send CSRF token in a response header,
update the page's CSRF tokens with the new token from the response header, verify csrf token in ajax endpoints, initialize a session for every endpoint
This commit is contained in:
parent
8f3489cd4a
commit
da69d3d768
@ -1,8 +1,10 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
require_once '../../includes/config.php';
|
require_once '../../includes/config.php';
|
||||||
require_once RASPI_CONFIG.'/raspap.php';
|
require_once RASPI_CONFIG.'/raspap.php';
|
||||||
|
|
||||||
session_start();
|
|
||||||
header('X-Frame-Options: DENY');
|
header('X-Frame-Options: DENY');
|
||||||
header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
|
header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
|
||||||
require_once '../../includes/authenticate.php';
|
require_once '../../includes/authenticate.php';
|
||||||
|
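Review bot: The added `require('includes/csrf.php');` uses a path relative to the web root, while the neighbouring `require_once '../../includes/config.php';` in the same hunk resolves relative to the endpoint's own directory two levels down; unless include_path already covers the web root, the first lookup targets a non-existent `includes/` directory next to the endpoint and the require fails before the CSRF check runs. Using the same base as the other includes, `require('../../includes/csrf.php');`, would make the two consistent — confirm against the include_path configured for these endpoints. The same pattern appears in the other ajax hunks of this commit that mix `../../includes/...` with `includes/csrf.php`. The enclosing file continues past this hunk.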
@ -1,4 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
if (filter_input(INPUT_GET, 'tu') == 'h') {
|
if (filter_input(INPUT_GET, 'tu') == 'h') {
|
||||||
|
|
||||||
header('X-Content-Type-Options: nosniff');
|
header('X-Content-Type-Options: nosniff');
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
session_start();
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
include_once('../../includes/config.php');
|
include_once('../../includes/config.php');
|
||||||
include_once('../../includes/functions.php');
|
include_once('../../includes/functions.php');
|
||||||
|
|
||||||
|
@ -1,4 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
exec("ls /sys/class/net | grep -v lo", $interfaces);
|
exec("ls /sys/class/net | grep -v lo", $interfaces);
|
||||||
echo json_encode($interfaces);
|
echo json_encode($interfaces);
|
||||||
?>
|
?>
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
session_start();
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
include_once('../../includes/config.php');
|
include_once('../../includes/config.php');
|
||||||
include_once('../../includes/functions.php');
|
include_once('../../includes/functions.php');
|
||||||
|
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
session_start();
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
include_once('../../includes/functions.php');
|
include_once('../../includes/functions.php');
|
||||||
|
|
||||||
if(isset($_POST['interface'])) {
|
if(isset($_POST['interface'])) {
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
session_start();
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
include_once('../../includes/config.php');
|
include_once('../../includes/config.php');
|
||||||
include_once('../../includes/functions.php');
|
include_once('../../includes/functions.php');
|
||||||
if(isset($_POST['interface'])) {
|
if(isset($_POST['interface'])) {
|
||||||
|
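--- a/includes/csrf.php
+++ b/includes/csrf.php
@@ -0,0 +1,11 @@
+<?php
+
+include_once('includes/functions.php');
+include_once('includes/session.php');
+
+if (csrfValidateRequest() && !CSRFValidate()) {
+handleInvalidCSRFToken();
+}
+
+ensureCSRFSessionToken();
+header('X-CSRF-Token', $_SESSION['csrf_token']);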
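Review bot: `header('X-CSRF-Token', $_SESSION['csrf_token']);` on the last line passes the token as header()'s second parameter (`$replace`), so the header name and value are never joined and the response carries no token value, only a bare `X-CSRF-Token` line. The client-side refresh added in js/custom.js reads `getResponseHeader("X-CSRF-Token")` and skips the update when it is empty, so the token rotation this commit introduces never takes effect. The fix is `header('X-CSRF-Token: ' . $_SESSION['csrf_token']);`. A one-line comment above it, `// expose the session token so ajax responses can refresh the page's copy`, would also make the purpose clear to readers of this file.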
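--- a/includes/session.php
+++ b/includes/session.php
@@ -0,0 +1,5 @@
+<?php
+
+if (session_status() == PHP_SESSION_NONE) {
+session_start();
+}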
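Review bot: `session_status() == PHP_SESSION_NONE` compares an integer constant with a loose `==`; the strict form `if (session_status() === PHP_SESSION_NONE) {` is the conventional choice and avoids any type juggling. A short header comment such as `// start a session once; safe to include from every entry point` would document why the guard exists, since this file is now pulled in by csrf.php for every endpoint.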
@ -18,7 +18,7 @@
|
|||||||
* @see http://sirlagz.net/2013/02/08/raspap-webgui/
|
* @see http://sirlagz.net/2013/02/08/raspap-webgui/
|
||||||
*/
|
*/
|
||||||
|
|
||||||
session_start();
|
require('includes/csrf.php');
|
||||||
|
|
||||||
include_once('includes/config.php');
|
include_once('includes/config.php');
|
||||||
include_once(RASPI_CONFIG.'/raspap.php');
|
include_once(RASPI_CONFIG.'/raspap.php');
|
||||||
@ -39,12 +39,6 @@ include_once('includes/about.php');
|
|||||||
$output = $return = 0;
|
$output = $return = 0;
|
||||||
$page = $_GET['page'];
|
$page = $_GET['page'];
|
||||||
|
|
||||||
if (csrfValidateRequest() && !CSRFValidate()) {
|
|
||||||
handleInvalidCSRFToken();
|
|
||||||
}
|
|
||||||
|
|
||||||
ensureCSRFSessionToken();
|
|
||||||
|
|
||||||
if (!isset($_COOKIE['theme'])) {
|
if (!isset($_COOKIE['theme'])) {
|
||||||
$theme = "custom.css";
|
$theme = "custom.css";
|
||||||
} else {
|
} else {
|
||||||
|
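Review bot: In the first hunk `require('includes/csrf.php');` now runs before `include_once('includes/config.php');`, and csrf.php in turn includes `includes/functions.php`; if functions.php refers to constants or settings defined in config.php or raspap.php, those are not yet loaded at that point, whereas the inline check removed in the second hunk ran only after all includes. If that dependency exists, placing the require after the config and raspap includes preserves the previous order. The second hunk only drops the inline validation that csrf.php now performs, so no further change is needed there.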
11
js/custom.js
11
js/custom.js
@ -160,13 +160,22 @@ function setupBtns() {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function updateCSRFToken(xhr, settings) {
|
||||||
|
var newToken = xhr.getResponseHeader("X-CSRF-Token");
|
||||||
|
if (newToken) {
|
||||||
|
$('meta[name=csrf_token]').attr('content', newToken);
|
||||||
|
$('[name=csrf_token]:input').attr('value', newToken);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$.ajaxSetup({
|
$.ajaxSetup({
|
||||||
beforeSend: function(xhr, settings) {
|
beforeSend: function(xhr, settings) {
|
||||||
var csrfToken = $('meta[name=csrf_token]').attr('content');
|
var csrfToken = $('meta[name=csrf_token]').attr('content');
|
||||||
if (/^(POST|PATCH|PUT|DELETE)$/i.test(settings.type)) {
|
if (/^(POST|PATCH|PUT|DELETE)$/i.test(settings.type)) {
|
||||||
xhr.setRequestHeader("X-CSRF-Token", csrfToken);
|
xhr.setRequestHeader("X-CSRF-Token", csrfToken);
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
|
ajaxComplete: updateCSRFToken
|
||||||
});
|
});
|
||||||
|
|
||||||
$().ready(function(){
|
$().ready(function(){
|
||||||
|
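Review bot: `ajaxComplete: updateCSRFToken` inside `$.ajaxSetup({...})` is not a recognised option, so jQuery never calls `updateCSRFToken` and the page's tokens are never refreshed from the response header; jQuery's per-request option is `complete`, and the global `ajaxComplete` is an event registered on the document whose handler receives `(event, xhr, settings)`. The document-level form is the safer choice here, because a `complete` default set via `ajaxSetup` is silently replaced by any call that supplies its own `complete`: drop the `ajaxComplete:` line, restore `}` without the trailing comma, and add `$(document).ajaxComplete(function(event, xhr, settings) { updateCSRFToken(xhr, settings); });` after the `$.ajaxSetup` call. A one-line comment above `updateCSRFToken`, `// keep the meta tag and hidden form fields in sync with the token issued by the server`, would document its role. The `$().ready` block at the end of the hunk continues outside it.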