1
0
mirror of https://github.com/billz/raspap-webgui.git synced 2023-10-10 13:37:24 +02:00

send CSRF token in a response header,

update the page's CSRF tokens with the new token
from the response header,
verify csrf token in ajax endpoints,
initialize a session for every endpoint
This commit is contained in:
glaszig 2019-08-06 21:34:58 +02:00
parent 8f3489cd4a
commit da69d3d768
11 changed files with 48 additions and 13 deletions

View File

@ -1,8 +1,10 @@
<?php
require('includes/csrf.php');
require_once '../../includes/config.php';
require_once RASPI_CONFIG.'/raspap.php';
session_start();
header('X-Frame-Options: DENY');
header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
require_once '../../includes/authenticate.php';

View File

@ -1,4 +1,7 @@
<?php
require('includes/csrf.php');
if (filter_input(INPUT_GET, 'tu') == 'h') {
header('X-Content-Type-Options: nosniff');

View File

@ -1,5 +1,7 @@
<?php
session_start();
require('includes/csrf.php');
include_once('../../includes/config.php');
include_once('../../includes/functions.php');

View File

@ -1,4 +1,7 @@
<?php
require('includes/csrf.php');
exec("ls /sys/class/net | grep -v lo", $interfaces);
echo json_encode($interfaces);
?>

View File

@ -1,5 +1,7 @@
<?php
session_start();
require('includes/csrf.php');
include_once('../../includes/config.php');
include_once('../../includes/functions.php');

View File

@ -1,5 +1,7 @@
<?php
session_start();
require('includes/csrf.php');
include_once('../../includes/functions.php');
if(isset($_POST['interface'])) {

View File

@ -1,5 +1,7 @@
<?php
session_start();
require('includes/csrf.php');
include_once('../../includes/config.php');
include_once('../../includes/functions.php');
if(isset($_POST['interface'])) {

11
includes/csrf.php Normal file
View File

@ -0,0 +1,11 @@
<?php
include_once('includes/functions.php');
include_once('includes/session.php');
if (csrfValidateRequest() && !CSRFValidate()) {
handleInvalidCSRFToken();
}
ensureCSRFSessionToken();
header('X-CSRF-Token', $_SESSION['csrf_token']);

5
includes/session.php Normal file
View File

@ -0,0 +1,5 @@
<?php
if (session_status() == PHP_SESSION_NONE) {
session_start();
}

View File

@ -18,7 +18,7 @@
* @see http://sirlagz.net/2013/02/08/raspap-webgui/
*/
session_start();
require('includes/csrf.php');
include_once('includes/config.php');
include_once(RASPI_CONFIG.'/raspap.php');
@ -39,12 +39,6 @@ include_once('includes/about.php');
$output = $return = 0;
$page = $_GET['page'];
if (csrfValidateRequest() && !CSRFValidate()) {
handleInvalidCSRFToken();
}
ensureCSRFSessionToken();
if (!isset($_COOKIE['theme'])) {
$theme = "custom.css";
} else {

View File

@ -160,13 +160,22 @@ function setupBtns() {
});
}
function updateCSRFToken(xhr, settings) {
var newToken = xhr.getResponseHeader("X-CSRF-Token");
if (newToken) {
$('meta[name=csrf_token]').attr('content', newToken);
$('[name=csrf_token]:input').attr('value', newToken);
}
}
$.ajaxSetup({
beforeSend: function(xhr, settings) {
var csrfToken = $('meta[name=csrf_token]').attr('content');
if (/^(POST|PATCH|PUT|DELETE)$/i.test(settings.type)) {
xhr.setRequestHeader("X-CSRF-Token", csrfToken);
}
}
},
ajaxComplete: updateCSRFToken
});
$().ready(function(){