having token checks on POST forms

Conflicts: src/messenger/webim/operator/cannededit.php
2025-01-22 18:10:34 +03:00 · 2012-04-30 16:41:55 +01:00 · 2012-04-30 16:41:55 +01:00 · 5e75270cd0
commit 5e75270cd0
parent 2d793bcb94
8 changed files with 43 additions and 6 deletions
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
@ -765,4 +765,24 @@ function jspath()
 	return "js/$jsver";
 }
 /* authorization token check for CSRF attack */
 function csrfchecktoken(){
  if(!isset($_SESSION['csrf_token'])){
      $_SESSION['csrf_token']=sha1(rand(10000000,99999999));
    }
 		// check the turing code
    if ($_SERVER['REQUEST_METHOD'] == 'POST'){
      //if token match
      if(!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])){
        die("CSRF failure");
      }
    }
 }
 /* print csrf token as a hidden field*/
 function print_csrf_token_input(){
  echo "<input name='csrf_token' type='hidden' value='".$_SESSION['csrf_token']."' />";
 }
 ?>
--- a/src/messenger/webim/operator/cannededit.php
+++ b/src/messenger/webim/operator/cannededit.php
@ -24,6 +24,8 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/pagination.php');
 csrfchecktoken();
 $operator = check_login();
 loadsettings();
--- a/src/messenger/webim/operator/operator.php
+++ b/src/messenger/webim/operator/operator.php
@ -23,6 +23,8 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/operator_settings.php');
 csrfchecktoken();
 $operator = check_login();
 $page = array('opid' => '');
--- a/src/messenger/webim/operator/settings.php
+++ b/src/messenger/webim/operator/settings.php
@ -24,6 +24,8 @@ require_once('../libs/operator.php');
 require_once('../libs/settings.php');
 require_once('../libs/styles.php');
 csrfchecktoken();
 $operator = check_login();
 force_password($operator);
--- a/src/messenger/webim/view/agent.php
+++ b/src/messenger/webim/view/agent.php
@ -50,6 +50,10 @@ require_once('inc_errors.php');
 <?php if( $page['opid'] || $page['canmodify'] ) { ?>
 <form name="agentForm" method="post" action="<?php echo $webimroot ?>/operator/operator.php">
 <!-- add auth token -->
 <?php print_csrf_token_input() ?>
 <input type="hidden" name="opid" value="<?php echo $page['opid'] ?>"/>
 	<div>
 <?php if(!$page['needChangePassword']) { print_tabbar(); } ?>
--- a/src/messenger/webim/view/cannededit.php
+++ b/src/messenger/webim/view/cannededit.php
@ -44,6 +44,10 @@ require_once('inc_errors.php');
 ?>
 <form name="cannedForm" method="post" action="<?php echo $webimroot ?>/operator/cannededit.php">
 <!-- add auth token -->
 <?php print_csrf_token_input() ?>
 <input type="hidden" name="key" value="<?php echo $page['key'] ?>"/>
 <?php if(!$page['key']) { ?>
 <input type="hidden" name="lang" value="<?php echo $page['locale'] ?>"/>
--- a/src/messenger/webim/view/settings.php
+++ b/src/messenger/webim/view/settings.php
@ -40,6 +40,9 @@ require_once('inc_errors.php');
 <form name="settings" method="post" action="<?php echo $webimroot ?>/operator/settings.php">
 <!-- add auth token -->
 <?php print_csrf_token_input() ?>
 	<div>
 <?php print_tabbar(); ?>
 	<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">