mirror of
https://github.com/billz/raspap-webgui.git
synced 2023-10-10 13:37:24 +02:00
Merge pull request #356 from glaszig/security/always-verify-csrf-token
always verify csrf token for resource-modifying requests
This commit is contained in:
commit
f6f85d1c11
@ -1,8 +1,10 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
require_once '../../includes/config.php';
|
require_once '../../includes/config.php';
|
||||||
require_once RASPI_CONFIG.'/raspap.php';
|
require_once RASPI_CONFIG.'/raspap.php';
|
||||||
|
|
||||||
session_start();
|
|
||||||
header('X-Frame-Options: DENY');
|
header('X-Frame-Options: DENY');
|
||||||
header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
|
header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
|
||||||
require_once '../../includes/authenticate.php';
|
require_once '../../includes/authenticate.php';
|
||||||
|
@ -1,4 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
if (filter_input(INPUT_GET, 'tu') == 'h') {
|
if (filter_input(INPUT_GET, 'tu') == 'h') {
|
||||||
|
|
||||||
header('X-Content-Type-Options: nosniff');
|
header('X-Content-Type-Options: nosniff');
|
||||||
|
@ -1,9 +1,11 @@
|
|||||||
<?php
|
<?php
|
||||||
session_start();
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
include_once('../../includes/config.php');
|
include_once('../../includes/config.php');
|
||||||
include_once('../../includes/functions.php');
|
include_once('../../includes/functions.php');
|
||||||
|
|
||||||
if(isset($_POST['generate']) && isset($_POST['csrf_token']) && CSRFValidate()) {
|
if(isset($_POST['generate'])) {
|
||||||
$cnfNetworking = array_diff(scandir(RASPI_CONFIG_NETWORKING, 1),array('..','.','dhcpcd.conf'));
|
$cnfNetworking = array_diff(scandir(RASPI_CONFIG_NETWORKING, 1),array('..','.','dhcpcd.conf'));
|
||||||
$cnfNetworking = array_combine($cnfNetworking,$cnfNetworking);
|
$cnfNetworking = array_combine($cnfNetworking,$cnfNetworking);
|
||||||
$strConfFile = "";
|
$strConfFile = "";
|
||||||
|
@ -1,4 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
exec("ls /sys/class/net | grep -v lo", $interfaces);
|
exec("ls /sys/class/net | grep -v lo", $interfaces);
|
||||||
echo json_encode($interfaces);
|
echo json_encode($interfaces);
|
||||||
?>
|
?>
|
||||||
|
@ -1,10 +1,12 @@
|
|||||||
<?php
|
<?php
|
||||||
session_start();
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
include_once('../../includes/config.php');
|
include_once('../../includes/config.php');
|
||||||
include_once('../../includes/functions.php');
|
include_once('../../includes/functions.php');
|
||||||
|
|
||||||
|
|
||||||
if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
|
if(isset($_POST['interface'])) {
|
||||||
$int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);
|
$int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);
|
||||||
if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) {
|
if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) {
|
||||||
touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini');
|
touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini');
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
<?php
|
<?php
|
||||||
session_start();
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
include_once('../../includes/functions.php');
|
include_once('../../includes/functions.php');
|
||||||
|
|
||||||
if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
|
if(isset($_POST['interface'])) {
|
||||||
$int = preg_replace('/[^a-z0-9]/','',$_POST['interface']);
|
$int = preg_replace('/[^a-z0-9]/','',$_POST['interface']);
|
||||||
exec('ip a s '.$int,$intOutput,$intResult);
|
exec('ip a s '.$int,$intOutput,$intResult);
|
||||||
$intOutput = array_map('htmlentities', $intOutput);
|
$intOutput = array_map('htmlentities', $intOutput);
|
||||||
|
@ -1,8 +1,10 @@
|
|||||||
<?php
|
<?php
|
||||||
session_start();
|
|
||||||
|
require('includes/csrf.php');
|
||||||
|
|
||||||
include_once('../../includes/config.php');
|
include_once('../../includes/config.php');
|
||||||
include_once('../../includes/functions.php');
|
include_once('../../includes/functions.php');
|
||||||
if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
|
if(isset($_POST['interface'])) {
|
||||||
$int = $_POST['interface'];
|
$int = $_POST['interface'];
|
||||||
$cfg = [];
|
$cfg = [];
|
||||||
$file = $int.".ini";
|
$file = $int.".ini";
|
||||||
|
@ -6,34 +6,30 @@ function DisplayAuthConfig($username, $password)
|
|||||||
{
|
{
|
||||||
$status = new StatusMessages();
|
$status = new StatusMessages();
|
||||||
if (isset($_POST['UpdateAdminPassword'])) {
|
if (isset($_POST['UpdateAdminPassword'])) {
|
||||||
if (CSRFValidate()) {
|
if (password_verify($_POST['oldpass'], $password)) {
|
||||||
if (password_verify($_POST['oldpass'], $password)) {
|
$new_username=trim($_POST['username']);
|
||||||
$new_username=trim($_POST['username']);
|
if ($_POST['newpass'] !== $_POST['newpassagain']) {
|
||||||
if ($_POST['newpass'] !== $_POST['newpassagain']) {
|
$status->addMessage('New passwords do not match', 'danger');
|
||||||
$status->addMessage('New passwords do not match', 'danger');
|
} elseif ($new_username == '') {
|
||||||
} elseif ($new_username == '') {
|
$status->addMessage('Username must not be empty', 'danger');
|
||||||
$status->addMessage('Username must not be empty', 'danger');
|
|
||||||
} else {
|
|
||||||
if (!file_exists(RASPI_ADMIN_DETAILS)) {
|
|
||||||
$tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
|
|
||||||
fclose($tmpauth);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
|
|
||||||
fwrite($auth_file, $new_username.PHP_EOL);
|
|
||||||
fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
|
|
||||||
fclose($auth_file);
|
|
||||||
$username = $new_username;
|
|
||||||
$status->addMessage('Admin password updated');
|
|
||||||
} else {
|
|
||||||
$status->addMessage('Failed to update admin password', 'danger');
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
$status->addMessage('Old password does not match', 'danger');
|
if (!file_exists(RASPI_ADMIN_DETAILS)) {
|
||||||
|
$tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
|
||||||
|
fclose($tmpauth);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
|
||||||
|
fwrite($auth_file, $new_username.PHP_EOL);
|
||||||
|
fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
|
||||||
|
fclose($auth_file);
|
||||||
|
$username = $new_username;
|
||||||
|
$status->addMessage('Admin password updated');
|
||||||
|
} else {
|
||||||
|
$status->addMessage('Failed to update admin password', 'danger');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
error_log('CSRF violation');
|
$status->addMessage('Old password does not match', 'danger');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
@ -44,7 +40,7 @@ function DisplayAuthConfig($username, $password)
|
|||||||
<div class="panel-body">
|
<div class="panel-body">
|
||||||
<p><?php $status->showMessages(); ?></p>
|
<p><?php $status->showMessages(); ?></p>
|
||||||
<form role="form" action="?page=auth_conf" method="POST">
|
<form role="form" action="?page=auth_conf" method="POST">
|
||||||
<?php CSRFToken() ?>
|
<?php echo CSRFTokenFieldTag() ?>
|
||||||
<div class="row">
|
<div class="row">
|
||||||
<div class="form-group col-md-4">
|
<div class="form-group col-md-4">
|
||||||
<label for="username"><?php echo _("Username"); ?></label>
|
<label for="username"><?php echo _("Username"); ?></label>
|
||||||
|
@ -53,7 +53,7 @@ function DisplayWPAConfig()
|
|||||||
if (isset($_POST['connect'])) {
|
if (isset($_POST['connect'])) {
|
||||||
$result = 0;
|
$result = 0;
|
||||||
exec('sudo wpa_cli -i ' . RASPI_WPA_CTRL_INTERFACE . ' select_network '.strval($_POST['connect']));
|
exec('sudo wpa_cli -i ' . RASPI_WPA_CTRL_INTERFACE . ' select_network '.strval($_POST['connect']));
|
||||||
} elseif (isset($_POST['client_settings']) && CSRFValidate()) {
|
} elseif (isset($_POST['client_settings'])) {
|
||||||
$tmp_networks = $networks;
|
$tmp_networks = $networks;
|
||||||
if ($wpa_file = fopen('/tmp/wifidata', 'w')) {
|
if ($wpa_file = fopen('/tmp/wifidata', 'w')) {
|
||||||
fwrite($wpa_file, 'ctrl_interface=DIR=' . RASPI_WPA_CTRL_INTERFACE . ' GROUP=netdev' . PHP_EOL);
|
fwrite($wpa_file, 'ctrl_interface=DIR=' . RASPI_WPA_CTRL_INTERFACE . ' GROUP=netdev' . PHP_EOL);
|
||||||
@ -182,7 +182,7 @@ function DisplayWPAConfig()
|
|||||||
</div>
|
</div>
|
||||||
|
|
||||||
<form method="POST" action="?page=wpa_conf" name="wpa_conf_form">
|
<form method="POST" action="?page=wpa_conf" name="wpa_conf_form">
|
||||||
<?php CSRFToken() ?>
|
<?php echo CSRFTokenFieldTag() ?>
|
||||||
<input type="hidden" name="client_settings" ?>
|
<input type="hidden" name="client_settings" ?>
|
||||||
<script>
|
<script>
|
||||||
function showPassword(index) {
|
function showPassword(index) {
|
||||||
|
11
includes/csrf.php
Normal file
11
includes/csrf.php
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
include_once('includes/functions.php');
|
||||||
|
include_once('includes/session.php');
|
||||||
|
|
||||||
|
if (csrfValidateRequest() && !CSRFValidate()) {
|
||||||
|
handleInvalidCSRFToken();
|
||||||
|
}
|
||||||
|
|
||||||
|
ensureCSRFSessionToken();
|
||||||
|
header('X-CSRF-Token', $_SESSION['csrf_token']);
|
@ -12,64 +12,60 @@ function DisplayDHCPConfig()
|
|||||||
|
|
||||||
$status = new StatusMessages();
|
$status = new StatusMessages();
|
||||||
if (isset($_POST['savedhcpdsettings'])) {
|
if (isset($_POST['savedhcpdsettings'])) {
|
||||||
if (CSRFValidate()) {
|
$errors = '';
|
||||||
$errors = '';
|
define('IFNAMSIZ', 16);
|
||||||
define('IFNAMSIZ', 16);
|
if (!preg_match('/^[a-zA-Z0-9]+$/', $_POST['interface']) ||
|
||||||
if (!preg_match('/^[a-zA-Z0-9]+$/', $_POST['interface']) ||
|
strlen($_POST['interface']) >= IFNAMSIZ) {
|
||||||
strlen($_POST['interface']) >= IFNAMSIZ) {
|
$errors .= _('Invalid interface name.').'<br />'.PHP_EOL;
|
||||||
$errors .= _('Invalid interface name.').'<br />'.PHP_EOL;
|
}
|
||||||
|
|
||||||
|
if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeStart']) &&
|
||||||
|
!empty($_POST['RangeStart'])) { // allow ''/null ?
|
||||||
|
$errors .= _('Invalid DHCP range start.').'<br />'.PHP_EOL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeEnd']) &&
|
||||||
|
!empty($_POST['RangeEnd'])) { // allow ''/null ?
|
||||||
|
$errors .= _('Invalid DHCP range end.').'<br />'.PHP_EOL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!ctype_digit($_POST['RangeLeaseTime']) && $_POST['RangeLeaseTimeUnits'] !== 'infinite') {
|
||||||
|
$errors .= _('Invalid DHCP lease time, not a number.').'<br />'.PHP_EOL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!in_array($_POST['RangeLeaseTimeUnits'], array('m', 'h', 'd', 'infinite'))) {
|
||||||
|
$errors .= _('Unknown DHCP lease time unit.').'<br />'.PHP_EOL;
|
||||||
|
}
|
||||||
|
|
||||||
|
$return = 1;
|
||||||
|
if (empty($errors)) {
|
||||||
|
$config = 'interface='.$_POST['interface'].PHP_EOL.
|
||||||
|
'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].
|
||||||
|
',255.255.255.0,';
|
||||||
|
if ($_POST['RangeLeaseTimeUnits'] !== 'infinite') {
|
||||||
|
$config .= $_POST['RangeLeaseTime'];
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeStart']) &&
|
$config .= $_POST['RangeLeaseTimeUnits'].PHP_EOL;
|
||||||
!empty($_POST['RangeStart'])) { // allow ''/null ?
|
|
||||||
$errors .= _('Invalid DHCP range start.').'<br />'.PHP_EOL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeEnd']) &&
|
for ($i=0; $i < count($_POST["static_leases"]["mac"]); $i++) {
|
||||||
!empty($_POST['RangeEnd'])) { // allow ''/null ?
|
$mac = trim($_POST["static_leases"]["mac"][$i]);
|
||||||
$errors .= _('Invalid DHCP range end.').'<br />'.PHP_EOL;
|
$ip = trim($_POST["static_leases"]["ip"][$i]);
|
||||||
}
|
if ($mac != "" && $ip != "") {
|
||||||
|
$config .= "dhcp-host=$mac,$ip".PHP_EOL;
|
||||||
if (!ctype_digit($_POST['RangeLeaseTime']) && $_POST['RangeLeaseTimeUnits'] !== 'infinite') {
|
|
||||||
$errors .= _('Invalid DHCP lease time, not a number.').'<br />'.PHP_EOL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!in_array($_POST['RangeLeaseTimeUnits'], array('m', 'h', 'd', 'infinite'))) {
|
|
||||||
$errors .= _('Unknown DHCP lease time unit.').'<br />'.PHP_EOL;
|
|
||||||
}
|
|
||||||
|
|
||||||
$return = 1;
|
|
||||||
if (empty($errors)) {
|
|
||||||
$config = 'interface='.$_POST['interface'].PHP_EOL.
|
|
||||||
'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].
|
|
||||||
',255.255.255.0,';
|
|
||||||
if ($_POST['RangeLeaseTimeUnits'] !== 'infinite') {
|
|
||||||
$config .= $_POST['RangeLeaseTime'];
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$config .= $_POST['RangeLeaseTimeUnits'].PHP_EOL;
|
|
||||||
|
|
||||||
for ($i=0; $i < count($_POST["static_leases"]["mac"]); $i++) {
|
|
||||||
$mac = trim($_POST["static_leases"]["mac"][$i]);
|
|
||||||
$ip = trim($_POST["static_leases"]["ip"][$i]);
|
|
||||||
if ($mac != "" && $ip != "") {
|
|
||||||
$config .= "dhcp-host=$mac,$ip".PHP_EOL;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
file_put_contents("/tmp/dhcpddata", $config);
|
|
||||||
system('sudo cp /tmp/dhcpddata '.RASPI_DNSMASQ_CONFIG, $return);
|
|
||||||
} else {
|
|
||||||
$status->addMessage($errors, 'danger');
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($return == 0) {
|
file_put_contents("/tmp/dhcpddata", $config);
|
||||||
$status->addMessage('Dnsmasq configuration updated successfully', 'success');
|
system('sudo cp /tmp/dhcpddata '.RASPI_DNSMASQ_CONFIG, $return);
|
||||||
} else {
|
|
||||||
$status->addMessage('Dnsmasq configuration failed to be updated.', 'danger');
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
error_log('CSRF violation');
|
$status->addMessage($errors, 'danger');
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($return == 0) {
|
||||||
|
$status->addMessage('Dnsmasq configuration updated successfully', 'success');
|
||||||
|
} else {
|
||||||
|
$status->addMessage('Dnsmasq configuration failed to be updated.', 'danger');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -77,36 +73,28 @@ function DisplayDHCPConfig()
|
|||||||
$dnsmasq_state = ($dnsmasq[0] > 0);
|
$dnsmasq_state = ($dnsmasq[0] > 0);
|
||||||
|
|
||||||
if (isset($_POST['startdhcpd'])) {
|
if (isset($_POST['startdhcpd'])) {
|
||||||
if (CSRFValidate()) {
|
if ($dnsmasq_state) {
|
||||||
if ($dnsmasq_state) {
|
$status->addMessage('dnsmasq already running', 'info');
|
||||||
$status->addMessage('dnsmasq already running', 'info');
|
|
||||||
} else {
|
|
||||||
exec('sudo /etc/init.d/dnsmasq start', $dnsmasq, $return);
|
|
||||||
if ($return == 0) {
|
|
||||||
$status->addMessage('Successfully started dnsmasq', 'success');
|
|
||||||
$dnsmasq_state = true;
|
|
||||||
} else {
|
|
||||||
$status->addMessage('Failed to start dnsmasq', 'danger');
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
error_log('CSRF violation');
|
exec('sudo /etc/init.d/dnsmasq start', $dnsmasq, $return);
|
||||||
|
if ($return == 0) {
|
||||||
|
$status->addMessage('Successfully started dnsmasq', 'success');
|
||||||
|
$dnsmasq_state = true;
|
||||||
|
} else {
|
||||||
|
$status->addMessage('Failed to start dnsmasq', 'danger');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} elseif (isset($_POST['stopdhcpd'])) {
|
} elseif (isset($_POST['stopdhcpd'])) {
|
||||||
if (CSRFValidate()) {
|
if ($dnsmasq_state) {
|
||||||
if ($dnsmasq_state) {
|
exec('sudo /etc/init.d/dnsmasq stop', $dnsmasq, $return);
|
||||||
exec('sudo /etc/init.d/dnsmasq stop', $dnsmasq, $return);
|
if ($return == 0) {
|
||||||
if ($return == 0) {
|
$status->addMessage('Successfully stopped dnsmasq', 'success');
|
||||||
$status->addMessage('Successfully stopped dnsmasq', 'success');
|
$dnsmasq_state = false;
|
||||||
$dnsmasq_state = false;
|
|
||||||
} else {
|
|
||||||
$status->addMessage('Failed to stop dnsmasq', 'danger');
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
$status->addMessage('dnsmasq already stopped', 'info');
|
$status->addMessage('Failed to stop dnsmasq', 'danger');
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
error_log('CSRF violation');
|
$status->addMessage('dnsmasq already stopped', 'info');
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if ($dnsmasq_state) {
|
if ($dnsmasq_state) {
|
||||||
|
@ -54,17 +54,32 @@ function safefilerewrite($fileName, $dataToSave)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Saves a CSRF token in the session
|
||||||
|
*/
|
||||||
|
function ensureCSRFSessionToken()
|
||||||
|
{
|
||||||
|
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* Add CSRF Token to form
|
* Add CSRF Token to form
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
function CSRFToken()
|
function CSRFTokenFieldTag()
|
||||||
{
|
{
|
||||||
?>
|
$token = htmlspecialchars($_SESSION['csrf_token']);
|
||||||
<input id="csrf_token" type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES);
|
return '<input type="hidden" name="csrf_token" value="' . $token . '">';
|
||||||
; ?>" />
|
}
|
||||||
<?php
|
|
||||||
|
/**
|
||||||
|
* Retuns a CSRF meta tag (for use with xhr, for example)
|
||||||
|
*/
|
||||||
|
function CSRFMetaTag()
|
||||||
|
{
|
||||||
|
$token = htmlspecialchars($_SESSION['csrf_token']);
|
||||||
|
return '<meta name="csrf_token" content="' . $token . '">';
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -74,7 +89,19 @@ function CSRFToken()
|
|||||||
*/
|
*/
|
||||||
function CSRFValidate()
|
function CSRFValidate()
|
||||||
{
|
{
|
||||||
if (hash_equals($_POST['csrf_token'], $_SESSION['csrf_token'])) {
|
$post_token = $_POST['csrf_token'];
|
||||||
|
$header_token = $_SERVER['HTTP_X_CSRF_TOKEN'];
|
||||||
|
|
||||||
|
if (empty($post_token) && empty($header_token)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$request_token = $post_token;
|
||||||
|
if (empty($post_token)) {
|
||||||
|
$request_token = $header_token;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (hash_equals($_SESSION['csrf_token'], $request_token)) {
|
||||||
return true;
|
return true;
|
||||||
} else {
|
} else {
|
||||||
error_log('CSRF violation');
|
error_log('CSRF violation');
|
||||||
@ -82,6 +109,26 @@ function CSRFValidate()
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Should the request be CSRF-validated?
|
||||||
|
*/
|
||||||
|
function csrfValidateRequest()
|
||||||
|
{
|
||||||
|
$request_method = strtolower($_SERVER['REQUEST_METHOD']);
|
||||||
|
return in_array($request_method, [ "post", "put", "patch", "delete" ]);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Handle invalid CSRF
|
||||||
|
*/
|
||||||
|
function handleInvalidCSRFToken()
|
||||||
|
{
|
||||||
|
header('HTTP/1.1 500 Internal Server Error');
|
||||||
|
header('Content-Type: text/plain');
|
||||||
|
echo 'Invalid CSRF token';
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Test whether array is associative
|
* Test whether array is associative
|
||||||
*/
|
*/
|
||||||
|
@ -22,34 +22,22 @@ function DisplayHostAPDConfig()
|
|||||||
exec("ip -o link show | awk -F': ' '{print $2}'", $interfaces);
|
exec("ip -o link show | awk -F': ' '{print $2}'", $interfaces);
|
||||||
|
|
||||||
if (isset($_POST['SaveHostAPDSettings'])) {
|
if (isset($_POST['SaveHostAPDSettings'])) {
|
||||||
if (CSRFValidate()) {
|
SaveHostAPDConfig($arrSecurity, $arrEncType, $arr80211Standard, $interfaces, $status);
|
||||||
SaveHostAPDConfig($arrSecurity, $arrEncType, $arr80211Standard, $interfaces, $status);
|
|
||||||
} else {
|
|
||||||
error_log('CSRF violation');
|
|
||||||
}
|
|
||||||
} elseif (isset($_POST['StartHotspot'])) {
|
} elseif (isset($_POST['StartHotspot'])) {
|
||||||
if (CSRFValidate()) {
|
$status->addMessage('Attempting to start hotspot', 'info');
|
||||||
$status->addMessage('Attempting to start hotspot', 'info');
|
if ($arrHostapdConf['WifiAPEnable'] == 1) {
|
||||||
if ($arrHostapdConf['WifiAPEnable'] == 1) {
|
exec('sudo /etc/raspap/hostapd/servicestart.sh --interface uap0 --seconds 3', $return);
|
||||||
exec('sudo /etc/raspap/hostapd/servicestart.sh --interface uap0 --seconds 3', $return);
|
|
||||||
} else {
|
|
||||||
exec('sudo /etc/raspap/hostapd/servicestart.sh --seconds 5', $return);
|
|
||||||
}
|
|
||||||
foreach ($return as $line) {
|
|
||||||
$status->addMessage($line, 'info');
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
error_log('CSRF violation');
|
exec('sudo /etc/raspap/hostapd/servicestart.sh --seconds 5', $return);
|
||||||
|
}
|
||||||
|
foreach ($return as $line) {
|
||||||
|
$status->addMessage($line, 'info');
|
||||||
}
|
}
|
||||||
} elseif (isset($_POST['StopHotspot'])) {
|
} elseif (isset($_POST['StopHotspot'])) {
|
||||||
if (CSRFValidate()) {
|
$status->addMessage('Attempting to stop hotspot', 'info');
|
||||||
$status->addMessage('Attempting to stop hotspot', 'info');
|
exec('sudo /etc/init.d/hostapd stop', $return);
|
||||||
exec('sudo /etc/init.d/hostapd stop', $return);
|
foreach ($return as $line) {
|
||||||
foreach ($return as $line) {
|
$status->addMessage($line, 'info');
|
||||||
$status->addMessage($line, 'info');
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
error_log('CSRF violation');
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -95,7 +83,7 @@ function DisplayHostAPDConfig()
|
|||||||
<div class="tab-pane fade in active" id="basic">
|
<div class="tab-pane fade in active" id="basic">
|
||||||
|
|
||||||
<h4><?php echo _("Basic settings") ;?></h4>
|
<h4><?php echo _("Basic settings") ;?></h4>
|
||||||
<?php CSRFToken() ?>
|
<?php echo CSRFTokenFieldTag() ?>
|
||||||
<div class="row">
|
<div class="row">
|
||||||
<div class="form-group col-md-4">
|
<div class="form-group col-md-4">
|
||||||
<label for="cbxinterface"><?php echo _("Interface") ;?></label>
|
<label for="cbxinterface"><?php echo _("Interface") ;?></label>
|
||||||
|
@ -16,8 +16,6 @@ function DisplayNetworkingConfig()
|
|||||||
foreach ($interfaces as $interface) {
|
foreach ($interfaces as $interface) {
|
||||||
exec("ip a show $interface", $$interface);
|
exec("ip a show $interface", $$interface);
|
||||||
}
|
}
|
||||||
|
|
||||||
CSRFToken();
|
|
||||||
?>
|
?>
|
||||||
|
|
||||||
<div class="row">
|
<div class="row">
|
||||||
|
5
includes/session.php
Normal file
5
includes/session.php
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
if (session_status() == PHP_SESSION_NONE) {
|
||||||
|
session_start();
|
||||||
|
}
|
@ -63,13 +63,9 @@ function DisplaySystem()
|
|||||||
$status = new StatusMessages();
|
$status = new StatusMessages();
|
||||||
|
|
||||||
if (isset($_POST['SaveLanguage'])) {
|
if (isset($_POST['SaveLanguage'])) {
|
||||||
if (CSRFValidate()) {
|
if (isset($_POST['locale'])) {
|
||||||
if (isset($_POST['locale'])) {
|
$_SESSION['locale'] = $_POST['locale'];
|
||||||
$_SESSION['locale'] = $_POST['locale'];
|
$status->addMessage('Language setting saved', 'success');
|
||||||
$status->addMessage('Language setting saved', 'success');
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
error_log('CSRF violation');
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -204,7 +200,7 @@ if (isset($_POST['system_shutdown'])) {
|
|||||||
|
|
||||||
<div role="tabpanel" class="tab-pane" id="language">
|
<div role="tabpanel" class="tab-pane" id="language">
|
||||||
<h4><?php echo _("Language settings") ;?></h4>
|
<h4><?php echo _("Language settings") ;?></h4>
|
||||||
<?php CSRFToken() ?>
|
<?php echo CSRFTokenFieldTag() ?>
|
||||||
<div class="row">
|
<div class="row">
|
||||||
<div class="form-group col-md-4">
|
<div class="form-group col-md-4">
|
||||||
<label for="code"><?php echo _("Select a language"); ?></label>
|
<label for="code"><?php echo _("Select a language"); ?></label>
|
||||||
|
12
index.php
12
index.php
@ -18,7 +18,7 @@
|
|||||||
* @see http://sirlagz.net/2013/02/08/raspap-webgui/
|
* @see http://sirlagz.net/2013/02/08/raspap-webgui/
|
||||||
*/
|
*/
|
||||||
|
|
||||||
session_start();
|
require('includes/csrf.php');
|
||||||
|
|
||||||
include_once('includes/config.php');
|
include_once('includes/config.php');
|
||||||
include_once(RASPI_CONFIG.'/raspap.php');
|
include_once(RASPI_CONFIG.'/raspap.php');
|
||||||
@ -39,15 +39,6 @@ include_once('includes/about.php');
|
|||||||
$output = $return = 0;
|
$output = $return = 0;
|
||||||
$page = $_GET['page'];
|
$page = $_GET['page'];
|
||||||
|
|
||||||
if (empty($_SESSION['csrf_token'])) {
|
|
||||||
if (function_exists('mcrypt_create_iv')) {
|
|
||||||
$_SESSION['csrf_token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
|
|
||||||
} else {
|
|
||||||
$_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
$csrf_token = $_SESSION['csrf_token'];
|
|
||||||
|
|
||||||
if (!isset($_COOKIE['theme'])) {
|
if (!isset($_COOKIE['theme'])) {
|
||||||
$theme = "custom.css";
|
$theme = "custom.css";
|
||||||
} else {
|
} else {
|
||||||
@ -60,6 +51,7 @@ $theme_url = 'dist/css/'.htmlspecialchars($theme, ENT_QUOTES);
|
|||||||
<html lang="en">
|
<html lang="en">
|
||||||
<head>
|
<head>
|
||||||
<meta charset="utf-8">
|
<meta charset="utf-8">
|
||||||
|
<?php echo CSRFMetaTag() ?>
|
||||||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||||
<meta name="description" content="">
|
<meta name="description" content="">
|
||||||
|
31
js/custom.js
31
js/custom.js
@ -19,7 +19,7 @@ function createNetmaskAddr(bitCount) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function loadSummary(strInterface) {
|
function loadSummary(strInterface) {
|
||||||
$.post('/ajax/networking/get_ip_summary.php',{interface:strInterface,csrf_token:csrf},function(data){
|
$.post('/ajax/networking/get_ip_summary.php',{interface:strInterface},function(data){
|
||||||
jsonData = JSON.parse(data);
|
jsonData = JSON.parse(data);
|
||||||
console.log(jsonData);
|
console.log(jsonData);
|
||||||
if(jsonData['return'] == 0) {
|
if(jsonData['return'] == 0) {
|
||||||
@ -50,7 +50,7 @@ function setupTabs() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function loadCurrentSettings(strInterface) {
|
function loadCurrentSettings(strInterface) {
|
||||||
$.post('/ajax/networking/get_int_config.php',{interface:strInterface,csrf_token:csrf},function(data){
|
$.post('/ajax/networking/get_int_config.php',{interface:strInterface},function(data){
|
||||||
jsonData = JSON.parse(data);
|
jsonData = JSON.parse(data);
|
||||||
$.each(jsonData['output'],function(i,v) {
|
$.each(jsonData['output'],function(i,v) {
|
||||||
var int = v['interface'];
|
var int = v['interface'];
|
||||||
@ -102,7 +102,6 @@ function saveNetworkSettings(int) {
|
|||||||
}
|
}
|
||||||
});
|
});
|
||||||
arrFormData['interface'] = int;
|
arrFormData['interface'] = int;
|
||||||
arrFormData['csrf_token'] = csrf;
|
|
||||||
$.post('/ajax/networking/save_int_config.php',arrFormData,function(data){
|
$.post('/ajax/networking/save_int_config.php',arrFormData,function(data){
|
||||||
//console.log(data);
|
//console.log(data);
|
||||||
var jsonData = JSON.parse(data);
|
var jsonData = JSON.parse(data);
|
||||||
@ -113,7 +112,6 @@ function saveNetworkSettings(int) {
|
|||||||
function applyNetworkSettings() {
|
function applyNetworkSettings() {
|
||||||
var int = $(this).data('int');
|
var int = $(this).data('int');
|
||||||
arrFormData = {};
|
arrFormData = {};
|
||||||
arrFormData['csrf_token'] = csrf;
|
|
||||||
arrFormData['generate'] = '';
|
arrFormData['generate'] = '';
|
||||||
$.post('/ajax/networking/gen_int_config.php',arrFormData,function(data){
|
$.post('/ajax/networking/gen_int_config.php',arrFormData,function(data){
|
||||||
console.log(data);
|
console.log(data);
|
||||||
@ -162,8 +160,22 @@ function setupBtns() {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
$().ready(function(){
|
function setCSRFTokenHeader(event, xhr, settings) {
|
||||||
csrf = $('#csrf_token').val();
|
var csrfToken = $('meta[name=csrf_token]').attr('content');
|
||||||
|
if (/^(POST|PATCH|PUT|DELETE)$/i.test(settings.type)) {
|
||||||
|
xhr.setRequestHeader("X-CSRF-Token", csrfToken);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function updateCSRFTokens(event, xhr, settings) {
|
||||||
|
var newToken = xhr.getResponseHeader("X-CSRF-Token");
|
||||||
|
if (newToken) {
|
||||||
|
$('meta[name=csrf_token]').attr('content', newToken);
|
||||||
|
$('[name=csrf_token]:input').attr('value', newToken);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function contentLoaded() {
|
||||||
pageCurrent = window.location.href.split("?")[1].split("=")[1];
|
pageCurrent = window.location.href.split("?")[1].split("=")[1];
|
||||||
pageCurrent = pageCurrent.replace("#","");
|
pageCurrent = pageCurrent.replace("#","");
|
||||||
$('#side-menu').metisMenu();
|
$('#side-menu').metisMenu();
|
||||||
@ -174,6 +186,9 @@ $().ready(function(){
|
|||||||
setupBtns();
|
setupBtns();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
});
|
}
|
||||||
|
|
||||||
|
|
||||||
|
$(document)
|
||||||
|
.ajaxSend(setCSRFTokenHeader)
|
||||||
|
.ajaxComplete(updateCSRFTokens)
|
||||||
|
.ready(contentLoaded);
|
||||||
|
Loading…
Reference in New Issue
Block a user