From 3c0c880661b445342d272fb21ea261ae7ef36931 Mon Sep 17 00:00:00 2001
From: Dmitriy Simushev
Date: Tue, 17 Mar 2015 14:41:31 +0000
Subject: [PATCH] Add CSRF protection for password recovery forms
---
 .../Controller/PasswordRecoveryController.php | 22 +++++++++++++++++--
 .../server_side/password_recovery.handlebars | 2 ++
 .../password_recovery_reset.handlebars | 2 ++
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/mibew/libs/classes/Mibew/Controller/PasswordRecoveryController.php b/src/mibew/libs/classes/Mibew/Controller/PasswordRecoveryController.php
index 80689989..9a6bddc6 100644
--- a/src/mibew/libs/classes/Mibew/Controller/PasswordRecoveryController.php
+++ b/src/mibew/libs/classes/Mibew/Controller/PasswordRecoveryController.php
@@ -38,6 +38,8 @@ class PasswordRecoveryController extends AbstractController
      */
     public function indexAction(Request $request)
     {
+        set_csrf_token();
+
         if ($this->getOperator()) {
             // If the operator is logged in just redirect him to the home page.
             return $this->redirect($request->getUriForPath('/operator'));
@@ -53,7 +55,14 @@ class PasswordRecoveryController extends AbstractController
         );
         $login_or_email = '';
-        if ($request->request->has('loginoremail')) {
+        if ($request->isMethod('POST')) {
+            // When HTTP GET method is used the form is just rendered but the
+            // user does not pass any data. Thus we need to prevent CSRF attacks
+            // only for POST requests
+            csrf_check_token($request);
+        }
+
+        if ($request->isMethod('POST') && $request->request->has('loginoremail')) {
             $login_or_email = $request->request->get('loginoremail');
             $to_restore = MailUtils::isValidAddress($login_or_email)
@@ -123,6 +132,8 @@ class PasswordRecoveryController extends AbstractController
      */
     public function resetAction(Request $request)
     {
+        set_csrf_token();
+
         $page = array(
             'version' => MIBEW_VERSION,
             'showform' => true,
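Review bot: `set_csrf_token()` is called unconditionally at the top of indexAction, before the POST branch in the hunk at @@ -53 calls `csrf_check_token($request)`, so a successful check depends on set_csrf_token() leaving an already-issued session token in place rather than minting a fresh one on every request; that contract is not visible in this file. A short comment at the call site would pin it down: `// Issues the session token if absent; must not rotate an existing one, csrf_check_token() compares against it.` The same ordering is introduced in resetAction in the hunk at @@ -123. indexAction continues past the end of this hunk.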
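Review bot: The `$request->isMethod('POST')` guard added to the second `if` looks redundant next to `$request->request->has('loginoremail')`, but it is what keeps the CSRF check and the form handling in step: Symfony's `Request::createFromGlobals()` also parses a form-encoded body into `$request->request` for PUT, PATCH and DELETE, and for those methods the first `if` skips `csrf_check_token($request)`. Because the two conditions are only kept in sync by hand, either nest the `has('loginoremail')` branch inside the POST block so a later edit cannot bypass the check, or document the coupling on the second `if`: `// Only POST is CSRF-checked above; do not accept form data from other methods.` The same two-step pattern appears in resetAction (hunks at @@ -133 and @@ -159), and the explanatory comment is duplicated verbatim there — one shared sentence, or a small private helper wrapping the check, would avoid drift between the two actions. The body of indexAction continues beyond this hunk.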
@@ -133,6 +144,13 @@ class PasswordRecoveryController extends AbstractController
             'errors' => array(),
         );
+        if ($request->isMethod('POST')) {
+            // When HTTP GET method is used the form is just rendered but the
+            // user does not pass any data. Thus we need to prevent CSRF attacks
+            // only for POST requests
+            csrf_check_token($request);
+        }
+
         // Make sure user id is specified and its format is correct.
         $op_id = $request->isMethod('GET')
             ? $request->query->get('id')
@@ -159,7 +177,7 @@ class PasswordRecoveryController extends AbstractController
             $page['showform'] = false;
         }
-        if (count($page['errors']) == 0 && $request->request->has('password')) {
+        if (count($page['errors']) == 0 && $request->isMethod('POST') && $request->request->has('password')) {
             $password = $request->request->get('password');
             $password_confirm = $request->request->get('passwordConfirm');
diff --git a/src/mibew/styles/pages/default/templates_src/server_side/password_recovery.handlebars b/src/mibew/styles/pages/default/templates_src/server_side/password_recovery.handlebars
index 5ba72268..d0ceb08f 100644
--- a/src/mibew/styles/pages/default/templates_src/server_side/password_recovery.handlebars
+++ b/src/mibew/styles/pages/default/templates_src/server_side/password_recovery.handlebars
@@ -19,6 +19,8 @@
 {{else}}
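Review bot: The rewritten condition in the hunk at @@ -159 keeps the loose `count($page['errors']) == 0` while adding the strict method check; since the line is being touched anyway, `$page['errors'] === []` (or `empty($page['errors'])`) states the intent directly and removes a loose comparison from the branch that changes the password. A one-line comment there would also tie the guard to the check made earlier in resetAction: `// CSRF was verified above for POST; only POST bodies may change the password.` resetAction continues beyond this hunk.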
+ {{csrfTokenInput}}
+
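Review bot: `{{csrfTokenInput}}` is emitted with double braces, and depending on how the template engine treats helper output that can HTML-escape the result; if the helper builds the hidden `<input>` markup itself, confirm that its return value is rendered unescaped, otherwise the token field appears as literal text and every submission of this form fails the new csrf_check_token() call. A template comment would settle it for the next reader: `{{! csrfTokenInput renders a hidden input; the helper must return unescaped markup }}`. The same applies to password_recovery_reset.handlebars in the next file section; the surrounding form markup of this hunk is not visible here.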
diff --git a/src/mibew/styles/pages/default/templates_src/server_side/password_recovery_reset.handlebars b/src/mibew/styles/pages/default/templates_src/server_side/password_recovery_reset.handlebars
index a0d8df90..07d54d22 100644
--- a/src/mibew/styles/pages/default/templates_src/server_side/password_recovery_reset.handlebars
+++ b/src/mibew/styles/pages/default/templates_src/server_side/password_recovery_reset.handlebars
@@ -19,6 +19,8 @@
 {{else}}
+ {{csrfTokenInput}}
+