Check for CSRF at only one place in the code
This commit is contained in:
parent
deb219d758
commit
b7e69d8b41
|
|
@ -2,11 +2,6 @@
|
|||
|
||||
require "init.php";
|
||||
|
||||
function antiCSRF() {
|
||||
if (!isset($_SERVER['HTTP_SEC_FETCH_SITE']) OR $_SERVER['HTTP_SEC_FETCH_SITE'] !== "same-origin")
|
||||
userError("Anti-CSRF verification failed ! (Wrong or unset Sec-Fetch-Site HTTP header)");
|
||||
}
|
||||
|
||||
// Session initialisation (with cookies)
|
||||
if (
|
||||
isset($_COOKIE['niver-session-key']) // Resume session
|
||||
|
|
@ -75,7 +70,7 @@ $cssFileName = Less_Cache::Get($absoluteLessFiles, $options, THEME);
|
|||
<!DOCTYPE html>
|
||||
<html lang="fr">
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<meta charset="utf-8">
|
||||
<title><?php
|
||||
if (isset($page['title']) AND $page['title'] != "Accueil")
|
||||
echo $page['title'] . " < ";
|
||||
|
|
@ -85,10 +80,8 @@ $cssFileName = Less_Cache::Get($absoluteLessFiles, $options, THEME);
|
|||
<link type="text/css" rel="stylesheet" href="<?= CONF['common']['prefix'] ?>/css/<?= $cssFileName ?>">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<header>
|
||||
|
||||
<nav>
|
||||
<a href="..">Niver</a><?php
|
||||
if (isset($page['service']))
|
||||
|
|
@ -96,15 +89,20 @@ $cssFileName = Less_Cache::Get($absoluteLessFiles, $options, THEME);
|
|||
if (PAGE != "index")
|
||||
echo ' > <a href="' . PAGE . '">' . $page['title'] . "</a>";
|
||||
?>
|
||||
|
||||
</nav>
|
||||
|
||||
<?php if (isset($page['title'])) { ?>
|
||||
<h1><?= $page['title'] ?></h1>
|
||||
<?php } ?>
|
||||
|
||||
</header>
|
||||
<main>
|
||||
|
||||
<?php
|
||||
|
||||
if (isset($page['title']))
|
||||
echo "<h1>" . $page['title'] . "</h1>";
|
||||
|
||||
// Protect against cross-site request forgery if a POST request is received
|
||||
if (empty($_POST) === false AND (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true OR $_SERVER['HTTP_SEC_FETCH_SITE'] !== "same-origin"))
|
||||
userError("Anti-CSRF verification failed ! (Wrong or unset <code>Sec-Fetch-Site</code> HTTP header)");
|
||||
|
||||
function closeHTML() {
|
||||
?>
|
||||
</main>
|
||||
|
|
|
|||
|
|
@ -17,15 +17,14 @@
|
|||
<br>
|
||||
<select required="" name="zone" id="zone">
|
||||
<option value="" disabled="" selected="">-</option>
|
||||
|
||||
<?php
|
||||
$zones = nsListUserZones($_SESSION['username']);
|
||||
|
||||
if (!empty($zones)) {
|
||||
if (!empty($zones))
|
||||
foreach ($zones as $zone)
|
||||
echo "<option value='" . $zone . "'>" . $zone . "</option>";
|
||||
}
|
||||
?>
|
||||
|
||||
</select>
|
||||
</div>
|
||||
</fieldset>
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ html {
|
|||
}
|
||||
|
||||
h1 {
|
||||
text-align: center;
|
||||
font-size: @fontSize + 25px;
|
||||
line-height: @fontSize + 30px
|
||||
}
|
||||
|
|
|
|||
7
ns.php
7
ns.php
|
|
@ -1,15 +1,12 @@
|
|||
<?php
|
||||
|
||||
function nsCommonRequirements() {
|
||||
if (isset($_POST['action'])
|
||||
return (isset($_POST['action'])
|
||||
AND isset($_POST['zone'])
|
||||
AND isset($_POST['ttl-value'])
|
||||
AND isset($_POST['ttl-multiplier'])
|
||||
AND isset($_SESSION['username'])
|
||||
) {
|
||||
antiCSRF();
|
||||
return true;
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
function nsParseCommonRequirements() {
|
||||
|
|
|
|||
|
|
@ -18,8 +18,6 @@ Pas de compte ? <a class="authButton" href="register">En créer un</a>
|
|||
|
||||
if (isset($_POST['username']) AND isset($_POST['password'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
checkPasswordFormat($_POST['password']);
|
||||
|
||||
checkUsernameFormat($_POST['username']);
|
||||
|
|
|
|||
|
|
@ -18,8 +18,6 @@
|
|||
|
||||
if (isset($_SESSION['username']) AND isset($_POST['newPassword']) AND isset($_POST['currentPassword'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
checkPasswordFormat($_POST['newPassword']);
|
||||
|
||||
if (checkPassword($_SESSION['username'], $_POST['currentPassword']) !== true)
|
||||
|
|
|
|||
|
|
@ -4,8 +4,6 @@
|
|||
|
||||
if (isset($_POST['username']) AND isset($_POST['password'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
checkPasswordFormat($_POST['password']);
|
||||
|
||||
checkUsernameFormat($_POST['username']);
|
||||
|
|
|
|||
|
|
@ -30,8 +30,6 @@ if (isset($_SESSION['username'])) {
|
|||
|
||||
if (isset($_POST['dir']) AND isset($_SESSION['username'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
if ($dirsStatuses[$_POST['dir']] !== false)
|
||||
userError("Wrong value for <code>dir</code>.");
|
||||
|
||||
|
|
|
|||
|
|
@ -36,8 +36,6 @@ if (isset($_SESSION['username'])) {
|
|||
|
||||
if (isset($_POST['domain']) AND isset($_POST['dir']) AND isset($_SESSION['username'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
checkDomainFormat($_POST['domain']);
|
||||
|
||||
if ($dirsStatuses[$_POST['dir']] !== false)
|
||||
|
|
|
|||
|
|
@ -22,8 +22,6 @@
|
|||
|
||||
if (isset($_POST['domain']) AND isset($_SESSION['username'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
exec(CONF['ht']['sudo_path'] . " " . CONF['ht']['certbot_path'] . " certonly --dry-run --test-cert --webroot --webroot-path /srv/acme --register-unsafely-without-email --agree-tos --domain " . $_POST['domain'], $output, $returnCode);
|
||||
|
||||
// Log Certbot response
|
||||
|
|
|
|||
|
|
@ -27,8 +27,6 @@ Afin d'activer DNSSEC, vous devez indiquer un enregistrement DS à la zone paren
|
|||
|
||||
if (isset($_POST['zone']) AND isset($_SESSION['username'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
nsCheckZonePossession($_POST['zone']);
|
||||
|
||||
$zoneContent = file_get_contents(CONF['ns']['knot_zones_path'] . "/" . $_POST['zone'] . "zone");
|
||||
|
|
|
|||
|
|
@ -11,8 +11,6 @@
|
|||
|
||||
if (isset($_POST['domain']) AND isset($_SESSION['username'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
checkAbsoluteDomainFormat($_POST['domain']);
|
||||
|
||||
$db = new PDO('sqlite:' . DB_PATH);
|
||||
|
|
|
|||
|
|
@ -70,8 +70,6 @@
|
|||
|
||||
if (isset($_POST['zone']) AND isset($_POST['keytag']) AND isset($_POST['algo']) AND isset($_POST['key']) AND isset($_SESSION['username'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
if (!($_POST['algo'] === "8")
|
||||
AND !($_POST['algo'] === "13")
|
||||
AND !($_POST['algo'] === "14")
|
||||
|
|
|
|||
|
|
@ -43,8 +43,6 @@
|
|||
|
||||
if (isset($_POST['action']) AND isset($_POST['subdomain']) AND isset($_POST['suffix']) AND isset($_POST['ip']) AND isset($_SESSION['username'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
if (in_array($_POST['suffix'], $suffixes) !== true)
|
||||
userError("You don't own this domain.");
|
||||
|
||||
|
|
|
|||
|
|
@ -36,8 +36,6 @@
|
|||
|
||||
if (isset($_POST['domain']) AND isset($_POST['action']) AND isset($_POST['ns']) AND isset($_SESSION['username'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
regCheckDomainPossession($_POST['domain']);
|
||||
checkAbsoluteDomainFormat($_POST['ns']);
|
||||
|
||||
|
|
|
|||
|
|
@ -17,8 +17,6 @@ Ce domaine doit être composé uniquement d'au moins 4 lettres latines non accen
|
|||
|
||||
if (isset($_POST['subdomain']) AND isset($_SESSION['username'])) {
|
||||
|
||||
antiCSRF();
|
||||
|
||||
if (preg_match("/" . CONF['reg']['subdomain_regex'] . "/", $_POST['subdomain']) !== 1)
|
||||
userError("Erreur : Le nom de domaine doit être composé uniquement d'entre 4 et 63 lettres minuscules (a-z)");
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue