1
0
mirror of https://github.com/billz/raspap-webgui.git synced 2023-10-10 13:37:24 +02:00

send CSRF token in a response header,

update the page's CSRF tokens with the new token
from the response header,
verify csrf token in ajax endpoints,
initialize a session for every endpoint
This commit is contained in:
glaszig 2019-08-06 21:34:58 +02:00
parent 8f3489cd4a
commit da69d3d768
11 changed files with 48 additions and 13 deletions

View File

@ -1,8 +1,10 @@
<?php <?php
require('includes/csrf.php');
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once RASPI_CONFIG.'/raspap.php'; require_once RASPI_CONFIG.'/raspap.php';
session_start();
header('X-Frame-Options: DENY'); header('X-Frame-Options: DENY');
header("Content-Security-Policy: default-src 'none'; connect-src 'self'"); header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
require_once '../../includes/authenticate.php'; require_once '../../includes/authenticate.php';

View File

@ -1,4 +1,7 @@
<?php <?php
require('includes/csrf.php');
if (filter_input(INPUT_GET, 'tu') == 'h') { if (filter_input(INPUT_GET, 'tu') == 'h') {
header('X-Content-Type-Options: nosniff'); header('X-Content-Type-Options: nosniff');

View File

@ -1,5 +1,7 @@
<?php <?php
session_start();
require('includes/csrf.php');
include_once('../../includes/config.php'); include_once('../../includes/config.php');
include_once('../../includes/functions.php'); include_once('../../includes/functions.php');

View File

@ -1,4 +1,7 @@
<?php <?php
require('includes/csrf.php');
exec("ls /sys/class/net | grep -v lo", $interfaces); exec("ls /sys/class/net | grep -v lo", $interfaces);
echo json_encode($interfaces); echo json_encode($interfaces);
?> ?>

View File

@ -1,5 +1,7 @@
<?php <?php
session_start();
require('includes/csrf.php');
include_once('../../includes/config.php'); include_once('../../includes/config.php');
include_once('../../includes/functions.php'); include_once('../../includes/functions.php');

View File

@ -1,5 +1,7 @@
<?php <?php
session_start();
require('includes/csrf.php');
include_once('../../includes/functions.php'); include_once('../../includes/functions.php');
if(isset($_POST['interface'])) { if(isset($_POST['interface'])) {

View File

@ -1,5 +1,7 @@
<?php <?php
session_start();
require('includes/csrf.php');
include_once('../../includes/config.php'); include_once('../../includes/config.php');
include_once('../../includes/functions.php'); include_once('../../includes/functions.php');
if(isset($_POST['interface'])) { if(isset($_POST['interface'])) {

11
includes/csrf.php Normal file
View File

@ -0,0 +1,11 @@
<?php
include_once('includes/functions.php');
include_once('includes/session.php');
if (csrfValidateRequest() && !CSRFValidate()) {
handleInvalidCSRFToken();
}
ensureCSRFSessionToken();
header('X-CSRF-Token', $_SESSION['csrf_token']);

5
includes/session.php Normal file
View File

@ -0,0 +1,5 @@
<?php
if (session_status() == PHP_SESSION_NONE) {
session_start();
}

View File

@ -18,7 +18,7 @@
* @see http://sirlagz.net/2013/02/08/raspap-webgui/ * @see http://sirlagz.net/2013/02/08/raspap-webgui/
*/ */
session_start(); require('includes/csrf.php');
include_once('includes/config.php'); include_once('includes/config.php');
include_once(RASPI_CONFIG.'/raspap.php'); include_once(RASPI_CONFIG.'/raspap.php');
@ -39,12 +39,6 @@ include_once('includes/about.php');
$output = $return = 0; $output = $return = 0;
$page = $_GET['page']; $page = $_GET['page'];
if (csrfValidateRequest() && !CSRFValidate()) {
handleInvalidCSRFToken();
}
ensureCSRFSessionToken();
if (!isset($_COOKIE['theme'])) { if (!isset($_COOKIE['theme'])) {
$theme = "custom.css"; $theme = "custom.css";
} else { } else {

View File

@ -160,13 +160,22 @@ function setupBtns() {
}); });
} }
function updateCSRFToken(xhr, settings) {
var newToken = xhr.getResponseHeader("X-CSRF-Token");
if (newToken) {
$('meta[name=csrf_token]').attr('content', newToken);
$('[name=csrf_token]:input').attr('value', newToken);
}
}
$.ajaxSetup({ $.ajaxSetup({
beforeSend: function(xhr, settings) { beforeSend: function(xhr, settings) {
var csrfToken = $('meta[name=csrf_token]').attr('content'); var csrfToken = $('meta[name=csrf_token]').attr('content');
if (/^(POST|PATCH|PUT|DELETE)$/i.test(settings.type)) { if (/^(POST|PATCH|PUT|DELETE)$/i.test(settings.type)) {
xhr.setRequestHeader("X-CSRF-Token", csrfToken); xhr.setRequestHeader("X-CSRF-Token", csrfToken);
} }
} },
ajaxComplete: updateCSRFToken
}); });
$().ready(function(){ $().ready(function(){