diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php index e40b1a8d..7208284e 100644 --- a/src/messenger/webim/libs/common.php +++ b/src/messenger/webim/libs/common.php @@ -523,7 +523,7 @@ function no_field($key) function failed_uploading_file($filename, $key) { return getlocal2("errors.failed.uploading.file", - array($filename, getlocal($key))); + array($filename, getlocal($key))); } function wrong_field($key) 
@@ -766,43 +766,47 @@ function jspath() } /* authorization token check for CSRF attack */ -function csrfchecktoken(){ - setcsrftoken(); +function csrfchecktoken() +{ + setcsrftoken(); - // check the turing code for post requests and del requests - if ($_SERVER['REQUEST_METHOD'] == 'POST'){ - //if token match - if(!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])){ + // check the turing code for post requests and del requests + if ($_SERVER['REQUEST_METHOD'] == 'POST') { + //if token match + if (!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])) { - die("CSRF failure"); - } - } else if(isset($_GET['act'])){ - if(($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']){ - - die("CSRF failure"); - } - } + die("CSRF failure"); + } + } else if (isset($_GET['act'])) { + if (($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']) { + + die("CSRF failure"); + } + } } /* print csrf token as a hidden field*/ -function print_csrf_token_input(){ - setcsrftoken(); +function print_csrf_token_input() +{ + setcsrftoken(); - echo "<input name='csrf_token' type='hidden' value='".$_SESSION['csrf_token']."' />"; + echo "<input name='csrf_token' type='hidden' value='" . $_SESSION['csrf_token'] . "' />"; } /* print csrf token in url format */ -function print_csrf_token_in_url(){ - setcsrftoken(); - - echo "&csrf_token=".$_SESSION['csrf_token']; +function print_csrf_token_in_url() +{ + setcsrftoken(); + + echo "&csrf_token=" . $_SESSION['csrf_token']; } /* set csrf token */ -function setcsrftoken(){ - if(!isset($_SESSION['csrf_token'])){ - $_SESSION['csrf_token']=sha1(rand(10000000,99999999)); - } +function setcsrftoken() +{ + if (!isset($_SESSION['csrf_token'])) { + $_SESSION['csrf_token'] = sha1(rand(10000000, 99999999)); + } } ?> 
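Review bot: The token that `csrfchecktoken()` compares is still minted in `setcsrftoken()` as `sha1(rand(10000000, 99999999))`, so it spans at most ~9×10^7 values from a non-cryptographic generator, and the restyled checks compare it with `!=`, a loose and non-constant-time comparison; the GET branch also reads `$_GET['csrf_token']` with no `isset()` guard. Generate the token from a CSPRNG and compare with `hash_equals()` after confirming the value is a string, subject to the project's minimum PHP version (the `array()` syntax and closing `?>` suggest an older baseline, so `openssl_random_pseudo_bytes()` may be safer than `random_bytes()` here). `die("CSRF failure")` also answers with HTTP 200; emitting `header('HTTP/1.1 403 Forbidden');` first lets proxies and logs see the rejection. The `print_csrf_token_input()` and `print_csrf_token_in_url()` bodies in this hunk are unaffected.
```php
function csrfchecktoken()
{
    setcsrftoken();

    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        if (!isset($_POST['csrf_token']) || !is_string($_POST['csrf_token'])
            || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
            header('HTTP/1.1 403 Forbidden');
            die("CSRF failure");
        }
    } else if (isset($_GET['act'])) {
        if (($_GET['act'] == 'del' || $_GET['act'] == 'delete')
            && (!isset($_GET['csrf_token']) || !is_string($_GET['csrf_token'])
                || !hash_equals($_SESSION['csrf_token'], $_GET['csrf_token']))) {
            header('HTTP/1.1 403 Forbidden');
            die("CSRF failure");
        }
    }
}

// … unchanged: print_csrf_token_input(), print_csrf_token_in_url() …

function setcsrftoken()
{
    if (!isset($_SESSION['csrf_token'])) {
        // 128 bits from a CSPRNG instead of sha1(rand()), which only spans ~9e7 values
        $_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(16));
    }
}
```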
diff --git a/src/messenger/webim/operator/avatar.php b/src/messenger/webim/operator/avatar.php index 2479adac..26f062b5 100644 --- a/src/messenger/webim/operator/avatar.php +++ b/src/messenger/webim/operator/avatar.php @@ -23,9 +23,8 @@ require_once('../libs/common.php'); require_once('../libs/operator.php'); require_once('../libs/operator_settings.php'); -csrfchecktoken(); - $operator = check_login(); +csrfchecktoken(); $opId = verifyparam("op", "/^\d{1,9}$/"); $page = array('opid' => $opId, 'avatar' => ''); diff --git a/src/messenger/webim/operator/canned.php b/src/messenger/webim/operator/canned.php index f21fc0a5..d66670f3 100644 --- a/src/messenger/webim/operator/canned.php +++ b/src/messenger/webim/operator/canned.php @@ -26,10 +26,9 @@ require_once('../libs/settings.php'); require_once('../libs/groups.php'); require_once('../libs/pagination.php'); -csrfchecktoken(); - $operator = check_login(); force_password($operator); +csrfchecktoken(); loadsettings(); diff --git a/src/messenger/webim/operator/cannededit.php b/src/messenger/webim/operator/cannededit.php index fed68d2f..baff9b86 100644 --- a/src/messenger/webim/operator/cannededit.php +++ b/src/messenger/webim/operator/cannededit.php @@ -24,9 +24,8 @@ require_once('../libs/common.php'); require_once('../libs/operator.php'); require_once('../libs/pagination.php'); -csrfchecktoken(); - $operator = check_login(); +csrfchecktoken(); loadsettings(); $stringid = verifyparam("key", "/^\d{0,9}$/", ""); diff --git a/src/messenger/webim/operator/features.php b/src/messenger/webim/operator/features.php index b5e834bd..dc693845 100644 --- a/src/messenger/webim/operator/features.php +++ b/src/messenger/webim/operator/features.php @@ -23,9 +23,8 @@ require_once('../libs/common.php'); require_once('../libs/operator.php'); require_once('../libs/settings.php'); -csrfchecktoken(); - $operator = check_login(); +csrfchecktoken(); $page = array('agentId' => ''); $errors = array(); 
diff --git a/src/messenger/webim/operator/operator.php b/src/messenger/webim/operator/operator.php index 946c4021..9ef25b8a 100644 --- a/src/messenger/webim/operator/operator.php +++ b/src/messenger/webim/operator/operator.php @@ -23,9 +23,8 @@ require_once('../libs/common.php'); require_once('../libs/operator.php'); require_once('../libs/operator_settings.php'); -csrfchecktoken(); - $operator = check_login(); +csrfchecktoken(); $page = array('opid' => ''); $errors = array(); diff --git a/src/messenger/webim/operator/operators.php b/src/messenger/webim/operator/operators.php index c2e8b06e..d8c08288 100644 --- a/src/messenger/webim/operator/operators.php +++ b/src/messenger/webim/operator/operators.php @@ -22,11 +22,9 @@ require_once('../libs/common.php'); require_once('../libs/operator.php'); -csrfchecktoken(); - $operator = check_login(); force_password($operator); - +csrfchecktoken(); if (isset($_GET['act'])) { diff --git a/src/messenger/webim/operator/performance.php b/src/messenger/webim/operator/performance.php index 58b5d25a..61c4108f 100644 --- a/src/messenger/webim/operator/performance.php +++ b/src/messenger/webim/operator/performance.php @@ -23,9 +23,8 @@ require_once('../libs/common.php'); require_once('../libs/operator.php'); require_once('../libs/settings.php'); -csrfchecktoken(); - $operator = check_login(); +csrfchecktoken(); $page = array('agentId' => ''); $errors = array(); diff --git a/src/messenger/webim/operator/permissions.php b/src/messenger/webim/operator/permissions.php index 79bd67f7..a8074abb 100644 --- a/src/messenger/webim/operator/permissions.php +++ b/src/messenger/webim/operator/permissions.php @@ -23,8 +23,8 @@ require_once('../libs/common.php'); require_once('../libs/operator.php'); require_once('../libs/operator_settings.php'); -csrfchecktoken(); $operator = check_login(); +csrfchecktoken(); function update_operator_permissions($operatorid, $newvalue) { 
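Review bot: In the operators.php hunk the `if (isset($_GET['act'])) {` dispatcher now runs right after `csrfchecktoken()`, but that helper only validates `csrf_token` when `act` is exactly `del` or `delete` and reads `$_GET['csrf_token']` without an `isset()` guard, so any other state-changing `act` value handled in this dispatcher (its body lies outside the hunk) would pass without a token. If further mutating actions exist here, either add them to the GET branch of `csrfchecktoken()` or, preferably, move deletion to a POST form that carries `print_csrf_token_input()` so the GET-with-token path can be retired. A comment above the dispatcher such as `// csrfchecktoken() only guards act=del|delete on GET; other acts must not mutate state` would make that contract visible to the next maintainer.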
diff --git a/src/messenger/webim/operator/settings.php b/src/messenger/webim/operator/settings.php index 913ef0fe..4f4275bf 100644 --- a/src/messenger/webim/operator/settings.php +++ b/src/messenger/webim/operator/settings.php @@ -24,10 +24,9 @@ require_once('../libs/operator.php'); require_once('../libs/settings.php'); require_once('../libs/styles.php'); -csrfchecktoken(); - $operator = check_login(); force_password($operator); +csrfchecktoken(); $page = array('agentId' => ''); $errors = array(); diff --git a/src/messenger/webim/operator/translate.php b/src/messenger/webim/operator/translate.php index 669da9a7..76856f2d 100644 --- a/src/messenger/webim/operator/translate.php +++ b/src/messenger/webim/operator/translate.php @@ -23,8 +23,6 @@ require_once('../libs/common.php'); require_once('../libs/operator.php'); require_once('../libs/pagination.php'); -csrfchecktoken(); - function compare_localization_by_l1($a, $b) { if ($a == $b) { @@ -122,7 +120,7 @@ function get_auxiliary($s) $operator = check_login(); force_password($operator); - +csrfchecktoken(); $source = verifyparam("source", "/^[\w-]{2,5}$/", $default_locale); $target = verifyparam("target", "/^[\w-]{2,5}$/", $current_locale); diff --git a/src/messenger/webim/view/agent.php b/src/messenger/webim/view/agent.php index 207da650..e8bb8bdc 100644 --- a/src/messenger/webim/view/agent.php +++ b/src/messenger/webim/view/agent.php @@ -50,10 +50,7 @@ require_once('inc_errors.php'); <?php if( $page['opid'] || $page['canmodify'] ) { ?> <form name="agentForm" method="post" action="<?php echo $webimroot ?>/operator/operator.php"> - -<!-- add auth token --> <?php print_csrf_token_input() ?> - <input type="hidden" name="opid" value="<?php echo $page['opid'] ?>"/> <div> <?php if(!$page['needChangePassword']) { print_tabbar(); } ?> diff --git a/src/messenger/webim/view/avatar.php b/src/messenger/webim/view/avatar.php index b949f2f6..3219f8ce 100644 --- a/src/messenger/webim/view/avatar.php 
+++ b/src/messenger/webim/view/avatar.php @@ -36,10 +36,7 @@ require_once('inc_errors.php'); ?> <form name="avatarForm" method="post" action="<?php echo $webimroot ?>/operator/avatar.php" enctype="multipart/form-data"> - -<!-- add csrf token --> <?php print_csrf_token_input() ?> - <input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/> <div> <?php print_tabbar(); ?> diff --git a/src/messenger/webim/view/cannededit.php b/src/messenger/webim/view/cannededit.php index 9f15f211..ef1e54a7 100644 --- a/src/messenger/webim/view/cannededit.php +++ b/src/messenger/webim/view/cannededit.php @@ -44,10 +44,7 @@ require_once('inc_errors.php'); ?> <form name="cannedForm" method="post" action="<?php echo $webimroot ?>/operator/cannededit.php"> - -<!-- add auth token --> <?php print_csrf_token_input() ?> - <input type="hidden" name="key" value="<?php echo $page['key'] ?>"/> <?php if(!$page['key']) { ?> <input type="hidden" name="lang" value="<?php echo $page['locale'] ?>"/> diff --git a/src/messenger/webim/view/features.php b/src/messenger/webim/view/features.php index 5f6c2667..c5d5c345 100644 --- a/src/messenger/webim/view/features.php +++ b/src/messenger/webim/view/features.php @@ -85,10 +85,7 @@ require_once('inc_errors.php'); <?php } ?> <form name="features" method="post" action="<?php echo $webimroot ?>/operator/features.php"> - -<!-- add auth token --> <?php print_csrf_token_input() ?> - <input type="hidden" name="sent" value="true"/> <div> <?php print_tabbar(); ?> diff --git a/src/messenger/webim/view/performance.php b/src/messenger/webim/view/performance.php index 1a0cde2f..881796d8 100644 --- a/src/messenger/webim/view/performance.php +++ b/src/messenger/webim/view/performance.php 
@@ -39,10 +39,7 @@ require_once('inc_errors.php'); <?php } ?> <form name="performance" method="post" action="<?php echo $webimroot ?>/operator/performance.php"> - -<!-- add auth token --> <?php print_csrf_token_input() ?> - <div> <?php print_tabbar(); ?> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> diff --git a/src/messenger/webim/view/permissions.php b/src/messenger/webim/view/permissions.php index 7bf433e8..4920e3a2 100644 --- a/src/messenger/webim/view/permissions.php +++ b/src/messenger/webim/view/permissions.php @@ -39,10 +39,7 @@ require_once('inc_errors.php'); <?php } ?> <form name="permissionsForm" method="post" action="<?php echo $webimroot ?>/operator/permissions.php"> - -<!-- add csrf token --> <?php print_csrf_token_input() ?> - <input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/> <div> <?php print_tabbar(); ?> diff --git a/src/messenger/webim/view/settings.php b/src/messenger/webim/view/settings.php index 82df63f7..cf91944c 100644 --- a/src/messenger/webim/view/settings.php +++ b/src/messenger/webim/view/settings.php @@ -39,10 +39,7 @@ require_once('inc_errors.php'); <?php } ?> <form name="settings" method="post" action="<?php echo $webimroot ?>/operator/settings.php"> - -<!-- add auth token --> <?php print_csrf_token_input() ?> - <div> <?php print_tabbar(); ?> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> diff --git a/src/messenger/webim/view/translate.php b/src/messenger/webim/view/translate.php index 0b72c222..9d62f4e0 100644 --- a/src/messenger/webim/view/translate.php +++ b/src/messenger/webim/view/translate.php 
@@ -44,10 +44,7 @@ require_once('inc_errors.php'); ?> <form name="translateForm" method="post" action="<?php echo $webimroot ?>/operator/translate.php"> - -<!-- add auth token --> <?php print_csrf_token_input() ?> - <input type="hidden" name="key" value="<?php echo $page['key'] ?>"/> <input type="hidden" name="target" value="<?php echo $page['target'] ?>"/> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">