1
0
mirror of https://github.com/billz/raspap-webgui.git synced 2023-10-10 13:37:24 +02:00

Merge pull request #16 from jrmhaig/csrf

Adding CSRF verification to DHCP form
This commit is contained in:
Bill Zimmerman 2016-07-10 23:22:05 +02:00 committed by GitHub
commit 9df326b338
5 changed files with 307 additions and 254 deletions

View File

@ -1,38 +1,30 @@
<?php <?php
function Status($message, $level='success', $dismissable=true) { include_once( 'includes/status_messages.php' );
$status = '<div class="alert alert-'.$level;
if ($dismissable) $status .= ' alert-dismissable';
$status .= '">'.$message;
if ($dismissable) $status .= '<button type="button" class="close" data-dismiss="alert" aria-hidden="true">x</button>';
$status .= '</div>';
return $status;
}
function DisplayAuthConfig($username, $password){ function DisplayAuthConfig($username, $password){
$status = ''; $status = new StatusMessages();
if (isset($_POST['UpdateAdminPassword'])) { if (isset($_POST['UpdateAdminPassword'])) {
if (CSRFValidate()) { if (CSRFValidate()) {
if (password_verify($_POST['oldpass'], $password)) { if (password_verify($_POST['oldpass'], $password)) {
$new_username=trim($_POST['username']); $new_username=trim($_POST['username']);
if ($_POST['newpass'] != $_POST['newpassagain']) { if ($_POST['newpass'] != $_POST['newpassagain']) {
$status = Status('New passwords do not match', 'danger'); $status->addMessage('New passwords do not match', 'danger');
} else if ($new_username == '') { } else if ($new_username == '') {
$status = Status('Username must not be empty', 'danger'); $status->addMessage('Username must not be empty', 'danger');
} else { } else {
if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) { if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
fwrite($auth_file, $new_username.PHP_EOL); fwrite($auth_file, $new_username.PHP_EOL);
fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL); fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
fclose($auth_file); fclose($auth_file);
$username = $new_username; $username = $new_username;
$status = Status('Admin password updated'); $status->addMessage('Admin password updated');
} else { } else {
$status = Status('Failed to update admin password', 'danger'); $status->addMessage('Failed to update admin password', 'danger');
} }
} }
} else { } else {
$status = Status('Old password does not match', 'danger'); $status->addMessage('Old password does not match', 'danger');
} }
} else { } else {
error_log('CSRF violation'); error_log('CSRF violation');
@ -44,7 +36,7 @@ function DisplayAuthConfig($username, $password){
<div class="panel panel-primary"> <div class="panel panel-primary">
<div class="panel-heading"><i class="fa fa-lock fa-fw"></i>Configure Auth</div> <div class="panel-heading"><i class="fa fa-lock fa-fw"></i>Configure Auth</div>
<div class="panel-body"> <div class="panel-body">
<p><?php echo $status; ?></p> <p><?php $status->showMessages(); ?></p>
<form role="form" action="/?page=auth_conf" method="POST"> <form role="form" action="/?page=auth_conf" method="POST">
<?php CSRFToken() ?> <?php CSRFToken() ?>
<div class="row"> <div class="row">

220
includes/dhcp.php Executable file
View File

@ -0,0 +1,220 @@
<?php
include_once( 'includes/status_messages.php' );
/**
*
* Manage DHCP configuration
*
*/
function DisplayDHCPConfig() {
$status = new StatusMessages();
if( isset( $_POST['savedhcpdsettings'] ) ) {
if (CSRFValidate()) {
$config = 'interface='.$_POST['interface'].PHP_EOL
.'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].',255.255.255.0,'.$_POST['RangeLeaseTime'].''.$_POST['RangeLeaseTimeUnits'];
exec( 'echo "'.$config.'" > /tmp/dhcpddata',$temp );
system( 'sudo cp /tmp/dhcpddata '. RASPI_DNSMASQ_CONFIG, $return );
if( $return == 0 ) {
$status->addMessage('Dnsmasq configuration updated successfully', 'success');
} else {
$status->addMessage('Dnsmasq configuration failed to be updated', 'danger');
}
} else {
error_log('CSRF violation');
}
}
exec( 'pidof dnsmasq | wc -l',$dnsmasq );
$dnsmasq_state = ($dnsmasq[0] > 0);
if( isset( $_POST['startdhcpd'] ) ) {
if (CSRFValidate()) {
if ($dnsmasq_state) {
$status->addMessage('dnsmasq already running', 'info');
} else {
exec('sudo /etc/init.d/dnsmasq start', $dnsmasq, $return);
if ($return == 0) {
$status->addMessage('Successfully started dnsmasq', 'success');
$dnsmasq_state = true;
} else {
$status->addMessage('Failed to start dnsmasq', 'danger');
}
}
} else {
error_log('CSRF violation');
}
} elseif( isset($_POST['stopdhcpd'] ) ) {
if (CSRFValidate()) {
if ($dnsmasq_state) {
exec('sudo /etc/init.d/dnsmasq stop', $dnsmasq, $return);
if ($return == 0) {
$status->addMessage('Successfully stopped dnsmasq', 'success');
$dnsmasq_state = false;
} else {
$status->addMessage('Failed to stop dnsmasq', 'danger');
}
} else {
$status->addMessage('dnsmasq already stopped', 'info');
}
} else {
error_log('CSRF violation');
}
} else {
if( $dnsmasq_state ) {
$status->addMessage('Dnsmasq is running', 'success');
} else {
$status->addMessage('Dnsmasq is not running', 'warning');
}
}
exec( 'cat '. RASPI_DNSMASQ_CONFIG, $return );
$conf = ParseConfig($return);
$arrRange = explode( ",", $conf['dhcp-range'] );
$RangeStart = $arrRange[0];
$RangeEnd = $arrRange[1];
$RangeMask = $arrRange[2];
preg_match( '/([0-9]*)([a-z])/i', $arrRange[3], $arrRangeLeaseTime );
switch( $arrRangeLeaseTime[2] ) {
case "h":
$hselected = " selected";
break;
case "m":
$mselected = " selected";
break;
case "d":
$dselected = " selected";
break;
}
?>
<div class="row">
<div class="col-lg-12">
<div class="panel panel-primary">
<div class="panel-heading"><i class="fa fa-exchange fa-fw"></i> Configure DHCP
</div>
<!-- /.panel-heading -->
<div class="panel-body">
<p><?php $status->showMessages(); ?></p>
<!-- Nav tabs -->
<ul class="nav nav-tabs">
<li class="active"><a href="#server-settings" data-toggle="tab">Server settings</a>
</li>
<li><a href="#client-list" data-toggle="tab">Client list</a>
</li>
</ul>
<!-- Tab panes -->
<div class="tab-content">
<div class="tab-pane fade in active" id="server-settings">
<h4>DHCP server settings</h4>
<form method="POST" action="?page=dhcpd_conf">
<?php CSRFToken() ?>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Interface</label>
<select class="form-control" name="interface">
<?php
exec("ip -o link show | awk -F': ' '{print $2}'", $interfaces);
foreach( $interfaces as $int ) {
$select = '';
if( $int == $conf['interface'] ) {
$select = " selected";
}
echo '<option value="'.$int.'"'.$select.'>'.$int.'</option>';
}
?>
</select>
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Starting IP Address</label>
<input type="text" class="form-control"name="RangeStart" value="<?php echo $RangeStart; ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Ending IP Address</label>
<input type="text" class="form-control" name="RangeEnd" value="<?php echo $RangeEnd; ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-xs-2 col-sm-2">
<label for="code">Lease Time</label>
<input type="text" class="form-control" name="RangeLeaseTime" value="<?php echo $arrRangeLeaseTime[1]; ?>" />
</div>
<div class="col-xs-2 col-sm-2">
<label for="code">Interval</label>
<select name="RangeLeaseTimeUnits" class="form-control" ><option value="m" <?php echo $mselected; ?>>Minutes</option><option value="h" <?php echo $hselected; ?>>Hours</option><option value="d" <?php echo $dselected; ?>>Days</option><option value="infinite">Infinite</option></select>
</div>
</div>
<input type="submit" class="btn btn-outline btn-primary" value="Save settings" name="savedhcpdsettings" />
<?php
if ( $dnsmasq_state ) {
echo '<input type="submit" class="btn btn-warning" value="Stop dnsmasq" name="stopdhcpd" />';
} else {
echo'<input type="submit" class="btn btn-success" value="Start dnsmasq" name="startdhcpd" />';
}
?>
</form>
</div><!-- /.tab-pane -->
<div class="tab-pane fade in" id="client-list">
<h4>Client list</h4>
<div class="col-lg-12">
<div class="panel panel-default">
<div class="panel-heading">
Active DHCP leases
</div>
<!-- /.panel-heading -->
<div class="panel-body">
<div class="table-responsive">
<table class="table table-hover">
<thead>
<tr>
<th>Expire time</th>
<th>MAC Address</th>
<th>IP Address</th>
<th>Host name</th>
<th>Client ID</th>
</tr>
</thead>
<tbody>
<tr>
<?php
exec( 'cat ' . RASPI_DNSMASQ_LEASES, $leases );
foreach( $leases as $lease ) {
$lease_items = explode(' ', $lease);
foreach( $lease_items as $lease_item ) {
echo '<td>' . $lease_item . '</td>';
}
echo '</tr>';
};
?>
</tr>
</tbody>
</table>
</div><!-- /.table-responsive -->
</div><!-- /.panel-body -->
</div><!-- /.panel -->
</div><!-- /.col-lg-6 -->
</div><!-- /.tab-pane -->
</div><!-- /.tab-content -->
</div><!-- ./ Panel body -->
<div class="panel-footer"> Information provided by Dnsmasq</div>
</div><!-- /.panel-primary -->
</div><!-- /.col-lg-12 -->
</div><!-- /.row -->
<?php
}
?>

View File

@ -551,188 +551,6 @@ function DisplayHostAPDConfig(){
<?php <?php
} }
/**
*
*
*/
function DisplayDHCPConfig() {
exec( 'cat '. RASPI_DNSMASQ_CONFIG, $return );
$conf = ParseConfig($return);
$arrRange = explode( ",", $conf['dhcp-range'] );
$RangeStart = $arrRange[0];
$RangeEnd = $arrRange[1];
$RangeMask = $arrRange[2];
preg_match( '/([0-9]*)([a-z])/i', $arrRange[3], $arrRangeLeaseTime );
switch( $arrRangeLeaseTime[2] ) {
case "h":
$hselected = " selected";
break;
case "m":
$mselected = " selected";
break;
case "d":
$dselected = " selected";
break;
}
exec( 'pidof dnsmasq | wc -l',$dnsmasq );
if( $dnsmasq[0] == 0 ) {
$status = '<div class="alert alert-warning alert-dismissable">Dnsmasq is not running<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button></div>';
} else {
$status = '<div class="alert alert-success alert-dismissable">Dnsmasq is running<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button></div>';
}
?>
<div class="row">
<div class="col-lg-12">
<div class="panel panel-primary">
<div class="panel-heading"><i class="fa fa-exchange fa-fw"></i> Configure DHCP
</div>
<!-- /.panel-heading -->
<div class="panel-body">
<!-- Nav tabs -->
<ul class="nav nav-tabs">
<li class="active"><a href="#server-settings" data-toggle="tab">Server settings</a>
</li>
<li><a href="#client-list" data-toggle="tab">Client list</a>
</li>
</ul>
<!-- Tab panes -->
<div class="tab-content">
<p><?php echo $status; ?></p>
<div class="tab-pane fade in active" id="server-settings">
<h4>DHCP server settings</h4>
<form method="POST" action="?page=dhcpd_conf">
<div class="row">
<div class="form-group col-md-4">
<label for="code">Interface</label>
<select class="form-control" name="interface">
<?php
exec("ip -o link show | awk -F': ' '{print $2}'", $interfaces);
foreach( $interfaces as $int ) {
$select = '';
if( $int == $conf['interface'] ) {
$select = " selected";
}
echo '<option value="'.$int.'"'.$select.'>'.$int.'</option>';
}
?>
</select>
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Starting IP Address</label>
<input type="text" class="form-control"name="RangeStart" value="<?php echo $RangeStart; ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code">Ending IP Address</label>
<input type="text" class="form-control" name="RangeEnd" value="<?php echo $RangeEnd; ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-xs-2 col-sm-2">
<label for="code">Lease Time</label>
<input type="text" class="form-control" name="RangeLeaseTime" value="<?php echo $arrRangeLeaseTime[1]; ?>" />
</div>
<div class="col-xs-2 col-sm-2">
<label for="code">Interval</label>
<select name="RangeLeaseTimeUnits" class="form-control" ><option value="m" <?php echo $mselected; ?>>Minutes</option><option value="h" <?php echo $hselected; ?>>Hours</option><option value="d" <?php echo $dselected; ?>>Days</option><option value="infinite">Infinite</option></select>
</div>
</div>
<input type="submit" class="btn btn-outline btn-primary" value="Save settings" name="savedhcpdsettings" />
<?php
if ( $dnsmasq[0] == 0 ) {
echo'<input type="submit" class="btn btn-success" value="Start dnsmasq" name="startdhcpd" />';
} else {
echo '<input type="submit" class="btn btn-warning" value="Stop dnsmasq" name="stopdhcpd" />';
}
?>
</form>
</div><!-- /.tab-pane -->
<div class="tab-pane fade in" id="client-list">
<h4>Client list</h4>
<div class="col-lg-12">
<div class="panel panel-default">
<div class="panel-heading">
Active DHCP leases
</div>
<!-- /.panel-heading -->
<div class="panel-body">
<div class="table-responsive">
<table class="table table-hover">
<thead>
<tr>
<th>Expire time</th>
<th>MAC Address</th>
<th>IP Address</th>
<th>Host name</th>
<th>Client ID</th>
</tr>
</thead>
<tbody>
<tr>
<?php
exec( 'cat ' . RASPI_DNSMASQ_LEASES, $leases );
foreach( $leases as $lease ) {
$lease_items = explode(' ', $lease);
foreach( $lease_items as $lease_item ) {
echo '<td>' . $lease_item . '</td>';
}
echo '</tr>';
};
?>
</tr>
</tbody>
</table>
</div><!-- /.table-responsive -->
</div><!-- /.panel-body -->
</div><!-- /.panel -->
</div><!-- /.col-lg-6 -->
<?php
if( isset( $_POST['savedhcpdsettings'] ) ) {
$config = 'interface='.$_POST['interface'].'
dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].',255.255.255.0,'.$_POST['RangeLeaseTime'].''.$_POST['RangeLeaseTimeUnits'];
exec( 'echo "'.$config.'" > /tmp/dhcpddata',$temp );
system( 'sudo cp /tmp/dhcpddata '. RASPI_DNSMASQ_CONFIG, $return );
if( $return == 0 ) {
echo "Dnsmasq configuration updated successfully";
} else {
echo "Dnsmasq configuration failed to be updated";
}
}
if( isset( $_POST['startdhcpd'] ) ) {
$line = system('sudo /etc/init.d/dnsmasq start',$return);
echo "Attempting to start dnsmasq";
}
if( isset($_POST['stopdhcpd'] ) ) {
$line = system('sudo /etc/init.d/dnsmasq stop',$return);
echo "Stopping dnsmasq";
}
?>
</div><!-- /.tab-pane -->
</div><!-- /.tab-content -->
</div><!-- ./ Panel body -->
<div class="panel-footer"> Information provided by Dnsmasq</div>
</div><!-- /.panel-primary -->
</div><!-- /.col-lg-12 -->
</div><!-- /.row -->
<?php
}
/** /**
* *
* *

View File

@ -0,0 +1,22 @@
<?php
class StatusMessages {
public $messages = array();
public function addMessage($message, $level='success', $dismissable=true) {
$status = '<div class="alert alert-'.$level;
if ($dismissable) $status .= ' alert-dismissable';
$status .= '">'.$message;
if ($dismissable) $status .= '<button type="button" class="close" data-dismiss="alert" aria-hidden="true">x</button>';
$status .= '</div>';
array_push($this->messages, $status);
}
public function showMessages($clear = true) {
foreach($this->messages as $message) {
echo $message;
}
if ( $clear ) $this->messages = array();
}
}
?>

View File

@ -38,9 +38,10 @@ define('RASPI_OPENVPN_ENABLED', false );
define('RASPI_TORPROXY_ENABLED', false ); define('RASPI_TORPROXY_ENABLED', false );
include_once( RASPI_CONFIG.'/raspap.php' ); include_once( RASPI_CONFIG.'/raspap.php' );
include_once( 'includes/functions.php' );
include_once( 'includes/authenticate.php' ); include_once( 'includes/authenticate.php' );
include_once( 'includes/admin.php' ); include_once( 'includes/admin.php' );
include_once( 'includes/functions.php' ); include_once( 'includes/dhcp.php' );
$output = $return = 0; $output = $return = 0;
$page = $_GET['page']; $page = $_GET['page'];