mirror of https://github.com/billz/raspap-webgui.git synced 2023-10-10 13:37:24 +02:00

always verify csrf token for resource-modifying requests,

that is post, put, patch, delete
glaszig 2019-07-30 17:05:00 +02:00
parent 93b458197a
commit f989b8060b
2 changed files with 24 additions and 0 deletions


@ -82,6 +82,26 @@ function CSRFValidate()
} }
} }
/**
* Should the request be CSRF-validated?
*/
function csrfValidateRequest()
{
$request_method = strtolower($_SERVER['REQUEST_METHOD']);
return in_array($request_method, [ "post", "put", "patch", "delete" ]);
}
/**
* Handle invalid CSRF
*/
function handleInvalidCSRFToken()
{
header('HTTP/1.1 500 Internal Server Error');
header('Content-Type: text/plain');
echo 'Invalid CSRF token';
exit;
}
/** /**
* Test whether array is associative * Test whether array is associative
*/ */
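Review bot: handleInvalidCSRFToken() answers a rejected token with `HTTP/1.1 500 Internal Server Error`, so in access logs and monitoring a refused request looks the same as a server fault. A 403 describes the outcome better, e.g. `http_response_code(403);`. Unless CSRFValidate() (defined above this hunk) already logs the failure, an `error_log()` line with the request method and URI before `exit` would give operators something to alert on. In csrfValidateRequest(), `in_array()` is called without the strict flag; `in_array($request_method, ['post', 'put', 'patch', 'delete'], true)` is the tighter form. Its docblock could also state that GET, HEAD and OPTIONS are deliberately skipped, so handlers must not change state on those methods.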


@ -39,6 +39,10 @@ include_once('includes/about.php');
$output = $return = 0; $output = $return = 0;
$page = $_GET['page']; $page = $_GET['page'];
if (csrfValidateRequest() && !CSRFValidate()) {
handleInvalidCSRFToken();
}
if (empty($_SESSION['csrf_token'])) { if (empty($_SESSION['csrf_token'])) {
if (function_exists('mcrypt_create_iv')) { if (function_exists('mcrypt_create_iv')) {
$_SESSION['csrf_token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); $_SESSION['csrf_token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
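Review bot: The guard `if (csrfValidateRequest() && !CSRFValidate())` runs before the block that creates `$_SESSION['csrf_token']`, so a POST on a session that has no token yet is checked against an unset value. CSRFValidate() is outside this hunk, so confirm that it returns false when the session token is empty instead of accepting an empty submitted token. The check keys only on the HTTP method, so any page selected through `$_GET['page']` that changes state on a GET request would still be unprotected; the page handlers are worth auditing for that. A comment above the guard such as `// Reject state-changing requests without a valid CSRF token before any page handler runs` would document why it must stay ahead of the dispatch code. The token-generation `if` block continues past the end of the hunk.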