From 8abf075e2f8dbf044b9f5bb98bc27f0e1c61dca4 Mon Sep 17 00:00:00 2001
From: YuFei Zhu
Date: Mon, 30 Apr 2012 17:09:11 +0100
Subject: [PATCH] enable act=del url check for auth tokens for csrf attacks

---
 src/messenger/webim/libs/common.php | 24 +++++++++++++++-------
 src/messenger/webim/operator/operators.php | 2 ++
 src/messenger/webim/view/agents.php | 4 ++--
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php
index 4c934032..f91fde5e 100644
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
@@ -690,17 +690,22 @@ function jspath()
 
 /* authorization token check for CSRF attack */
 function csrfchecktoken(){
+	/* if auth token not set, set it now */
 	if(!isset($_SESSION['csrf_token'])){
 		$_SESSION['csrf_token']=sha1(rand(10000000,99999999));
-	}
-	// check the turing code
-	if ($_SERVER['REQUEST_METHOD'] == 'POST'){
-		//if token match
-		if(!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])){
+	}
 
-			die("CSRF failure");
-		}
+	// check the turing code for post requests and del requests
+	if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+		//if token match
+		if(!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])){
+
+			die("CSRF failure");
 		}
+	} else if($_GET['act'] == 'del' && $_GET['csrf_token'] != $_SESSION['csrf_token']){
+
+		die("CSRF failure");
+	}
 }
 
 /* print csrf token as a hidden field*/
@@ -708,4 +713,9 @@ function print_csrf_token_input(){
 	echo "";
 }
 
+/* print csrf token in url format */
+function print_csrf_token_in_url(){
+	echo "&csrf_token=".$_SESSION['csrf_token'];
+}
+
 ?>
diff --git a/src/messenger/webim/operator/operators.php b/src/messenger/webim/operator/operators.php
index b73d976f..d725b220 100644
--- a/src/messenger/webim/operator/operators.php
+++ b/src/messenger/webim/operator/operators.php
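Review bot: The new `else if` arm in csrfchecktoken() compares the GET token with loose `!=` and reads `$_GET['act']` and `$_GET['csrf_token']` without `isset`, so the branch emits undefined-index notices on every plain GET and, because both operands are strings, falls into PHP's numeric-string comparison rules rather than a byte-for-byte check. Tighten it to `} else if(isset($_GET['act']) && $_GET['act'] == 'del' && (!isset($_GET['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_GET['csrf_token']))){` (`hash_equals` needs PHP 5.6+; on older runtimes use `!==`), and apply the same constant-time, strict comparison to the POST branch above it. The token itself is still `sha1(rand(10000000,99999999))`, i.e. one of about 9e7 values from a non-cryptographic PRNG; on PHP 7+ `bin2hex(random_bytes(16))` gives a token an attacker cannot enumerate or predict, and on older versions a CSPRNG source such as `openssl_random_pseudo_bytes` should be used. Note also that only `act=del` is guarded on the GET path, so any other state-changing GET action in the operator pages stays unprotected unless it is migrated to POST.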
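Review bot: print_csrf_token_in_url() writes the session-wide CSRF token into a GET query string, which means the token will be recorded in browser history, proxy and web-server access logs, and sent in the Referer header of any page the operator navigates to from the listing; a token that leaks this way defeats the check the commit introduces. The more robust fix is to issue deletions from a small POST form that uses the existing `print_csrf_token_input()`, so the token never appears in a URL; if the link form must stay, at least emit it as `echo "&csrf_token=".urlencode($_SESSION['csrf_token']);` so the output is correct if the token format ever stops being hex. A doc comment stating this limitation would help, e.g. `/* print csrf token as a query parameter; tokens in URLs can leak via logs and Referer, prefer POST forms */`.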
@@ -22,6 +22,8 @@ require_once('../libs/common.php'); require_once('../libs/operator.php'); +csrfchecktoken(); + $operator = check_login(); if (isset($_GET['act']) && $_GET['act'] == 'del') { diff --git a/src/messenger/webim/view/agents.php b/src/messenger/webim/view/agents.php index b544f11b..add00d1a 100644 --- a/src/messenger/webim/view/agents.php +++ b/src/messenger/webim/view/agents.php @@ -86,7 +86,7 @@ require_once('inc_errors.php'); - + remove @@ -106,4 +106,4 @@ $('a.removelink').click(function(){ } /* content */ require_once('inc_main.php'); -?> \ No newline at end of file +?>
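Review bot: `csrfchecktoken();` is called before `$operator = check_login();`, so a token is minted into every unauthenticated session that hits this page and a request with a missing or wrong token dies with "CSRF failure" before the login check has run. Moving the call to the line after `$operator = check_login();` keeps the token check scoped to authenticated operators and preserves the normal login redirect for anonymous requests; it still runs before the `act == 'del'` handler that follows. This assumes check_login() does not itself need the token and that the session is already started by common.php (it is not visible in this hunk).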