WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

added CSRF protection

This commit is contained in:
Roland Gruber 2015-05-15 19:16:46 +00:00
parent 10a47cb134
commit 35846435f4
11 changed files with 77 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lam/lib/modules.inc
View File

@ -1298,6 +1298,9 @@ class accountContainer {
* Prints the header of the account pages. * Prints the header of the account pages.
*/ */
private function printPageHeader() { private function printPageHeader() {
if (!empty($_POST)) {
validateSecurityToken();
}
include '../main_header.php'; include '../main_header.php';
echo '<script type="text/javascript"> echo '<script type="text/javascript">
jQuery(document).ready(function() { jQuery(document).ready(function() {
@ -1306,6 +1309,7 @@ class accountContainer {
</script>'; </script>';
echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n"; echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
echo '<input type="hidden" name="account_randomID" value="' . $this->randomID . '">'; echo '<input type="hidden" name="account_randomID" value="' . $this->randomID . '">';
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
} }
/** /**

8
lam/templates/delete.php
View File

@ -4,7 +4,7 @@
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Tilo Lutz Copyright (C) 2003 - 2006 Tilo Lutz
Copyright (C) 2007 - 2014 Roland Gruber Copyright (C) 2007 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -62,6 +62,10 @@ if (!isLoggedIn()) {
// Set correct language, codepages, .... // Set correct language, codepages, ....
setlanguage(); setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
if (isset($_POST['type']) && !preg_match('/^[a-z0-9_]+$/i', $_POST['type'])) { if (isset($_POST['type']) && !preg_match('/^[a-z0-9_]+$/i', $_POST['type'])) {
logNewMessage(LOG_ERR, 'Invalid type: ' . $_POST['type']); logNewMessage(LOG_ERR, 'Invalid type: ' . $_POST['type']);
die(); die();
@ -90,6 +94,7 @@ if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) {
echo "<div class=\"".$_GET['type']."-bright smallPaddingContent\">"; echo "<div class=\"".$_GET['type']."-bright smallPaddingContent\">";
echo "<br>\n"; echo "<br>\n";
echo "<form action=\"delete.php\" method=\"post\">\n"; echo "<form action=\"delete.php\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo "<input name=\"type\" type=\"hidden\" value=\"" . $_GET['type'] . "\">\n"; echo "<input name=\"type\" type=\"hidden\" value=\"" . $_GET['type'] . "\">\n";
echo "<b>" . _("Do you really want to remove the following accounts?") . "</b>"; echo "<b>" . _("Do you really want to remove the following accounts?") . "</b>";
echo "<br><br>\n"; echo "<br><br>\n";
@ -149,6 +154,7 @@ if (isset($_POST['delete'])) {
// Show HTML Page // Show HTML Page
include 'main_header.php'; include 'main_header.php';
echo "<form action=\"delete.php\" method=\"post\">\n"; echo "<form action=\"delete.php\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo "<input name=\"type\" type=\"hidden\" value=\"" . $_POST['type'] . "\">\n"; echo "<input name=\"type\" type=\"hidden\" value=\"" . $_POST['type'] . "\">\n";
echo "<div class=\"".$_POST['type']."-bright smallPaddingContent\"><br>\n"; echo "<div class=\"".$_POST['type']."-bright smallPaddingContent\"><br>\n";
echo "<br>\n"; echo "<br>\n";

7
lam/templates/initsuff.php
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2013 Roland Gruber Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -46,6 +46,10 @@ if (!checkIfWriteAccessIsAllowed()) {
setlanguage(); setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// check if user already pressed button // check if user already pressed button
if (isset($_POST['add_suff']) || isset($_POST['cancel'])) { if (isset($_POST['add_suff']) || isset($_POST['cancel'])) {
if (isset($_POST['add_suff'])) { if (isset($_POST['add_suff'])) {
@ -191,6 +195,7 @@ include 'main_header.php';
$buttonContainer->addElement(new htmlButton('cancel', _("Cancel"))); $buttonContainer->addElement(new htmlButton('cancel', _("Cancel")));
$buttonContainer->addElement(new htmlHiddenInput('new_suff', implode(";", $new_suff))); $buttonContainer->addElement(new htmlHiddenInput('new_suff', implode(";", $new_suff)));
$container->addElement($buttonContainer); $container->addElement($buttonContainer);
addSecurityTokenToMetaHTML($container);
$tabindex = 1; $tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, 'user'); parseHtml(null, $container, array(), false, $tabindex, 'user');

7
lam/templates/massBuildAccounts.php
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2004 - 2014 Roland Gruber Copyright (C) 2004 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -56,6 +56,10 @@ if (!isLoggedIn()) {
// Set correct language, codepages, .... // Set correct language, codepages, ....
setlanguage(); setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// show LDIF if requested // show LDIF if requested
if (isset($_GET['showldif'])) { if (isset($_GET['showldif'])) {
//download file //download file
@ -258,6 +262,7 @@ else {
massPrintBackButton($scope, $selectedModules, $container); massPrintBackButton($scope, $selectedModules, $container);
} }
addSecurityTokenToMetaHTML($container);
$tabindex = 1; $tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, $scope); parseHtml(null, $container, array(), false, $tabindex, $scope);

8
lam/templates/masscreate.php
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2004 - 2013 Roland Gruber Copyright (C) 2004 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -60,6 +60,10 @@ if (!isLoggedIn()) {
// Set correct language, codepages, .... // Set correct language, codepages, ....
setlanguage(); setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// show CSV if requested // show CSV if requested
if (isset($_GET['getCSV'])) { if (isset($_GET['getCSV'])) {
//download file //download file
@ -211,6 +215,7 @@ if (!empty($types)) {
$table->addElement(new htmlButton('submit', _('Ok')), true); $table->addElement(new htmlButton('submit', _('Ok')), true);
} }
addSecurityTokenToMetaHTML($table);
parseHtml(null, $table, array(), false, $tabindex, 'user'); parseHtml(null, $table, array(), false, $tabindex, 'user');
?> ?>
<script type="text/javascript"> <script type="text/javascript">
@ -434,6 +439,7 @@ function showMainPage($scope, $selectedModules) {
} }
$container->addElement($columnContainer, true); $container->addElement($columnContainer, true);
addSecurityTokenToMetaHTML($container);
$tabindex = 1; $tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, $scope); parseHtml(null, $container, array(), false, $tabindex, $scope);

9
lam/templates/multiEdit.php
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2013 Roland Gruber Copyright (C) 2013 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -47,6 +47,10 @@ checkIfToolIsActive('toolMultiEdit');
setlanguage(); setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
define('ADD', 'add'); define('ADD', 'add');
define('MOD', 'mod'); define('MOD', 'mod');
define('DEL', 'del'); define('DEL', 'del');
@ -71,7 +75,7 @@ function displayStartPage() {
// display main page // display main page
include 'main_header.php'; include 'main_header.php';
echo '<div class="user-bright smallPaddingContent">'; echo '<div class="user-bright smallPaddingContent">';
echo ("<form action=\"multiEdit.php\" method=\"post\">\n"); echo "<form action=\"multiEdit.php\" method=\"post\">\n";
$errors = array(); $errors = array();
$tabindex = 1; $tabindex = 1;
$container = new htmlTable(); $container = new htmlTable();
@ -174,6 +178,7 @@ function displayStartPage() {
runActions($container); runActions($container);
} }
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user'); parseHtml(null, $container, array(), false, $tabindex, 'user');
echo ("</form>\n"); echo ("</form>\n");

10
lam/templates/ou_edit.php
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2012 Roland Gruber Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -47,6 +47,10 @@ checkIfToolIsActive('toolOUEditor');
setlanguage(); setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
$types = $_SESSION['config']->get_ActiveTypes(); $types = $_SESSION['config']->get_ActiveTypes();
// check if deletion was canceled // check if deletion was canceled
@ -121,6 +125,7 @@ if (isset($_POST['createOU']) || isset($_POST['deleteOU'])) {
$container->addElement(new htmlButton('abort', _("Cancel"))); $container->addElement(new htmlButton('abort', _("Cancel")));
$container->addElement(new htmlHiddenInput('deleteOU', 'submit')); $container->addElement(new htmlHiddenInput('deleteOU', 'submit'));
$container->addElement(new htmlHiddenInput('deletename', $_POST['deleteableOU'])); $container->addElement(new htmlHiddenInput('deletename', $_POST['deleteableOU']));
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user'); parseHtml(null, $container, array(), false, $tabindex, 'user');
echo "</form>"; echo "</form>";
echo '</div>'; echo '</div>';
@ -145,7 +150,7 @@ function display_main($message, $error) {
// display main page // display main page
include 'main_header.php'; include 'main_header.php';
echo '<div class="user-bright smallPaddingContent">'; echo '<div class="user-bright smallPaddingContent">';
echo ("<form action=\"ou_edit.php\" method=\"post\">\n"); echo "<form action=\"ou_edit.php\" method=\"post\">\n";
$tabindex = 1; $tabindex = 1;
$container = new htmlTable(); $container = new htmlTable();
@ -208,6 +213,7 @@ function display_main($message, $error) {
$container->addElement(new htmlHelpLink('602'), true); $container->addElement(new htmlHelpLink('602'), true);
} }
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user'); parseHtml(null, $container, array(), false, $tabindex, 'user');
echo ("</form>\n"); echo ("</form>\n");
echo '</div>'; echo '</div>';

10
lam/templates/pdfedit/pdfmain.php
View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner Copyright (C) 2003 - 2006 Michael Duergner
2005 - 2014 Roland Gruber 2005 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -49,6 +49,10 @@ if (!checkIfWriteAccessIsAllowed()) die();
checkIfToolIsActive('toolPDFEditor'); checkIfToolIsActive('toolPDFEditor');
if (!empty($_POST)) {
validateSecurityToken();
}
setlanguage(); setlanguage();
// Unset pdf structure definitions in session if set // Unset pdf structure definitions in session if set
@ -163,6 +167,7 @@ include '../main_header.php';
?> ?>
<div class="user-bright smallPaddingContent"> <div class="user-bright smallPaddingContent">
<form enctype="multipart/form-data" action="pdfmain.php" method="post" name="pdfmainForm" > <form enctype="multipart/form-data" action="pdfmain.php" method="post" name="pdfmainForm" >
<input type="hidden" name="<?php echo getSecurityTokenName(); ?>" value="<?php echo getSecurityTokenValue(); ?>">
<?php <?php
if (isset($_GET['savedSuccessfully'])) { if (isset($_GET['savedSuccessfully'])) {
$message = new htmlStatusMessage("INFO", _("PDF structure was successfully saved."), htmlspecialchars($_GET['savedSuccessfully'])); $message = new htmlStatusMessage("INFO", _("PDF structure was successfully saved."), htmlspecialchars($_GET['savedSuccessfully']));
@ -294,6 +299,7 @@ include '../main_header.php';
$container->addElement(new htmlHelpLink('236')); $container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1')); $container->addElement(new htmlHiddenInput('importexport', '1'));
$container->addElement(new htmlHiddenInput('scope', $scope), true); $container->addElement(new htmlHiddenInput('scope', $scope), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user'); parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -340,6 +346,7 @@ include '../main_header.php';
$container->addElement($exportPasswd); $container->addElement($exportPasswd);
$container->addElement(new htmlHelpLink('236')); $container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1'), true); $container->addElement(new htmlHiddenInput('importexport', '1'), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user'); parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -354,6 +361,7 @@ echo '<div id="deleteProfileDialog" class="hidden"><form id="deleteProfileForm"
echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">'; echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">';
echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">'; echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">';
echo '<input type="hidden" name="deleteProfile" value="true">'; echo '<input type="hidden" name="deleteProfile" value="true">';
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo '</form></div>'; echo '</form></div>';
include '../main_footer.php'; include '../main_footer.php';

7
lam/templates/pdfedit/pdfpage.php
View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner Copyright (C) 2003 - 2006 Michael Duergner
2007 - 2014 Roland Gruber 2007 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -55,6 +55,10 @@ checkIfToolIsActive('toolPDFEditor');
setlanguage(); setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// check if user is logged in, if not go to login // check if user is logged in, if not go to login
if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) { if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
metaRefresh("../login.php"); metaRefresh("../login.php");
@ -643,6 +647,7 @@ $buttonContainer->addElement(new htmlHiddenInput('modules', $modules));
$buttonContainer->addElement(new htmlHiddenInput('type', $_GET['type'])); $buttonContainer->addElement(new htmlHiddenInput('type', $_GET['type']));
$container->addElement($buttonContainer, true); $container->addElement($buttonContainer, true);
addSecurityTokenToMetaHTML($container);
$tabindex = 1; $tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, $_GET['type']); parseHtml(null, $container, array(), false, $tabindex, $_GET['type']);

10
lam/templates/profedit/profilemain.php
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2014 Roland Gruber Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -47,6 +47,10 @@ checkIfToolIsActive('toolProfileEditor');
setlanguage(); setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
$types = $_SESSION['config']->get_ActiveTypes(); $types = $_SESSION['config']->get_ActiveTypes();
$profileClasses = array(); $profileClasses = array();
$profileClassesTemp = array(); $profileClassesTemp = array();
@ -89,6 +93,7 @@ for ($i = 0; $i < sizeof($profileClasses); $i++) {
include '../main_header.php'; include '../main_header.php';
echo "<div class=\"user-bright smallPaddingContent\">\n"; echo "<div class=\"user-bright smallPaddingContent\">\n";
echo "<form name=\"profilemainForm\" action=\"profilemain.php\" method=\"post\">\n"; echo "<form name=\"profilemainForm\" action=\"profilemain.php\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
$container = new htmlTable(); $container = new htmlTable();
$container->addElement(new htmlTitle(_("Profile editor")), true); $container->addElement(new htmlTitle(_("Profile editor")), true);
@ -261,6 +266,7 @@ for ($i = 0; $i < sizeof($profileClasses); $i++) {
$container->addElement(new htmlHelpLink('236')); $container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1')); $container->addElement(new htmlHiddenInput('importexport', '1'));
$container->addElement(new htmlHiddenInput('scope', $scope), true); $container->addElement(new htmlHiddenInput('scope', $scope), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user'); parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -308,6 +314,7 @@ $exportPasswd->setIsPassword(true);
$container->addElement($exportPasswd); $container->addElement($exportPasswd);
$container->addElement(new htmlHelpLink('236')); $container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1'), true); $container->addElement(new htmlHiddenInput('importexport', '1'), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user'); parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -322,6 +329,7 @@ echo '<div id="deleteProfileDialog" class="hidden"><form id="deleteProfileForm"
echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">'; echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">';
echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">'; echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">';
echo '<input type="hidden" name="deleteProfile" value="true">'; echo '<input type="hidden" name="deleteProfile" value="true">';
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo '</form></div>'; echo '</form></div>';
include '../main_footer.php'; include '../main_footer.php';

9
lam/templates/profedit/profilepage.php
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2014 Roland Gruber Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -51,6 +51,10 @@ checkIfToolIsActive('toolProfileEditor');
setlanguage(); setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// check if user is logged in, if not go to login // check if user is logged in, if not go to login
if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) { if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
metaRefresh("../login.php"); metaRefresh("../login.php");
@ -169,7 +173,8 @@ elseif (isset($_GET['edit'])) {
} }
// display formular // display formular
echo ("<form action=\"profilepage.php?type=$type\" method=\"post\">\n"); echo "<form action=\"profilepage.php?type=$type\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
$profName = ''; $profName = '';
if (isset($_GET['edit'])) { if (isset($_GET['edit'])) {