Add CSRF protection for password recovery forms

2025-02-07 08:14:42 +03:00 · 2015-03-17 14:41:31 +00:00 · 2015-03-17 14:41:31 +00:00 · 3c0c880661
commit 3c0c880661
parent e122d020eb
3 changed files with 24 additions and 2 deletions
--- a/src/mibew/libs/classes/Mibew/Controller/PasswordRecoveryController.php
+++ b/src/mibew/libs/classes/Mibew/Controller/PasswordRecoveryController.php
@ -38,6 +38,8 @@ class PasswordRecoveryController extends AbstractController
     */
    public function indexAction(Request $request)
    {
+        set_csrf_token();
+
        if ($this->getOperator()) {
            // If the operator is logged in just redirect him to the home page.
            return $this->redirect($request->getUriForPath('/operator'));
@ -53,7 +55,14 @@ class PasswordRecoveryController extends AbstractController
        );
        $login_or_email = '';

-        if ($request->request->has('loginoremail')) {
+        if ($request->isMethod('POST')) {
+            // When HTTP GET method is used the form is just rendered but the
+            // user does not pass any data. Thus we need to prevent CSRF attacks
+            // only for POST requests
+            csrf_check_token($request);
+        }
+
+        if ($request->isMethod('POST') && $request->request->has('loginoremail')) {
            $login_or_email = $request->request->get('loginoremail');

            $to_restore = MailUtils::isValidAddress($login_or_email)
@ -123,6 +132,8 @@ class PasswordRecoveryController extends AbstractController
     */
    public function resetAction(Request $request)
    {
+        set_csrf_token();
+
        $page = array(
            'version' => MIBEW_VERSION,
            'showform' => true,
@ -133,6 +144,13 @@ class PasswordRecoveryController extends AbstractController
            'errors' => array(),
        );

+        if ($request->isMethod('POST')) {
+            // When HTTP GET method is used the form is just rendered but the
+            // user does not pass any data. Thus we need to prevent CSRF attacks
+            // only for POST requests
+            csrf_check_token($request);
+        }
+
        // Make sure user id is specified and its format is correct.
        $op_id = $request->isMethod('GET')
            ? $request->query->get('id')
@ -159,7 +177,7 @@ class PasswordRecoveryController extends AbstractController
            $page['showform'] = false;
        }

-        if (count($page['errors']) == 0 && $request->request->has('password')) {
+        if (count($page['errors']) == 0 && $request->isMethod('POST') && $request->request->has('password')) {
            $password = $request->request->get('password');
            $password_confirm = $request->request->get('passwordConfirm');

--- a/src/mibew/styles/pages/default/templates_src/server_side/password_recovery.handlebars
+++ b/src/mibew/styles/pages/default/templates_src/server_side/password_recovery.handlebars
@ -19,6 +19,8 @@
            </div>
        {{else}}
            <form name="restoreForm" method="post" action="{{route "password_recovery"}}">
+                {{csrfTokenInput}}
+
                <div id="login-pane">

                    <div class="header">
--- a/src/mibew/styles/pages/default/templates_src/server_side/password_recovery_reset.handlebars
+++ b/src/mibew/styles/pages/default/templates_src/server_side/password_recovery_reset.handlebars
@ -19,6 +19,8 @@
            </div>
        {{else}}
            <form name="resetForm" method="post" action="{{route "password_recovery_reset"}}">
+                {{csrfTokenInput}}
+
                <input type="hidden" name="id" value="{{id}}"/>
                <input type="hidden" name="token" value="{{token}}"/>