added CSRF protection

This commit is contained in:
Roland Gruber 2015-05-15 19:16:46 +00:00
parent 10a47cb134
commit 35846435f4
11 changed files with 77 additions and 14 deletions


@ -1298,6 +1298,9 @@ class accountContainer {
* Prints the header of the account pages.
*/
private function printPageHeader() {
if (!empty($_POST)) {
validateSecurityToken();
}
include '../main_header.php';
echo '<script type="text/javascript">
jQuery(document).ready(function() {
@ -1306,6 +1309,7 @@ class accountContainer {
</script>';
echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
echo '<input type="hidden" name="account_randomID" value="' . $this->randomID . '">';
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
}
/**
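Review bot: The gate at the top of printPageHeader, `if (!empty($_POST))`, skips validateSecurityToken() for a multipart POST that carries only file parts, because PHP places those in `$_FILES` and leaves `$_POST` empty; the form printed a few lines below uses `enctype="multipart/form-data"`, so such a request is possible. A method-based gate, `if ($_SERVER['REQUEST_METHOD'] === 'POST') {`, closes that and does not depend on how the body was parsed; the same `!empty($_POST)` gate appears in every other section of this commit (the `if (!isLoggedIn())`, `checkIfWriteAccessIsAllowed` and `checkIfToolIsActive(...)` scripts), and the pdfmain.php form is also multipart. Separately, the check lives in a method whose job is to print the header; if the caller processes any POST data before printPageHeader() runs, that processing happens before the token is checked — the call order is outside this hunk and should be confirmed. The accountContainer class continues outside the hunk.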


@ -4,7 +4,7 @@
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Tilo Lutz
Copyright (C) 2007 - 2014 Roland Gruber
Copyright (C) 2007 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -62,6 +62,10 @@ if (!isLoggedIn()) {
// Set correct language, codepages, ....
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
if (isset($_POST['type']) && !preg_match('/^[a-z0-9_]+$/i', $_POST['type'])) {
logNewMessage(LOG_ERR, 'Invalid type: ' . $_POST['type']);
die();
@ -90,6 +94,7 @@ if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) {
echo "<div class=\"".$_GET['type']."-bright smallPaddingContent\">";
echo "<br>\n";
echo "<form action=\"delete.php\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo "<input name=\"type\" type=\"hidden\" value=\"" . $_GET['type'] . "\">\n";
echo "<b>" . _("Do you really want to remove the following accounts?") . "</b>";
echo "<br><br>\n";
@ -149,6 +154,7 @@ if (isset($_POST['delete'])) {
// Show HTML Page
include 'main_header.php';
echo "<form action=\"delete.php\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo "<input name=\"type\" type=\"hidden\" value=\"" . $_POST['type'] . "\">\n";
echo "<div class=\"".$_POST['type']."-bright smallPaddingContent\"><br>\n";
echo "<br>\n";
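Review bot: In the hunk headed `if (isset($_GET['type']) && isset($_SESSION['delete_dn']))`, `$_GET['type']` is written into the div class attribute and the hidden `type` input without the regex check the earlier hunk applies to `$_POST['type']`, so the new token input sits in a form whose other fields still reflect an unvalidated query parameter — unless the GET value is validated somewhere outside this hunk, which I cannot see. Applying the same gate next to the existing POST check, `if (isset($_GET['type']) && !preg_match('/^[a-z0-9_]+$/i', $_GET['type'])) { logNewMessage(LOG_ERR, 'Invalid type: ' . $_GET['type']); die(); }`, keeps the two paths consistent. The token validation itself is well placed here: it runs right after setlanguage(), before either form is rendered and before the `if (isset($_POST['delete']))` handler.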


@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2013 Roland Gruber
Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -46,6 +46,10 @@ if (!checkIfWriteAccessIsAllowed()) {
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// check if user already pressed button
if (isset($_POST['add_suff']) || isset($_POST['cancel'])) {
if (isset($_POST['add_suff'])) {
@ -191,6 +195,7 @@ include 'main_header.php';
$buttonContainer->addElement(new htmlButton('cancel', _("Cancel")));
$buttonContainer->addElement(new htmlHiddenInput('new_suff', implode(";", $new_suff)));
$container->addElement($buttonContainer);
addSecurityTokenToMetaHTML($container);
$tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, 'user');
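Review bot: `validateSecurityToken();` is called as a bare statement, so this script — and every other one in the commit — depends on the helper ending the request itself when the token does not match; nothing at the call sites checks a result, and the helper's definition is not part of this commit. A one-line comment above the call, `// validateSecurityToken() ends the request on a token mismatch; the POST handlers below rely on that`, records the contract the handlers assume — confirm that is the helper's behaviour before adding it. The same comment would serve the other sections' call sites, so it need only be written once in the helper's own docblock if that is preferred.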


@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2004 - 2014 Roland Gruber
Copyright (C) 2004 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -56,6 +56,10 @@ if (!isLoggedIn()) {
// Set correct language, codepages, ....
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// show LDIF if requested
if (isset($_GET['showldif'])) {
//download file
@ -258,6 +262,7 @@ else {
massPrintBackButton($scope, $selectedModules, $container);
}
addSecurityTokenToMetaHTML($container);
$tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, $scope);


@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2004 - 2013 Roland Gruber
Copyright (C) 2004 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -60,6 +60,10 @@ if (!isLoggedIn()) {
// Set correct language, codepages, ....
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// show CSV if requested
if (isset($_GET['getCSV'])) {
//download file
@ -211,6 +215,7 @@ if (!empty($types)) {
$table->addElement(new htmlButton('submit', _('Ok')), true);
}
addSecurityTokenToMetaHTML($table);
parseHtml(null, $table, array(), false, $tabindex, 'user');
?>
<script type="text/javascript">
@ -434,6 +439,7 @@ function showMainPage($scope, $selectedModules) {
}
$container->addElement($columnContainer, true);
addSecurityTokenToMetaHTML($container);
$tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, $scope);


@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2013 Roland Gruber
Copyright (C) 2013 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -47,6 +47,10 @@ checkIfToolIsActive('toolMultiEdit');
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
define('ADD', 'add');
define('MOD', 'mod');
define('DEL', 'del');
@ -71,7 +75,7 @@ function displayStartPage() {
// display main page
include 'main_header.php';
echo '<div class="user-bright smallPaddingContent">';
echo ("<form action=\"multiEdit.php\" method=\"post\">\n");
echo "<form action=\"multiEdit.php\" method=\"post\">\n";
$errors = array();
$tabindex = 1;
$container = new htmlTable();
@ -174,6 +178,7 @@ function displayStartPage() {
runActions($container);
}
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
echo ("</form>\n");


@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2012 Roland Gruber
Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -47,6 +47,10 @@ checkIfToolIsActive('toolOUEditor');
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
$types = $_SESSION['config']->get_ActiveTypes();
// check if deletion was canceled
@ -120,7 +124,8 @@ if (isset($_POST['createOU']) || isset($_POST['deleteOU'])) {
$container->addElement(new htmlButton('sure', _("Delete")));
$container->addElement(new htmlButton('abort', _("Cancel")));
$container->addElement(new htmlHiddenInput('deleteOU', 'submit'));
$container->addElement(new htmlHiddenInput('deletename', $_POST['deleteableOU']));
$container->addElement(new htmlHiddenInput('deletename', $_POST['deleteableOU']));
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
echo "</form>";
echo '</div>';
@ -145,7 +150,7 @@ function display_main($message, $error) {
// display main page
include 'main_header.php';
echo '<div class="user-bright smallPaddingContent">';
echo ("<form action=\"ou_edit.php\" method=\"post\">\n");
echo "<form action=\"ou_edit.php\" method=\"post\">\n";
$tabindex = 1;
$container = new htmlTable();
@ -208,6 +213,7 @@ function display_main($message, $error) {
$container->addElement(new htmlHelpLink('602'), true);
}
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
echo ("</form>\n");
echo '</div>';


@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner
2005 - 2014 Roland Gruber
2005 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -49,6 +49,10 @@ if (!checkIfWriteAccessIsAllowed()) die();
checkIfToolIsActive('toolPDFEditor');
if (!empty($_POST)) {
validateSecurityToken();
}
setlanguage();
// Unset pdf structure definitions in session if set
@ -163,6 +167,7 @@ include '../main_header.php';
?>
<div class="user-bright smallPaddingContent">
<form enctype="multipart/form-data" action="pdfmain.php" method="post" name="pdfmainForm" >
<input type="hidden" name="<?php echo getSecurityTokenName(); ?>" value="<?php echo getSecurityTokenValue(); ?>">
<?php
if (isset($_GET['savedSuccessfully'])) {
$message = new htmlStatusMessage("INFO", _("PDF structure was successfully saved."), htmlspecialchars($_GET['savedSuccessfully']));
@ -294,6 +299,7 @@ include '../main_header.php';
$container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1'));
$container->addElement(new htmlHiddenInput('scope', $scope), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -340,6 +346,7 @@ include '../main_header.php';
$container->addElement($exportPasswd);
$container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1'), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -354,6 +361,7 @@ echo '<div id="deleteProfileDialog" class="hidden"><form id="deleteProfileForm"
echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">';
echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">';
echo '<input type="hidden" name="deleteProfile" value="true">';
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo '</form></div>';
include '../main_footer.php';
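Review bot: In the hunk headed `checkIfToolIsActive('toolPDFEditor')`, the `if (!empty($_POST))` block is placed before `setlanguage();`, whereas every other script in this commit calls validateSecurityToken() after setlanguage(); if the helper emits a localized message on failure, it would be untranslated on this page only. Moving the three-line block below `setlanguage();` makes the order uniform across the commit. The template hunk further down prints the token with `<?php echo getSecurityTokenValue(); ?>` inside a form that is `multipart/form-data`, which is the case where a file-only POST leaves `$_POST` empty and bypasses the `!empty($_POST)` gate, so a `$_SERVER['REQUEST_METHOD'] === 'POST'` gate matters most here.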


@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner
2007 - 2014 Roland Gruber
2007 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -55,6 +55,10 @@ checkIfToolIsActive('toolPDFEditor');
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// check if user is logged in, if not go to login
if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
metaRefresh("../login.php");
@ -643,6 +647,7 @@ $buttonContainer->addElement(new htmlHiddenInput('modules', $modules));
$buttonContainer->addElement(new htmlHiddenInput('type', $_GET['type']));
$container->addElement($buttonContainer, true);
addSecurityTokenToMetaHTML($container);
$tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, $_GET['type']);
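Review bot: In the hunk headed `checkIfToolIsActive('toolPDFEditor')`, the token is validated before the login check `if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server())`, so an unauthenticated POST reaches validateSecurityToken() with a session that has no LDAP login; what the helper does when the session holds no token is not visible in this commit. The sections headed `if (!isLoggedIn())` put the login check first and the token check after it, and moving the `if (!empty($_POST))` block below the `metaRefresh("../login.php")` branch would match that order. The last section of the commit (the `checkIfToolIsActive('toolProfileEditor')` script that renders `profilepage.php`) has the same ordering and is cut off at the end of this page.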


@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2014 Roland Gruber
Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -47,6 +47,10 @@ checkIfToolIsActive('toolProfileEditor');
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
$types = $_SESSION['config']->get_ActiveTypes();
$profileClasses = array();
$profileClassesTemp = array();
@ -89,6 +93,7 @@ for ($i = 0; $i < sizeof($profileClasses); $i++) {
include '../main_header.php';
echo "<div class=\"user-bright smallPaddingContent\">\n";
echo "<form name=\"profilemainForm\" action=\"profilemain.php\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
$container = new htmlTable();
$container->addElement(new htmlTitle(_("Profile editor")), true);
@ -261,6 +266,7 @@ for ($i = 0; $i < sizeof($profileClasses); $i++) {
$container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1'));
$container->addElement(new htmlHiddenInput('scope', $scope), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -308,6 +314,7 @@ $exportPasswd->setIsPassword(true);
$container->addElement($exportPasswd);
$container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1'), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -322,6 +329,7 @@ echo '<div id="deleteProfileDialog" class="hidden"><form id="deleteProfileForm"
echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">';
echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">';
echo '<input type="hidden" name="deleteProfile" value="true">';
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo '</form></div>';
include '../main_footer.php';
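Review bot: In the hunk headed `for ($i = 0; $i < sizeof($profileClasses); $i++)` and in the deleteProfileDialog hunk, the token is concatenated straight into the `value` attribute, `'value="' . getSecurityTokenValue() . '"'`, without htmlspecialchars(); that is only safe as long as getSecurityTokenValue() is guaranteed to emit attribute-safe characters, and its generator is not part of this commit. Escaping at the output point, `'value="' . htmlspecialchars(getSecurityTokenValue(), ENT_QUOTES) . '"'`, removes that dependency on the generator. The same raw concatenation appears in the delete.php, pdfmain.php and profilepage.php hunks and in accountContainer::printPageHeader; a small helper that returns the complete hidden-input markup would keep all of them consistent.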


@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2014 Roland Gruber
Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -51,6 +51,10 @@ checkIfToolIsActive('toolProfileEditor');
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// check if user is logged in, if not go to login
if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
metaRefresh("../login.php");
@ -169,7 +173,8 @@ elseif (isset($_GET['edit'])) {
}
// display formular
echo ("<form action=\"profilepage.php?type=$type\" method=\"post\">\n");
echo "<form action=\"profilepage.php?type=$type\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
$profName = '';
if (isset($_GET['edit'])) {