Add token checks on POST forms

YuFei Zhu 2012-04-30 16:41:55 +01:00
parent 1ab3efb86f
commit b84b439358
8 changed files with 44 additions and 7 deletions


@ -688,4 +688,24 @@ function jspath()
return "js/$jsver"; return "js/$jsver";
} }
?> /* authorization token check for CSRF attack */
function csrfchecktoken(){
if(!isset($_SESSION['csrf_token'])){
$_SESSION['csrf_token']=sha1(rand(10000000,99999999));
}
// check the turing code
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
//if token match
if(!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])){
die("CSRF failure");
}
}
}
/* print csrf token as a hidden field*/
function print_csrf_token_input(){
echo "<input name='csrf_token' type='hidden' value='".$_SESSION['csrf_token']."' />";
}
?>
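Review bot: The token minted at line 17 is `sha1(rand(10000000,99999999))`, which draws from a non-cryptographic generator over a range of roughly 90 million values, and the check at line 22 compares it with loose `!=`, so the new check is weaker than it needs to be. Generate the token from a CSPRNG, `$_SESSION['csrf_token'] = bin2hex(random_bytes(32));` (or `openssl_random_pseudo_bytes()` on PHP older than 7), and compare with `hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])`, which is also timing-safe. In `print_csrf_token_input()` the value should still go through `htmlspecialchars()` before being placed in the attribute, even though a hex token happens to be safe today. The comment `// check the turing code` on line 19 looks copied from elsewhere and should read `// on POST, require the submitted token to match the session token`. Both functions rely on a session already being active, which is not visible in this hunk and should be confirmed at the call sites.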


@ -44,4 +44,4 @@ function setup_operator_settings_tabs($opId, $active)
} }
} }
?> ?>


@ -23,6 +23,8 @@ require_once('../libs/common.php');
require_once('../libs/operator.php'); require_once('../libs/operator.php');
require_once('../libs/pagination.php'); require_once('../libs/pagination.php');
csrfchecktoken();
function load_message($key) function load_message($key)
{ {
global $mysqlprefix; global $mysqlprefix;
@ -101,4 +103,4 @@ prepare_menu($operator, false);
start_html_output(); start_html_output();
require('../view/cannededit.php'); require('../view/cannededit.php');
exit; exit;
?> ?>
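Review bot: `csrfchecktoken();` runs before `$operator = check_login();` in the two following sections (lines 60-61 and 69-70) and, as far as this hunk shows, here as well, so the check depends on the session having been started by an earlier include such as common.php rather than by check_login; if it has not, the token written inside csrfchecktoken() is never persisted and every POST would end in `die("CSRF failure")`. The ordering also means an unauthenticated POST is answered with that bare string instead of the usual login handling. Unless common.php is known to start the session, placing the call after `$operator = check_login();` is the safer order. The same point applies to the operator and settings controllers in the next two sections; the body around this call in those files is outside their hunks.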


@ -23,6 +23,8 @@ require_once('../libs/common.php');
require_once('../libs/operator.php'); require_once('../libs/operator.php');
require_once('../libs/operator_settings.php'); require_once('../libs/operator_settings.php');
csrfchecktoken();
$operator = check_login(); $operator = check_login();
$page = array('opid' => ''); $page = array('opid' => '');


@ -23,6 +23,8 @@ require_once('../libs/common.php');
require_once('../libs/operator.php'); require_once('../libs/operator.php');
require_once('../libs/settings.php'); require_once('../libs/settings.php');
csrfchecktoken();
$operator = check_login(); $operator = check_login();
$page = array('agentId' => ''); $page = array('agentId' => '');
@ -104,4 +106,4 @@ prepare_menu($operator);
setup_settings_tabs(0); setup_settings_tabs(0);
start_html_output(); start_html_output();
require('../view/settings.php'); require('../view/settings.php');
?> ?>


@ -50,6 +50,10 @@ require_once('inc_errors.php');
<?php if( $page['opid'] || $page['canmodify'] ) { ?> <?php if( $page['opid'] || $page['canmodify'] ) { ?>
<form name="agentForm" method="post" action="<?php echo $webimroot ?>/operator/operator.php"> <form name="agentForm" method="post" action="<?php echo $webimroot ?>/operator/operator.php">
<!-- add auth token -->
<?php print_csrf_token_input() ?>
<input type="hidden" name="opid" value="<?php echo $page['opid'] ?>"/> <input type="hidden" name="opid" value="<?php echo $page['opid'] ?>"/>
<div> <div>
<?php if(!$page['needChangePassword']) { print_tabbar(); } ?> <?php if(!$page['needChangePassword']) { print_tabbar(); } ?>
@ -130,4 +134,4 @@ require_once('inc_errors.php');
} /* content */ } /* content */
require_once('inc_main.php'); require_once('inc_main.php');
?> ?>
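Review bot: The HTML comment `<!-- add auth token -->` at line 83 is shipped to every client and mislabels the field, which is a CSRF token rather than an auth token; a PHP comment keeps it server-side, e.g. `<?php /* CSRF token checked by csrfchecktoken() */ print_csrf_token_input() ?>`. print_csrf_token_input() reads `$_SESSION['csrf_token']` directly, so the hidden field is only populated if csrfchecktoken() already ran earlier in the same request; that holds for the controllers changed in this commit but nothing in the template enforces it. The same comment and call appear in the cannededit and settings form sections (lines 98-99 and 112-113).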


@ -44,6 +44,10 @@ require_once('inc_errors.php');
?> ?>
<form name="cannedForm" method="post" action="<?php echo $webimroot ?>/operator/cannededit.php"> <form name="cannedForm" method="post" action="<?php echo $webimroot ?>/operator/cannededit.php">
<!-- add auth token -->
<?php print_csrf_token_input() ?>
<input type="hidden" name="key" value="<?php echo $page['key'] ?>"/> <input type="hidden" name="key" value="<?php echo $page['key'] ?>"/>
<?php if(!$page['key']) { ?> <?php if(!$page['key']) { ?>
<input type="hidden" name="lang" value="<?php echo $page['locale'] ?>"/> <input type="hidden" name="lang" value="<?php echo $page['locale'] ?>"/>
@ -73,4 +77,4 @@ require_once('inc_errors.php');
} /* content */ } /* content */
require_once('inc_main.php'); require_once('inc_main.php');
?> ?>


@ -40,6 +40,9 @@ require_once('inc_errors.php');
<form name="settings" method="post" action="<?php echo $webimroot ?>/operator/settings.php"> <form name="settings" method="post" action="<?php echo $webimroot ?>/operator/settings.php">
<!-- add auth token -->
<?php print_csrf_token_input() ?>
<div> <div>
<?php print_tabbar(); ?> <?php print_tabbar(); ?>
<div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner"> <div class="mform"><div class="formtop"><div class="formtopi"></div></div><div class="forminner">
@ -155,4 +158,4 @@ require_once('inc_errors.php');
} /* content */ } /* content */
require_once('inc_main.php'); require_once('inc_main.php');
?> ?>