diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php
index 7a23952a..8a0d63c4 100644
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
@@ -765,4 +765,24 @@ function jspath()
 return "js/$jsver";
 }
-?>
\ No newline at end of file
+/* authorization token check for CSRF attack */
+function csrfchecktoken(){
+ if(!isset($_SESSION['csrf_token'])){
+ $_SESSION['csrf_token']=sha1(rand(10000000,99999999));
+ }
+ // check the turing code
+ if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+ //if token match
+ if(!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])){
+ die("CSRF failure");
+ }
+ }
+}
+
+/* print csrf token as a hidden field*/
+function print_csrf_token_input(){
+ echo "";
+}
+
+?>
diff --git a/src/messenger/webim/libs/operator_settings.php b/src/messenger/webim/libs/operator_settings.php
index 1ede6ef7..1fc9d64a 100644
--- a/src/messenger/webim/libs/operator_settings.php
+++ b/src/messenger/webim/libs/operator_settings.php
@@ -36,4 +36,4 @@ function setup_operator_settings_tabs($opId, $active)
 }
 }
-?>
\ No newline at end of file
+?>
diff --git a/src/messenger/webim/operator/cannededit.php b/src/messenger/webim/operator/cannededit.php
index a1c07453..fed68d2f 100644
--- a/src/messenger/webim/operator/cannededit.php
+++ b/src/messenger/webim/operator/cannededit.php
@@ -24,6 +24,8 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/pagination.php');
+csrfchecktoken();
+
 $operator = check_login();
 loadsettings();
diff --git a/src/messenger/webim/operator/operator.php b/src/messenger/webim/operator/operator.php
index bd7e5c09..946c4021 100644
--- a/src/messenger/webim/operator/operator.php
+++ b/src/messenger/webim/operator/operator.php
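Review bot: The token in `csrfchecktoken()` is derived from `sha1(rand(10000000,99999999))`, which yields fewer than 2^27 distinct values from a non-cryptographic generator, and the submitted value is compared with `!=`, a loose comparison under which a hex digest of the form `0e<digits>` compares equal to other numeric strings such as `"0"`. Generate the token from a CSPRNG and compare it strictly and in constant time: `$_SESSION['csrf_token'] = bin2hex(random_bytes(32));` and `if (!isset($_POST['csrf_token']) || !is_string($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token']))` (`random_bytes()` needs PHP 7 and `hash_equals()` PHP 5.6; if the project targets older PHP, `openssl_random_pseudo_bytes()` and `===` are the fallback). The comment `// check the turing code` describes nothing in this function and looks carried over from elsewhere; `// reject a POST whose token does not match the one stored in the session` would match the code. The `echo "";` in `print_csrf_token_input()` appears to have lost its hidden-input markup in extraction; as shown it emits nothing, so every form relying on it would fail the check.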
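Review bot: `csrfchecktoken()` is called before `$operator = check_login();`, so it relies on the session already being started by one of the `require_once` libraries above it; if the session is not started at include time, `$_SESSION` is unset here, a fresh token is stored in a non-persistent array on every request, and every POST to this page would end in `die("CSRF failure")`. The operator.php and settings.php hunks place the call the same way. Moving the call after `check_login()`, e.g. `$operator = check_login();` followed by `csrfchecktoken();`, would also let an unauthenticated POST receive the normal login handling rather than a bare `die`. Worth confirming where `session_start()` is invoked; the enclosing script continues outside the hunk.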
@@ -23,6 +23,8 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/operator_settings.php');
+csrfchecktoken();
+
 $operator = check_login();
 $page = array('opid' => '');
diff --git a/src/messenger/webim/operator/settings.php b/src/messenger/webim/operator/settings.php
index 057c7ae3..913ef0fe 100644
--- a/src/messenger/webim/operator/settings.php
+++ b/src/messenger/webim/operator/settings.php
@@ -24,6 +24,8 @@ require_once('../libs/operator.php');
 require_once('../libs/settings.php');
 require_once('../libs/styles.php');
+csrfchecktoken();
+
 $operator = check_login();
 force_password($operator);
@@ -116,4 +118,4 @@ prepare_menu($operator);
 setup_settings_tabs(0);
 start_html_output();
 require('../view/settings.php');
-?>
\ No newline at end of file
+?>
diff --git a/src/messenger/webim/view/agent.php b/src/messenger/webim/view/agent.php
index 1049139a..207da650 100644
--- a/src/messenger/webim/view/agent.php
+++ b/src/messenger/webim/view/agent.php
@@ -50,6 +50,10 @@ require_once('inc_errors.php');