From 87fe8948b8bec0d1b13174dbd15de392d163852b Mon Sep 17 00:00:00 2001
From: glaszig
Date: Tue, 30 Jul 2019 17:05:41 +0200
Subject: [PATCH] remove splattered, duplicated csrf validation code since we do that always and early, now.

---
 ajax/networking/gen_int_config.php  |   2 +-
 ajax/networking/get_int_config.php  |   2 +-
 ajax/networking/get_ip_summary.php  |   2 +-
 ajax/networking/save_int_config.php |   2 +-
 includes/admin.php                  |  46 +++++-----
 includes/configure_client.php       |   2 +-
 includes/dhcp.php                   | 138 +++++++++++++---------------
 includes/hostapd.php                |  36 +++-----
 includes/system.php                 |  10 +-
 9 files changed, 104 insertions(+), 136 deletions(-)

diff --git a/ajax/networking/gen_int_config.php b/ajax/networking/gen_int_config.php
index d0f59ff3..8d042991 100644
--- a/ajax/networking/gen_int_config.php
+++ b/ajax/networking/gen_int_config.php
@@ -3,7 +3,7 @@
 session_start();
 include_once('../../includes/config.php');
 include_once('../../includes/functions.php');
-if(isset($_POST['generate']) && isset($_POST['csrf_token']) && CSRFValidate()) {
+if(isset($_POST['generate'])) {
     $cnfNetworking = array_diff(scandir(RASPI_CONFIG_NETWORKING, 1),array('..','.','dhcpcd.conf'));
     $cnfNetworking = array_combine($cnfNetworking,$cnfNetworking);
     $strConfFile = "";
diff --git a/ajax/networking/get_int_config.php b/ajax/networking/get_int_config.php
index d29ee735..d39f12b3 100644
--- a/ajax/networking/get_int_config.php
+++ b/ajax/networking/get_int_config.php
@@ -4,7 +4,7 @@
 include_once('../../includes/config.php');
 include_once('../../includes/functions.php');
 
-if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
+if(isset($_POST['interface'])) {
     $int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);
     if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) {
         touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini');
diff --git a/ajax/networking/get_ip_summary.php b/ajax/networking/get_ip_summary.php
index 810c6265..3383337d 100644
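Review bot: The `gen_int_config.php` and `get_int_config.php` handlers are now gated by `isset($_POST['generate'])` / `isset($_POST['interface'])` alone, and the "always and early" check the commit message relies on is not part of this patch, so it cannot be verified here. These ajax scripts are requested directly and include only `config.php` and `functions.php`; if the centralized `CSRFValidate()` call lives in the page front controller rather than in one of those includes, these endpoints lose CSRF protection entirely, so please confirm the include path reaches it. The same question applies to the `get_ip_summary.php` hunk (which includes only `functions.php`) and the `save_int_config.php` hunk. The dropped `error_log('CSRF violation')` calls were the only rejection logging visible in this patch; the central check should keep emitting an equivalent log line so rejected requests remain observable.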
--- a/ajax/networking/get_ip_summary.php
+++ b/ajax/networking/get_ip_summary.php
@@ -2,7 +2,7 @@
 session_start();
 include_once('../../includes/functions.php');
 
-if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
+if(isset($_POST['interface'])) {
     $int = preg_replace('/[^a-z0-9]/','',$_POST['interface']);
     exec('ip a s '.$int,$intOutput,$intResult);
     $intOutput = array_map('htmlentities', $intOutput);
diff --git a/ajax/networking/save_int_config.php b/ajax/networking/save_int_config.php
index 77fcd865..e8b4f4d1 100644
--- a/ajax/networking/save_int_config.php
+++ b/ajax/networking/save_int_config.php
@@ -2,7 +2,7 @@
 session_start();
 include_once('../../includes/config.php');
 include_once('../../includes/functions.php');
-    if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
+    if(isset($_POST['interface'])) {
         $int = $_POST['interface'];
         $cfg = [];
         $file = $int.".ini";
diff --git a/includes/admin.php b/includes/admin.php
index b335f6be..22353461 100755
--- a/includes/admin.php
+++ b/includes/admin.php
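Review bot: In the `save_int_config.php` hunk the file name is built from the raw parameter, `$int = $_POST['interface'];` then `$file = $int.".ini";`, while the sibling `get_int_config.php` hunk filters the same parameter with `preg_replace('/[^a-z0-9]/', '', $_POST['interface'])`. Now that the handler is entered on `isset($_POST['interface'])` alone, the two should agree; restricting the name the same way, `$int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);`, keeps `$file` a plain base name. Where `$file` is joined to a directory is outside the hunk, so whether it is anchored under `RASPI_CONFIG_NETWORKING` cannot be confirmed from here.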
@@ -6,34 +6,30 @@ function DisplayAuthConfig($username, $password)
     $status = new StatusMessages();
 
     if (isset($_POST['UpdateAdminPassword'])) {
-        if (CSRFValidate()) {
-            if (password_verify($_POST['oldpass'], $password)) {
-                $new_username=trim($_POST['username']);
-                if ($_POST['newpass'] !== $_POST['newpassagain']) {
-                    $status->addMessage('New passwords do not match', 'danger');
-                } elseif ($new_username == '') {
-                    $status->addMessage('Username must not be empty', 'danger');
-                } else {
-                    if (!file_exists(RASPI_ADMIN_DETAILS)) {
-                        $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
-                        fclose($tmpauth);
-                    }
-
-                    if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
-                        fwrite($auth_file, $new_username.PHP_EOL);
-                        fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
-                        fclose($auth_file);
-                        $username = $new_username;
-                        $status->addMessage('Admin password updated');
-                    } else {
-                        $status->addMessage('Failed to update admin password', 'danger');
-                    }
-                }
+        if (password_verify($_POST['oldpass'], $password)) {
+            $new_username=trim($_POST['username']);
+            if ($_POST['newpass'] !== $_POST['newpassagain']) {
+                $status->addMessage('New passwords do not match', 'danger');
+            } elseif ($new_username == '') {
+                $status->addMessage('Username must not be empty', 'danger');
             } else {
-                $status->addMessage('Old password does not match', 'danger');
+                if (!file_exists(RASPI_ADMIN_DETAILS)) {
+                    $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
+                    fclose($tmpauth);
+                }
+
+                if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
+                    fwrite($auth_file, $new_username.PHP_EOL);
+                    fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
+                    fclose($auth_file);
+                    $username = $new_username;
+                    $status->addMessage('Admin password updated');
+                } else {
+                    $status->addMessage('Failed to update admin password', 'danger');
+                }
             }
         } else {
-            error_log('CSRF violation');
+            $status->addMessage('Old password does not match', 'danger');
         }
     }
 ?>
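Review bot: The re-indented branch still writes `$new_username` straight into the credentials file with `fwrite($auth_file, $new_username.PHP_EOL);`, and the only check on it is `$new_username == ''`; a value containing a line break would split the first line of `RASPI_ADMIN_DETAILS`, which presumably is read back as username on line one and hash on line two (not visible here). Rejecting such input next to the existing check, `} elseif ($new_username == '' || preg_match('/[\r\n]/', $new_username)) {`, closes that gap. The `file_exists` / `fopen(..., 'w')` / `fclose` pre-creation block is redundant, because the following `fopen(RASPI_ADMIN_DETAILS, 'w')` already creates the file, and the `$_POST['oldpass']`, `['username']`, `['newpass']` and `['newpassagain']` reads are not guarded by `isset`, so a partial form produces notices rather than a validation message. `DisplayAuthConfig` begins before this hunk.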
diff --git a/includes/configure_client.php b/includes/configure_client.php index 8c3f08b3..d1640041 100755 --- a/includes/configure_client.php +++ b/includes/configure_client.php @@ -53,7 +53,7 @@ function DisplayWPAConfig() if (isset($_POST['connect'])) { $result = 0; exec('sudo wpa_cli -i ' . RASPI_WPA_CTRL_INTERFACE . ' select_network '.strval($_POST['connect'])); - } elseif (isset($_POST['client_settings']) && CSRFValidate()) { + } elseif (isset($_POST['client_settings'])) { $tmp_networks = $networks; if ($wpa_file = fopen('/tmp/wifidata', 'w')) { fwrite($wpa_file, 'ctrl_interface=DIR=' . RASPI_WPA_CTRL_INTERFACE . ' GROUP=netdev' . PHP_EOL); diff --git a/includes/dhcp.php b/includes/dhcp.php index cc5133c1..82e80bec 100755 --- a/includes/dhcp.php +++ b/includes/dhcp.php @@ -12,64 +12,60 @@ function DisplayDHCPConfig() $status = new StatusMessages(); if (isset($_POST['savedhcpdsettings'])) { - if (CSRFValidate()) { - $errors = ''; - define('IFNAMSIZ', 16); - if (!preg_match('/^[a-zA-Z0-9]+$/', $_POST['interface']) || - strlen($_POST['interface']) >= IFNAMSIZ) { - $errors .= _('Invalid interface name.').'
'.PHP_EOL; + $errors = ''; + define('IFNAMSIZ', 16); + if (!preg_match('/^[a-zA-Z0-9]+$/', $_POST['interface']) || + strlen($_POST['interface']) >= IFNAMSIZ) { + $errors .= _('Invalid interface name.').'
'.PHP_EOL; + } + + if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeStart']) && + !empty($_POST['RangeStart'])) { // allow ''/null ? + $errors .= _('Invalid DHCP range start.').'
'.PHP_EOL; + } + + if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeEnd']) && + !empty($_POST['RangeEnd'])) { // allow ''/null ? + $errors .= _('Invalid DHCP range end.').'
'.PHP_EOL; + } + + if (!ctype_digit($_POST['RangeLeaseTime']) && $_POST['RangeLeaseTimeUnits'] !== 'infinite') { + $errors .= _('Invalid DHCP lease time, not a number.').'
'.PHP_EOL; + } + + if (!in_array($_POST['RangeLeaseTimeUnits'], array('m', 'h', 'd', 'infinite'))) { + $errors .= _('Unknown DHCP lease time unit.').'
'.PHP_EOL; + } + + $return = 1; + if (empty($errors)) { + $config = 'interface='.$_POST['interface'].PHP_EOL. + 'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd']. + ',255.255.255.0,'; + if ($_POST['RangeLeaseTimeUnits'] !== 'infinite') { + $config .= $_POST['RangeLeaseTime']; } - if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeStart']) && - !empty($_POST['RangeStart'])) { // allow ''/null ? - $errors .= _('Invalid DHCP range start.').'
'.PHP_EOL; - } + $config .= $_POST['RangeLeaseTimeUnits'].PHP_EOL; - if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeEnd']) && - !empty($_POST['RangeEnd'])) { // allow ''/null ? - $errors .= _('Invalid DHCP range end.').'
'.PHP_EOL; - } - - if (!ctype_digit($_POST['RangeLeaseTime']) && $_POST['RangeLeaseTimeUnits'] !== 'infinite') { - $errors .= _('Invalid DHCP lease time, not a number.').'
'.PHP_EOL; - } - - if (!in_array($_POST['RangeLeaseTimeUnits'], array('m', 'h', 'd', 'infinite'))) { - $errors .= _('Unknown DHCP lease time unit.').'
'.PHP_EOL; - } - - $return = 1; - if (empty($errors)) { - $config = 'interface='.$_POST['interface'].PHP_EOL. - 'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd']. - ',255.255.255.0,'; - if ($_POST['RangeLeaseTimeUnits'] !== 'infinite') { - $config .= $_POST['RangeLeaseTime']; + for ($i=0; $i < count($_POST["static_leases"]["mac"]); $i++) { + $mac = trim($_POST["static_leases"]["mac"][$i]); + $ip = trim($_POST["static_leases"]["ip"][$i]); + if ($mac != "" && $ip != "") { + $config .= "dhcp-host=$mac,$ip".PHP_EOL; } - - $config .= $_POST['RangeLeaseTimeUnits'].PHP_EOL; - - for ($i=0; $i < count($_POST["static_leases"]["mac"]); $i++) { - $mac = trim($_POST["static_leases"]["mac"][$i]); - $ip = trim($_POST["static_leases"]["ip"][$i]); - if ($mac != "" && $ip != "") { - $config .= "dhcp-host=$mac,$ip".PHP_EOL; - } - } - - file_put_contents("/tmp/dhcpddata", $config); - system('sudo cp /tmp/dhcpddata '.RASPI_DNSMASQ_CONFIG, $return); - } else { - $status->addMessage($errors, 'danger'); } - if ($return == 0) { - $status->addMessage('Dnsmasq configuration updated successfully', 'success'); - } else { - $status->addMessage('Dnsmasq configuration failed to be updated.', 'danger'); - } + file_put_contents("/tmp/dhcpddata", $config); + system('sudo cp /tmp/dhcpddata '.RASPI_DNSMASQ_CONFIG, $return); } else { - error_log('CSRF violation'); + $status->addMessage($errors, 'danger'); + } + + if ($return == 0) { + $status->addMessage('Dnsmasq configuration updated successfully', 'success'); + } else { + $status->addMessage('Dnsmasq configuration failed to be updated.', 'danger'); } } 
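Review bot: The static-lease values are the only inputs in this branch that reach the generated dnsmasq file without validation: `$mac` and `$ip` are merely `trim()`ed and then written as `"dhcp-host=$mac,$ip".PHP_EOL`, while `interface`, `RangeStart`, `RangeEnd` and the lease-time fields are all pattern-checked first. Since the file is copied to `RASPI_DNSMASQ_CONFIG` with `sudo`, an embedded line break or comma would become extra dnsmasq directives, so the lease rows should be validated in the same error-collecting pass before `$return = 1;`, and `count($_POST["static_leases"]["mac"])` should be guarded with `isset` because a form with no lease rows posts no such array. The sketch below keeps the writer loop unchanged and only adds the checks; `DisplayDHCPConfig` begins before this hunk.

```php
// … unchanged: interface, range and lease-time checks …
$lease_macs = isset($_POST['static_leases']['mac']) ? $_POST['static_leases']['mac'] : array();
$lease_ips  = isset($_POST['static_leases']['ip'])  ? $_POST['static_leases']['ip']  : array();
for ($i = 0; $i < count($lease_macs); $i++) {
    $mac = trim($lease_macs[$i]);
    $ip  = isset($lease_ips[$i]) ? trim($lease_ips[$i]) : '';
    if ($mac === '' && $ip === '') {
        continue; // blank row; the writer loop skips it as well
    }
    if (!preg_match('/^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\z/', $mac) ||
        !preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $ip)) {
        $errors .= _('Invalid static lease.').PHP_EOL; // append the same line-break markup as the other messages
    }
}

$return = 1;
// … unchanged: config assembly, writer loop and copy to RASPI_DNSMASQ_CONFIG …
```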
@@ -77,36 +73,28 @@ function DisplayDHCPConfig()
     $dnsmasq_state = ($dnsmasq[0] > 0);
 
     if (isset($_POST['startdhcpd'])) {
-        if (CSRFValidate()) {
-            if ($dnsmasq_state) {
-                $status->addMessage('dnsmasq already running', 'info');
-            } else {
-                exec('sudo /etc/init.d/dnsmasq start', $dnsmasq, $return);
-                if ($return == 0) {
-                    $status->addMessage('Successfully started dnsmasq', 'success');
-                    $dnsmasq_state = true;
-                } else {
-                    $status->addMessage('Failed to start dnsmasq', 'danger');
-                }
-            }
+        if ($dnsmasq_state) {
+            $status->addMessage('dnsmasq already running', 'info');
         } else {
-            error_log('CSRF violation');
+            exec('sudo /etc/init.d/dnsmasq start', $dnsmasq, $return);
+            if ($return == 0) {
+                $status->addMessage('Successfully started dnsmasq', 'success');
+                $dnsmasq_state = true;
+            } else {
+                $status->addMessage('Failed to start dnsmasq', 'danger');
+            }
         }
     } elseif (isset($_POST['stopdhcpd'])) {
-        if (CSRFValidate()) {
-            if ($dnsmasq_state) {
-                exec('sudo /etc/init.d/dnsmasq stop', $dnsmasq, $return);
-                if ($return == 0) {
-                    $status->addMessage('Successfully stopped dnsmasq', 'success');
-                    $dnsmasq_state = false;
-                } else {
-                    $status->addMessage('Failed to stop dnsmasq', 'danger');
-                }
+        if ($dnsmasq_state) {
+            exec('sudo /etc/init.d/dnsmasq stop', $dnsmasq, $return);
+            if ($return == 0) {
+                $status->addMessage('Successfully stopped dnsmasq', 'success');
+                $dnsmasq_state = false;
             } else {
-                $status->addMessage('dnsmasq already stopped', 'info');
+                $status->addMessage('Failed to stop dnsmasq', 'danger');
             }
         } else {
-            error_log('CSRF violation');
+            $status->addMessage('dnsmasq already stopped', 'info');
         }
     } else {
         if ($dnsmasq_state) {
diff --git a/includes/hostapd.php b/includes/hostapd.php
index 6912bd92..0da1c795 100755
--- a/includes/hostapd.php
+++ b/includes/hostapd.php
@@ -22,34 +22,22 @@ function DisplayHostAPDConfig()
     exec("ip -o link show | awk -F': ' '{print $2}'", $interfaces);
 
     if (isset($_POST['SaveHostAPDSettings'])) {
-        if (CSRFValidate()) {
-            SaveHostAPDConfig($arrSecurity, $arrEncType, $arr80211Standard, $interfaces, $status);
-        } else {
-            error_log('CSRF violation');
-        }
+        SaveHostAPDConfig($arrSecurity, $arrEncType, $arr80211Standard, $interfaces, $status);
     } elseif (isset($_POST['StartHotspot'])) {
-        if (CSRFValidate()) {
-            $status->addMessage('Attempting to start hotspot', 'info');
-            if ($arrHostapdConf['WifiAPEnable'] == 1) {
-                exec('sudo /etc/raspap/hostapd/servicestart.sh --interface uap0 --seconds 3', $return);
-            } else {
-                exec('sudo /etc/raspap/hostapd/servicestart.sh --seconds 5', $return);
-            }
-            foreach ($return as $line) {
-                $status->addMessage($line, 'info');
-            }
+        $status->addMessage('Attempting to start hotspot', 'info');
+        if ($arrHostapdConf['WifiAPEnable'] == 1) {
+            exec('sudo /etc/raspap/hostapd/servicestart.sh --interface uap0 --seconds 3', $return);
         } else {
-            error_log('CSRF violation');
+            exec('sudo /etc/raspap/hostapd/servicestart.sh --seconds 5', $return);
+        }
+        foreach ($return as $line) {
+            $status->addMessage($line, 'info');
         }
     } elseif (isset($_POST['StopHotspot'])) {
-        if (CSRFValidate()) {
-            $status->addMessage('Attempting to stop hotspot', 'info');
-            exec('sudo /etc/init.d/hostapd stop', $return);
-            foreach ($return as $line) {
-                $status->addMessage($line, 'info');
-            }
-        } else {
-            error_log('CSRF violation');
+        $status->addMessage('Attempting to stop hotspot', 'info');
+        exec('sudo /etc/init.d/hostapd stop', $return);
+        foreach ($return as $line) {
+            $status->addMessage($line, 'info');
         }
     }
 
diff --git a/includes/system.php b/includes/system.php
index 4b27c1d9..746963c9 100755
--- a/includes/system.php
+++ b/includes/system.php
@@ -63,13 +63,9 @@ function DisplaySystem()
     $status = new StatusMessages();
 
     if (isset($_POST['SaveLanguage'])) {
-        if (CSRFValidate()) {
-            if (isset($_POST['locale'])) {
-                $_SESSION['locale'] = $_POST['locale'];
-                $status->addMessage('Language setting saved', 'success');
-            }
-        } else {
-            error_log('CSRF violation');
+        if (isset($_POST['locale'])) {
+            $_SESSION['locale'] = $_POST['locale'];
+            $status->addMessage('Language setting saved', 'success');
         }
     }