send CSRF token in a response header,
update the page's CSRF tokens with the new token from the response header, verify csrf token in ajax endpoints, initialize a session for every endpoint
This commit is contained in:
parent
8f3489cd4a
commit
da69d3d768
@ -1,8 +1,10 @@
|
||||
<?php
|
||||
|
||||
require('includes/csrf.php');
|
||||
|
||||
require_once '../../includes/config.php';
|
||||
require_once RASPI_CONFIG.'/raspap.php';
|
||||
|
||||
session_start();
|
||||
header('X-Frame-Options: DENY');
|
||||
header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
|
||||
require_once '../../includes/authenticate.php';
|
||||
|
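Review bot: `require('includes/csrf.php');` is resolved against include_path and then the calling script's directory, while the sibling includes in this same file use `../../includes/config.php`; unless include_path covers the project root, the new require fails for endpoints served from ajax/networking/, and `require('../../includes/csrf.php');` would match the existing includes. The other ajax endpoint hunks below add the same relative path and have the same issue. Separately, csrf.php pulls in session.php, which starts the session, so the `session_start();` that follows the require in this file runs on an already-active session and PHP reports a notice; if that line is kept on the new side, moving it above the require or dropping it avoids the notice.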
@ -1,4 +1,7 @@
|
||||
<?php
|
||||
|
||||
require('includes/csrf.php');
|
||||
|
||||
if (filter_input(INPUT_GET, 'tu') == 'h') {
|
||||
|
||||
header('X-Content-Type-Options: nosniff');
|
||||
|
@ -1,5 +1,7 @@
|
||||
<?php
|
||||
session_start();
|
||||
|
||||
require('includes/csrf.php');
|
||||
|
||||
include_once('../../includes/config.php');
|
||||
include_once('../../includes/functions.php');
|
||||
|
||||
|
@ -1,4 +1,7 @@
|
||||
<?php
|
||||
|
||||
require('includes/csrf.php');
|
||||
|
||||
exec("ls /sys/class/net | grep -v lo", $interfaces);
|
||||
echo json_encode($interfaces);
|
||||
?>
|
||||
|
@ -1,5 +1,7 @@
|
||||
<?php
|
||||
session_start();
|
||||
|
||||
require('includes/csrf.php');
|
||||
|
||||
include_once('../../includes/config.php');
|
||||
include_once('../../includes/functions.php');
|
||||
|
||||
|
@ -1,5 +1,7 @@
|
||||
<?php
|
||||
session_start();
|
||||
|
||||
require('includes/csrf.php');
|
||||
|
||||
include_once('../../includes/functions.php');
|
||||
|
||||
if(isset($_POST['interface'])) {
|
||||
|
@ -1,5 +1,7 @@
|
||||
<?php
|
||||
session_start();
|
||||
|
||||
require('includes/csrf.php');
|
||||
|
||||
include_once('../../includes/config.php');
|
||||
include_once('../../includes/functions.php');
|
||||
if(isset($_POST['interface'])) {
|
||||
|
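--- a/includes/csrf.php
+++ b/includes/csrf.php
@@ -0,0 +1,11 @@
+<?php
+
+include_once('includes/functions.php');
+include_once('includes/session.php');
+
+if (csrfValidateRequest() && !CSRFValidate()) {
+handleInvalidCSRFToken();
+}
+
+ensureCSRFSessionToken();
+header('X-CSRF-Token', $_SESSION['csrf_token']);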
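Review bot: `header('X-CSRF-Token', $_SESSION['csrf_token']);` never sends the token: `header()` takes the complete header line as its first argument and a boolean `$replace` as its second, so the token is coerced to `true` and the response carries a header with no value, leaving the client-side refresh nothing to read. It should be `header('X-CSRF-Token: ' . $_SESSION['csrf_token']);`. The two `include_once('includes/...')` lines are likewise resolved against include_path and the calling script rather than this file's directory, so when csrf.php is required from an ajax endpoint they may not resolve; `include_once(__DIR__ . '/functions.php');` and `include_once(__DIR__ . '/session.php');` pin them to this directory regardless of the caller.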
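--- a/includes/session.php
+++ b/includes/session.php
@@ -0,0 +1,5 @@
+<?php
+
+if (session_status() == PHP_SESSION_NONE) {
+session_start();
+}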
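Review bot: `session_status() == PHP_SESSION_NONE` uses a loose comparison where a strict one states the intent exactly, since `session_status()` returns one of three int constants: `if (session_status() === PHP_SESSION_NONE) {`. A one-line header comment such as `// Start the session only if no session is active yet, so this file is safe to include from any entry point.` would also make the guard's purpose clear to endpoints that include it after their own `session_start()`.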
@ -18,7 +18,7 @@
|
||||
* @see http://sirlagz.net/2013/02/08/raspap-webgui/
|
||||
*/
|
||||
|
||||
session_start();
|
||||
require('includes/csrf.php');
|
||||
|
||||
include_once('includes/config.php');
|
||||
include_once(RASPI_CONFIG.'/raspap.php');
|
||||
@ -39,12 +39,6 @@ include_once('includes/about.php');
|
||||
$output = $return = 0;
|
||||
$page = $_GET['page'];
|
||||
|
||||
if (csrfValidateRequest() && !CSRFValidate()) {
|
||||
handleInvalidCSRFToken();
|
||||
}
|
||||
|
||||
ensureCSRFSessionToken();
|
||||
|
||||
if (!isset($_COOKIE['theme'])) {
|
||||
$theme = "custom.css";
|
||||
} else {
|
||||
|
11
js/custom.js
11
js/custom.js
@ -160,13 +160,22 @@ function setupBtns() {
|
||||
});
|
||||
}
|
||||
|
||||
function updateCSRFToken(xhr, settings) {
|
||||
var newToken = xhr.getResponseHeader("X-CSRF-Token");
|
||||
if (newToken) {
|
||||
$('meta[name=csrf_token]').attr('content', newToken);
|
||||
$('[name=csrf_token]:input').attr('value', newToken);
|
||||
}
|
||||
}
|
||||
|
||||
$.ajaxSetup({
|
||||
beforeSend: function(xhr, settings) {
|
||||
var csrfToken = $('meta[name=csrf_token]').attr('content');
|
||||
if (/^(POST|PATCH|PUT|DELETE)$/i.test(settings.type)) {
|
||||
xhr.setRequestHeader("X-CSRF-Token", csrfToken);
|
||||
}
|
||||
}
|
||||
},
|
||||
ajaxComplete: updateCSRFToken
|
||||
});
|
||||
|
||||
$().ready(function(){
|
||||
|
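Review bot: `ajaxComplete: updateCSRFToken` inside `$.ajaxSetup` is not a recognised jQuery setting, so `updateCSRFToken` is never invoked and the page's tokens are never refreshed after a request; the per-request hook is `complete`, invoked as `(jqXHR, textStatus)`, and `getResponseHeader` is available on that jqXHR. Changing the line to `complete: updateCSRFToken` wires the refresh in, and the unused `settings` parameter of `updateCSRFToken` can then be dropped. If `ensureCSRFSessionToken()` on the server rotates the token per response, overlapping requests can still race (a late response overwriting a newer token), which is worth stating in a comment on `updateCSRFToken` so the last-response-wins behaviour is deliberate rather than accidental.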