added CSRF protection
parent
10a47cb134
commit
35846435f4
|
@ -1298,6 +1298,9 @@ class accountContainer {
|
|||
* Prints the header of the account pages.
|
||||
*/
|
||||
private function printPageHeader() {
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
include '../main_header.php';
|
||||
echo '<script type="text/javascript">
|
||||
jQuery(document).ready(function() {
|
||||
|
@ -1306,6 +1309,7 @@ class accountContainer {
|
|||
</script>';
|
||||
echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
|
||||
echo '<input type="hidden" name="account_randomID" value="' . $this->randomID . '">';
|
||||
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
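Review bot: The new guard in printPageHeader() runs validateSecurityToken() only when `$_POST` is non-empty, so a POST whose body PHP discarded (larger than post_max_size) or a multipart body carrying only file parts reaches the page without any token check; gate on the method instead, `if ($_SERVER['REQUEST_METHOD'] === 'POST') { validateSecurityToken(); }`. Placing the check inside the header printer also means that any `$_POST` handling a caller does before it invokes printPageHeader() runs unvalidated; the callers are outside this hunk, so this may be harmless today, but a CSRF check belongs at request entry (edit.php) rather than in output code. The enclosing class starts before this hunk.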
@ -4,7 +4,7 @@
|
|||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2006 Tilo Lutz
|
||||
Copyright (C) 2007 - 2014 Roland Gruber
|
||||
Copyright (C) 2007 - 2015 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -62,6 +62,10 @@ if (!isLoggedIn()) {
|
|||
// Set correct language, codepages, ....
|
||||
setlanguage();
|
||||
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
|
||||
if (isset($_POST['type']) && !preg_match('/^[a-z0-9_]+$/i', $_POST['type'])) {
|
||||
logNewMessage(LOG_ERR, 'Invalid type: ' . $_POST['type']);
|
||||
die();
|
||||
|
@ -90,6 +94,7 @@ if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) {
|
|||
echo "<div class=\"".$_GET['type']."-bright smallPaddingContent\">";
|
||||
echo "<br>\n";
|
||||
echo "<form action=\"delete.php\" method=\"post\">\n";
|
||||
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
|
||||
echo "<input name=\"type\" type=\"hidden\" value=\"" . $_GET['type'] . "\">\n";
|
||||
echo "<b>" . _("Do you really want to remove the following accounts?") . "</b>";
|
||||
echo "<br><br>\n";
|
||||
|
@ -149,6 +154,7 @@ if (isset($_POST['delete'])) {
|
|||
// Show HTML Page
|
||||
include 'main_header.php';
|
||||
echo "<form action=\"delete.php\" method=\"post\">\n";
|
||||
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
|
||||
echo "<input name=\"type\" type=\"hidden\" value=\"" . $_POST['type'] . "\">\n";
|
||||
echo "<div class=\"".$_POST['type']."-bright smallPaddingContent\"><br>\n";
|
||||
echo "<br>\n";
|
||||
|
|
|
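Review bot: The check added at the top of delete.php is gated on `!empty($_POST)` rather than on the request method, so a POST with an empty or discarded body (post_max_size) is handled like a GET; `if ($_SERVER['REQUEST_METHOD'] === 'POST') { validateSecurityToken(); }` is the robust form. Separately, the regex guard that follows only covers `$_POST['type']`, while the confirmation branch below echoes `$_GET['type']` unescaped into a class attribute and a hidden input; unless that value is validated above the hunk, the same `preg_match('/^[a-z0-9_]+$/i', $_GET['type'])` guard should apply to it as well. That reflection is pre-existing, not introduced here, but this commit is the natural place to close it.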
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2013 Roland Gruber
|
||||
Copyright (C) 2003 - 2015 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -46,6 +46,10 @@ if (!checkIfWriteAccessIsAllowed()) {
|
|||
|
||||
setlanguage();
|
||||
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
|
||||
// check if user already pressed button
|
||||
if (isset($_POST['add_suff']) || isset($_POST['cancel'])) {
|
||||
if (isset($_POST['add_suff'])) {
|
||||
|
@ -191,6 +195,7 @@ include 'main_header.php';
|
|||
$buttonContainer->addElement(new htmlButton('cancel', _("Cancel")));
|
||||
$buttonContainer->addElement(new htmlHiddenInput('new_suff', implode(";", $new_suff)));
|
||||
$container->addElement($buttonContainer);
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
|
||||
$tabindex = 1;
|
||||
parseHtml(null, $container, array(), false, $tabindex, 'user');
|
||||
|
|
|
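Review bot: The token check here keys on `!empty($_POST)`; a method test, `if ($_SERVER['REQUEST_METHOD'] === 'POST')`, avoids treating an oversized or field-less POST as a GET. The hidden token is attached with `addSecurityTokenToMetaHTML($container)` and rendered by parseHtml(), but the `<form>` that wraps this container is outside the hunk; the field only protects the Ok/Cancel post if it lands inside that form, which is worth confirming.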
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2004 - 2014 Roland Gruber
|
||||
Copyright (C) 2004 - 2015 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -56,6 +56,10 @@ if (!isLoggedIn()) {
|
|||
// Set correct language, codepages, ....
|
||||
setlanguage();
|
||||
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
|
||||
// show LDIF if requested
|
||||
if (isset($_GET['showldif'])) {
|
||||
//download file
|
||||
|
@ -258,6 +262,7 @@ else {
|
|||
massPrintBackButton($scope, $selectedModules, $container);
|
||||
}
|
||||
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
$tabindex = 1;
|
||||
parseHtml(null, $container, array(), false, $tabindex, $scope);
|
||||
|
||||
|
|
|
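Review bot: The `$_GET['showldif']` branch immediately below the new check serves its download on GET and is therefore not covered by the token; that is fine if it only reads session state, but if the branch also clears the upload data from the session (its body is outside the hunk) that is a state change reachable by a cross-site GET and should be a POST. As elsewhere in the commit, `!empty($_POST)` should be `$_SERVER['REQUEST_METHOD'] === 'POST'` so a POST with a discarded body is not mistaken for a GET.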
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2004 - 2013 Roland Gruber
|
||||
Copyright (C) 2004 - 2015 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -60,6 +60,10 @@ if (!isLoggedIn()) {
|
|||
// Set correct language, codepages, ....
|
||||
setlanguage();
|
||||
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
|
||||
// show CSV if requested
|
||||
if (isset($_GET['getCSV'])) {
|
||||
//download file
|
||||
|
@ -211,6 +215,7 @@ if (!empty($types)) {
|
|||
$table->addElement(new htmlButton('submit', _('Ok')), true);
|
||||
}
|
||||
|
||||
addSecurityTokenToMetaHTML($table);
|
||||
parseHtml(null, $table, array(), false, $tabindex, 'user');
|
||||
?>
|
||||
<script type="text/javascript">
|
||||
|
@ -434,6 +439,7 @@ function showMainPage($scope, $selectedModules) {
|
|||
}
|
||||
$container->addElement($columnContainer, true);
|
||||
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
$tabindex = 1;
|
||||
parseHtml(null, $container, array(), false, $tabindex, $scope);
|
||||
|
||||
|
|
|
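Review bot: This page accepts a multipart file upload, which is exactly the case where `!empty($_POST)` is a poor proxy for "this is a POST": when the upload exceeds post_max_size PHP empties both `$_POST` and `$_FILES`, and a multipart body containing only file parts leaves `$_POST` empty while `$_FILES` is populated, so such requests skip validateSecurityToken(). Use `if ($_SERVER['REQUEST_METHOD'] === 'POST') { validateSecurityToken(); }`. Adding the token to both `$table` and `$container` looks right, as they appear to be rendered on separate paths (`$table` here, `$container` in showMainPage()).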
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2013 Roland Gruber
|
||||
Copyright (C) 2013 - 2015 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -47,6 +47,10 @@ checkIfToolIsActive('toolMultiEdit');
|
|||
|
||||
setlanguage();
|
||||
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
|
||||
define('ADD', 'add');
|
||||
define('MOD', 'mod');
|
||||
define('DEL', 'del');
|
||||
|
@ -71,7 +75,7 @@ function displayStartPage() {
|
|||
// display main page
|
||||
include 'main_header.php';
|
||||
echo '<div class="user-bright smallPaddingContent">';
|
||||
echo ("<form action=\"multiEdit.php\" method=\"post\">\n");
|
||||
echo "<form action=\"multiEdit.php\" method=\"post\">\n";
|
||||
$errors = array();
|
||||
$tabindex = 1;
|
||||
$container = new htmlTable();
|
||||
|
@ -174,6 +178,7 @@ function displayStartPage() {
|
|||
runActions($container);
|
||||
}
|
||||
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
|
||||
parseHtml(null, $container, array(), false, $tabindex, 'user');
|
||||
echo ("</form>\n");
|
||||
|
|
|
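Review bot: The top-level check in multiEdit.php is gated on `!empty($_POST)`; switch it to `$_SERVER['REQUEST_METHOD'] === 'POST'` so an oversized or field-less POST is still validated. The ordering looks correct as far as the hunks show: the check runs at file scope before displayStartPage() can call `runActions($container)`, but that call site is outside the hunk, so it is worth confirming nothing in displayStartPage() is reached on a path that bypasses the top of the file. The `echo (...)` to `echo ...` change on the form line is cosmetic.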
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2012 Roland Gruber
|
||||
Copyright (C) 2003 - 2015 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -47,6 +47,10 @@ checkIfToolIsActive('toolOUEditor');
|
|||
|
||||
setlanguage();
|
||||
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
|
||||
$types = $_SESSION['config']->get_ActiveTypes();
|
||||
|
||||
// check if deletion was canceled
|
||||
|
@ -120,7 +124,8 @@ if (isset($_POST['createOU']) || isset($_POST['deleteOU'])) {
|
|||
$container->addElement(new htmlButton('sure', _("Delete")));
|
||||
$container->addElement(new htmlButton('abort', _("Cancel")));
|
||||
$container->addElement(new htmlHiddenInput('deleteOU', 'submit'));
|
||||
$container->addElement(new htmlHiddenInput('deletename', $_POST['deleteableOU']));
|
||||
$container->addElement(new htmlHiddenInput('deletename', $_POST['deleteableOU']));
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
parseHtml(null, $container, array(), false, $tabindex, 'user');
|
||||
echo "</form>";
|
||||
echo '</div>';
|
||||
|
@ -145,7 +150,7 @@ function display_main($message, $error) {
|
|||
// display main page
|
||||
include 'main_header.php';
|
||||
echo '<div class="user-bright smallPaddingContent">';
|
||||
echo ("<form action=\"ou_edit.php\" method=\"post\">\n");
|
||||
echo "<form action=\"ou_edit.php\" method=\"post\">\n";
|
||||
|
||||
$tabindex = 1;
|
||||
$container = new htmlTable();
|
||||
|
@ -208,6 +213,7 @@ function display_main($message, $error) {
|
|||
$container->addElement(new htmlHelpLink('602'), true);
|
||||
}
|
||||
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
parseHtml(null, $container, array(), false, $tabindex, 'user');
|
||||
echo ("</form>\n");
|
||||
echo '</div>';
|
||||
|
|
|
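Review bot: As in the other pages, the gate `if (!empty($_POST))` should be `if ($_SERVER['REQUEST_METHOD'] === 'POST')` so a POST whose body PHP discarded cannot slip past validateSecurityToken(). The two-step delete (deleteOU post, then a confirmation form that now carries the token and re-posts `deletename`) is covered by the check on both steps. The confirmation form copies `$_POST['deleteableOU']` into htmlHiddenInput; that is only as safe as the attribute escaping inside htmlHiddenInput, which is outside this hunk and worth confirming.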
@ -4,7 +4,7 @@ $Id$
|
|||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2006 Michael Duergner
|
||||
2005 - 2014 Roland Gruber
|
||||
2005 - 2015 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -49,6 +49,10 @@ if (!checkIfWriteAccessIsAllowed()) die();
|
|||
|
||||
checkIfToolIsActive('toolPDFEditor');
|
||||
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
|
||||
setlanguage();
|
||||
|
||||
// Unset pdf structure definitions in session if set
|
||||
|
@ -163,6 +167,7 @@ include '../main_header.php';
|
|||
?>
|
||||
<div class="user-bright smallPaddingContent">
|
||||
<form enctype="multipart/form-data" action="pdfmain.php" method="post" name="pdfmainForm" >
|
||||
<input type="hidden" name="<?php echo getSecurityTokenName(); ?>" value="<?php echo getSecurityTokenValue(); ?>">
|
||||
<?php
|
||||
if (isset($_GET['savedSuccessfully'])) {
|
||||
$message = new htmlStatusMessage("INFO", _("PDF structure was successfully saved."), htmlspecialchars($_GET['savedSuccessfully']));
|
||||
|
@ -294,6 +299,7 @@ include '../main_header.php';
|
|||
$container->addElement(new htmlHelpLink('236'));
|
||||
$container->addElement(new htmlHiddenInput('importexport', '1'));
|
||||
$container->addElement(new htmlHiddenInput('scope', $scope), true);
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
|
||||
parseHtml(null, $container, array(), false, $tabindex, 'user');
|
||||
|
||||
|
@ -340,6 +346,7 @@ include '../main_header.php';
|
|||
$container->addElement($exportPasswd);
|
||||
$container->addElement(new htmlHelpLink('236'));
|
||||
$container->addElement(new htmlHiddenInput('importexport', '1'), true);
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
|
||||
parseHtml(null, $container, array(), false, $tabindex, 'user');
|
||||
|
||||
|
@ -354,6 +361,7 @@ echo '<div id="deleteProfileDialog" class="hidden"><form id="deleteProfileForm"
|
|||
echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">';
|
||||
echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">';
|
||||
echo '<input type="hidden" name="deleteProfile" value="true">';
|
||||
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
|
||||
echo '</form></div>';
|
||||
|
||||
include '../main_footer.php';
|
||||
|
|
|
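Review bot: In pdfmain.php the new `validateSecurityToken()` block is placed before `setlanguage()`, whereas every other page in this commit calls it after; if the failure path of validateSecurityToken() renders a message through `_()` it will be produced before the locale is set. Move the `if (!empty($_POST)) { validateSecurityToken(); }` block below `setlanguage();` so the files agree, and gate on `$_SERVER['REQUEST_METHOD'] === 'POST'` rather than on `!empty($_POST)`. The token is correctly emitted in the main form, both import/export containers and the hidden deleteProfileForm.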
@ -4,7 +4,7 @@ $Id$
|
|||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2006 Michael Duergner
|
||||
2007 - 2014 Roland Gruber
|
||||
2007 - 2015 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -55,6 +55,10 @@ checkIfToolIsActive('toolPDFEditor');
|
|||
|
||||
setlanguage();
|
||||
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
|
||||
// check if user is logged in, if not go to login
|
||||
if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
|
||||
metaRefresh("../login.php");
|
||||
|
@ -643,6 +647,7 @@ $buttonContainer->addElement(new htmlHiddenInput('modules', $modules));
|
|||
$buttonContainer->addElement(new htmlHiddenInput('type', $_GET['type']));
|
||||
|
||||
$container->addElement($buttonContainer, true);
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
|
||||
$tabindex = 1;
|
||||
parseHtml(null, $container, array(), false, $tabindex, $_GET['type']);
|
||||
|
|
|
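Review bot: validateSecurityToken() now runs before the login check `if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server())`, so an unauthenticated POST is answered by the token routine rather than redirected to login, and the routine presumably compares against a session token that may not exist yet. Move the `if (!empty($_POST)) { validateSecurityToken(); }` block below the `metaRefresh("../login.php")` branch, and gate it on `$_SERVER['REQUEST_METHOD'] === 'POST'`. The later hunk still feeds `$_GET['type']` straight into htmlHiddenInput and parseHtml; unless it is validated above the hunk that remains a pre-existing reflection point, independent of CSRF.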
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2014 Roland Gruber
|
||||
Copyright (C) 2003 - 2015 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -47,6 +47,10 @@ checkIfToolIsActive('toolProfileEditor');
|
|||
|
||||
setlanguage();
|
||||
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
|
||||
$types = $_SESSION['config']->get_ActiveTypes();
|
||||
$profileClasses = array();
|
||||
$profileClassesTemp = array();
|
||||
|
@ -89,6 +93,7 @@ for ($i = 0; $i < sizeof($profileClasses); $i++) {
|
|||
include '../main_header.php';
|
||||
echo "<div class=\"user-bright smallPaddingContent\">\n";
|
||||
echo "<form name=\"profilemainForm\" action=\"profilemain.php\" method=\"post\">\n";
|
||||
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
|
||||
|
||||
$container = new htmlTable();
|
||||
$container->addElement(new htmlTitle(_("Profile editor")), true);
|
||||
|
@ -261,6 +266,7 @@ for ($i = 0; $i < sizeof($profileClasses); $i++) {
|
|||
$container->addElement(new htmlHelpLink('236'));
|
||||
$container->addElement(new htmlHiddenInput('importexport', '1'));
|
||||
$container->addElement(new htmlHiddenInput('scope', $scope), true);
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
|
||||
parseHtml(null, $container, array(), false, $tabindex, 'user');
|
||||
|
||||
|
@ -308,6 +314,7 @@ $exportPasswd->setIsPassword(true);
|
|||
$container->addElement($exportPasswd);
|
||||
$container->addElement(new htmlHelpLink('236'));
|
||||
$container->addElement(new htmlHiddenInput('importexport', '1'), true);
|
||||
addSecurityTokenToMetaHTML($container);
|
||||
|
||||
parseHtml(null, $container, array(), false, $tabindex, 'user');
|
||||
|
||||
|
@ -322,6 +329,7 @@ echo '<div id="deleteProfileDialog" class="hidden"><form id="deleteProfileForm"
|
|||
echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">';
|
||||
echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">';
|
||||
echo '<input type="hidden" name="deleteProfile" value="true">';
|
||||
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
|
||||
echo '</form></div>';
|
||||
|
||||
include '../main_footer.php';
|
||||
|
|
|
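Review bot: The check at the top of profilemain.php is gated on `!empty($_POST)`; use `if ($_SERVER['REQUEST_METHOD'] === 'POST') { validateSecurityToken(); }` so a POST with a discarded or field-less body is still validated. Tokens are emitted in four places on this page (`profilemainForm`, the two import/export containers, and the hidden deleteProfileForm); if the import/export containers render inside `profilemainForm` rather than in forms of their own (not visible here) the main form submits duplicate token fields, which is harmless only if validateSecurityToken() reads a single `$_POST` key.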
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2014 Roland Gruber
|
||||
Copyright (C) 2003 - 2015 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -51,6 +51,10 @@ checkIfToolIsActive('toolProfileEditor');
|
|||
|
||||
setlanguage();
|
||||
|
||||
if (!empty($_POST)) {
|
||||
validateSecurityToken();
|
||||
}
|
||||
|
||||
// check if user is logged in, if not go to login
|
||||
if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
|
||||
metaRefresh("../login.php");
|
||||
|
@ -169,7 +173,8 @@ elseif (isset($_GET['edit'])) {
|
|||
}
|
||||
|
||||
// display formular
|
||||
echo ("<form action=\"profilepage.php?type=$type\" method=\"post\">\n");
|
||||
echo "<form action=\"profilepage.php?type=$type\" method=\"post\">\n";
|
||||
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
|
||||
|
||||
$profName = '';
|
||||
if (isset($_GET['edit'])) {
|
||||
|
|
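Review bot: As in pdfpage.php, the token check precedes the login check `if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server())`, so an unauthenticated POST hits validateSecurityToken() before it can be redirected to login; move the `if (!empty($_POST)) { validateSecurityToken(); }` block below the `metaRefresh("../login.php")` branch and gate it on `$_SERVER['REQUEST_METHOD'] === 'POST'`. The form action `profilepage.php?type=$type` interpolates `$type` into an attribute; where `$type` comes from and whether it is validated is outside the hunk, so confirm it is restricted to a known type name before it reaches HTML.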