added CSRF protection

This commit is contained in:
Roland Gruber 2015-05-15 19:16:46 +00:00
parent 10a47cb134
commit 35846435f4
11 changed files with 77 additions and 14 deletions

View File

@ -1298,6 +1298,9 @@ class accountContainer {
* Prints the header of the account pages.
*/
private function printPageHeader() {
if (!empty($_POST)) {
validateSecurityToken();
}
include '../main_header.php';
echo '<script type="text/javascript">
jQuery(document).ready(function() {
@ -1306,6 +1309,7 @@ class accountContainer {
</script>';
echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
echo '<input type="hidden" name="account_randomID" value="' . $this->randomID . '">';
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
}
/**

View File

@ -4,7 +4,7 @@
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Tilo Lutz
Copyright (C) 2007 - 2014 Roland Gruber
Copyright (C) 2007 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -62,6 +62,10 @@ if (!isLoggedIn()) {
// Set correct language, codepages, ....
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
if (isset($_POST['type']) && !preg_match('/^[a-z0-9_]+$/i', $_POST['type'])) {
logNewMessage(LOG_ERR, 'Invalid type: ' . $_POST['type']);
die();
@ -90,6 +94,7 @@ if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) {
echo "<div class=\"".$_GET['type']."-bright smallPaddingContent\">";
echo "<br>\n";
echo "<form action=\"delete.php\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo "<input name=\"type\" type=\"hidden\" value=\"" . $_GET['type'] . "\">\n";
echo "<b>" . _("Do you really want to remove the following accounts?") . "</b>";
echo "<br><br>\n";
@ -149,6 +154,7 @@ if (isset($_POST['delete'])) {
// Show HTML Page
include 'main_header.php';
echo "<form action=\"delete.php\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo "<input name=\"type\" type=\"hidden\" value=\"" . $_POST['type'] . "\">\n";
echo "<div class=\"".$_POST['type']."-bright smallPaddingContent\"><br>\n";
echo "<br>\n";

View File

@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2013 Roland Gruber
Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -46,6 +46,10 @@ if (!checkIfWriteAccessIsAllowed()) {
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// check if user already pressed button
if (isset($_POST['add_suff']) || isset($_POST['cancel'])) {
if (isset($_POST['add_suff'])) {
@ -191,6 +195,7 @@ include 'main_header.php';
$buttonContainer->addElement(new htmlButton('cancel', _("Cancel")));
$buttonContainer->addElement(new htmlHiddenInput('new_suff', implode(";", $new_suff)));
$container->addElement($buttonContainer);
addSecurityTokenToMetaHTML($container);
$tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, 'user');

View File

@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2004 - 2014 Roland Gruber
Copyright (C) 2004 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -56,6 +56,10 @@ if (!isLoggedIn()) {
// Set correct language, codepages, ....
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// show LDIF if requested
if (isset($_GET['showldif'])) {
//download file
@ -258,6 +262,7 @@ else {
massPrintBackButton($scope, $selectedModules, $container);
}
addSecurityTokenToMetaHTML($container);
$tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, $scope);

View File

@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2004 - 2013 Roland Gruber
Copyright (C) 2004 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -60,6 +60,10 @@ if (!isLoggedIn()) {
// Set correct language, codepages, ....
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// show CSV if requested
if (isset($_GET['getCSV'])) {
//download file
@ -211,6 +215,7 @@ if (!empty($types)) {
$table->addElement(new htmlButton('submit', _('Ok')), true);
}
addSecurityTokenToMetaHTML($table);
parseHtml(null, $table, array(), false, $tabindex, 'user');
?>
<script type="text/javascript">
@ -434,6 +439,7 @@ function showMainPage($scope, $selectedModules) {
}
$container->addElement($columnContainer, true);
addSecurityTokenToMetaHTML($container);
$tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, $scope);

View File

@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2013 Roland Gruber
Copyright (C) 2013 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -47,6 +47,10 @@ checkIfToolIsActive('toolMultiEdit');
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
define('ADD', 'add');
define('MOD', 'mod');
define('DEL', 'del');
@ -71,7 +75,7 @@ function displayStartPage() {
// display main page
include 'main_header.php';
echo '<div class="user-bright smallPaddingContent">';
echo ("<form action=\"multiEdit.php\" method=\"post\">\n");
echo "<form action=\"multiEdit.php\" method=\"post\">\n";
$errors = array();
$tabindex = 1;
$container = new htmlTable();
@ -174,6 +178,7 @@ function displayStartPage() {
runActions($container);
}
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
echo ("</form>\n");

View File

@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2012 Roland Gruber
Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -47,6 +47,10 @@ checkIfToolIsActive('toolOUEditor');
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
$types = $_SESSION['config']->get_ActiveTypes();
// check if deletion was canceled
@ -121,6 +125,7 @@ if (isset($_POST['createOU']) || isset($_POST['deleteOU'])) {
$container->addElement(new htmlButton('abort', _("Cancel")));
$container->addElement(new htmlHiddenInput('deleteOU', 'submit'));
$container->addElement(new htmlHiddenInput('deletename', $_POST['deleteableOU']));
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
echo "</form>";
echo '</div>';
@ -145,7 +150,7 @@ function display_main($message, $error) {
// display main page
include 'main_header.php';
echo '<div class="user-bright smallPaddingContent">';
echo ("<form action=\"ou_edit.php\" method=\"post\">\n");
echo "<form action=\"ou_edit.php\" method=\"post\">\n";
$tabindex = 1;
$container = new htmlTable();
@ -208,6 +213,7 @@ function display_main($message, $error) {
$container->addElement(new htmlHelpLink('602'), true);
}
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
echo ("</form>\n");
echo '</div>';

View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner
2005 - 2014 Roland Gruber
2005 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -49,6 +49,10 @@ if (!checkIfWriteAccessIsAllowed()) die();
checkIfToolIsActive('toolPDFEditor');
if (!empty($_POST)) {
validateSecurityToken();
}
setlanguage();
// Unset pdf structure definitions in session if set
@ -163,6 +167,7 @@ include '../main_header.php';
?>
<div class="user-bright smallPaddingContent">
<form enctype="multipart/form-data" action="pdfmain.php" method="post" name="pdfmainForm" >
<input type="hidden" name="<?php echo getSecurityTokenName(); ?>" value="<?php echo getSecurityTokenValue(); ?>">
<?php
if (isset($_GET['savedSuccessfully'])) {
$message = new htmlStatusMessage("INFO", _("PDF structure was successfully saved."), htmlspecialchars($_GET['savedSuccessfully']));
@ -294,6 +299,7 @@ include '../main_header.php';
$container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1'));
$container->addElement(new htmlHiddenInput('scope', $scope), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -340,6 +346,7 @@ include '../main_header.php';
$container->addElement($exportPasswd);
$container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1'), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -354,6 +361,7 @@ echo '<div id="deleteProfileDialog" class="hidden"><form id="deleteProfileForm"
echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">';
echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">';
echo '<input type="hidden" name="deleteProfile" value="true">';
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo '</form></div>';
include '../main_footer.php';

View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner
2007 - 2014 Roland Gruber
2007 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -55,6 +55,10 @@ checkIfToolIsActive('toolPDFEditor');
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// check if user is logged in, if not go to login
if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
metaRefresh("../login.php");
@ -643,6 +647,7 @@ $buttonContainer->addElement(new htmlHiddenInput('modules', $modules));
$buttonContainer->addElement(new htmlHiddenInput('type', $_GET['type']));
$container->addElement($buttonContainer, true);
addSecurityTokenToMetaHTML($container);
$tabindex = 1;
parseHtml(null, $container, array(), false, $tabindex, $_GET['type']);

View File

@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2014 Roland Gruber
Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -47,6 +47,10 @@ checkIfToolIsActive('toolProfileEditor');
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
$types = $_SESSION['config']->get_ActiveTypes();
$profileClasses = array();
$profileClassesTemp = array();
@ -89,6 +93,7 @@ for ($i = 0; $i < sizeof($profileClasses); $i++) {
include '../main_header.php';
echo "<div class=\"user-bright smallPaddingContent\">\n";
echo "<form name=\"profilemainForm\" action=\"profilemain.php\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
$container = new htmlTable();
$container->addElement(new htmlTitle(_("Profile editor")), true);
@ -261,6 +266,7 @@ for ($i = 0; $i < sizeof($profileClasses); $i++) {
$container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1'));
$container->addElement(new htmlHiddenInput('scope', $scope), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -308,6 +314,7 @@ $exportPasswd->setIsPassword(true);
$container->addElement($exportPasswd);
$container->addElement(new htmlHelpLink('236'));
$container->addElement(new htmlHiddenInput('importexport', '1'), true);
addSecurityTokenToMetaHTML($container);
parseHtml(null, $container, array(), false, $tabindex, 'user');
@ -322,6 +329,7 @@ echo '<div id="deleteProfileDialog" class="hidden"><form id="deleteProfileForm"
echo '<input id="profileDeleteType" type="hidden" name="profileDeleteType" value="">';
echo '<input id="profileDeleteName" type="hidden" name="profileDeleteName" value="">';
echo '<input type="hidden" name="deleteProfile" value="true">';
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
echo '</form></div>';
include '../main_footer.php';

View File

@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2014 Roland Gruber
Copyright (C) 2003 - 2015 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -51,6 +51,10 @@ checkIfToolIsActive('toolProfileEditor');
setlanguage();
if (!empty($_POST)) {
validateSecurityToken();
}
// check if user is logged in, if not go to login
if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
metaRefresh("../login.php");
@ -169,7 +173,8 @@ elseif (isset($_GET['edit'])) {
}
// display formular
echo ("<form action=\"profilepage.php?type=$type\" method=\"post\">\n");
echo "<form action=\"profilepage.php?type=$type\" method=\"post\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
$profName = '';
if (isset($_GET['edit'])) {