Add antiCSRF() in every form

2021-08-05 14:04:33 +02:00 · 2021-08-05 14:04:33 +02:00 · 6449402763
parent 66f472f678
commit 6449402763
16 changed files with 35 additions and 2 deletions
--- a/auth/login.php
+++ b/auth/login.php
@ -18,6 +18,8 @@ Pas de compte ? <a class="authButton" href="register">En créer un</a>

 if (isset($_POST['username']) AND isset($_POST['password'])) {

+  antiCSRF();
+
  if (!checkPasswordFormat($_POST['password']))
    exit("Le format du mot de passe n'est pas valide !");

--- a/auth/password.php
+++ b/auth/password.php
@ -18,6 +18,8 @@

 if (isset($_SESSION['username']) AND isset($_POST['newPassword']) AND isset($_POST['currentPassword'])) {

+  antiCSRF();
+
  if (checkPassword($_SESSION['username'], $_POST['currentPassword'])) {

    if (!checkPasswordFormat($_POST['newPassword']))
--- a/auth/register.php
+++ b/auth/register.php
@ -4,6 +4,8 @@

 if (isset($_POST['username']) AND isset($_POST['password'])) {

+  antiCSRF();
+
  if (!checkPasswordFormat($_POST['password']))
    exit("Le format du mot de passe n'est pas valide !");

--- a/ht/gemini-domain.php
+++ b/ht/gemini-domain.php
@ -55,6 +55,8 @@

 if (isset($_POST['domain']) AND isset($_POST['dir']) AND isset($_SESSION['username'])) {

+  antiCSRF();
+
  checkDomainFormat($_POST['domain']);

  if (!in_array($_POST['dir'], $notYetEnabledDirs))
--- a/ht/gemini-onion.php
+++ b/ht/gemini-onion.php
@ -49,6 +49,8 @@

 if (isset($_POST['dir']) AND isset($_SESSION['username'])) {

+  antiCSRF();
+
  if (!in_array($_POST['dir'], $notYetEnabledDirs))
    exit("ERROR : Wrong value for dir");

--- a/ht/http-onion.php
+++ b/ht/http-onion.php
@ -49,6 +49,8 @@

 if (isset($_POST['dir']) AND isset($_SESSION['username'])) {

+  antiCSRF();
+
  if (!in_array($_POST['dir'], $notYetEnabledDirs))
    exit("ERROR : Wrong value for dir");

--- a/ht/https-domain.php
+++ b/ht/https-domain.php
@ -56,6 +56,8 @@

 if (isset($_POST['domain']) AND isset($_POST['dir']) AND isset($_SESSION['username'])) {

+  antiCSRF();
+
  checkDomainFormat($_POST['domain']);

  if (!in_array($_POST['dir'], $notYetEnabledDirs))
--- a/ht/le.php
+++ b/ht/le.php
@ -12,7 +12,9 @@

 <?php

-if (isset($_POST['domain'])) {
+if (isset($_POST['domaine']) AND isset($_SESSION['username'])) {
+
+  antiCSRF();

  exec(SUDO_PATH . " " . MANIVER_PATH . " le-install " . $_POST['domain'], $output);
  addNiverLog($_SESSION['username'] . " installed a Let's Encrypt certificate on their site", $output);
--- a/ht/sftp.php
+++ b/ht/sftp.php
@ -18,6 +18,9 @@ if ($_SESSION['sftp_enabled'] == false) { ?>
 <?php

  if (isset($_SESSION['username']) AND isset($_POST['password'])) {
+
+    antiCSRF();
+
    // Setup SFTP access
    exec(SUDO_PATH . " " . MANIVER_PATH . " setup-user " . $_SESSION['username'] . " " . $_POST['password'], $output);
    addNiverLog($_SESSION['username'] . " enabled SFTP on their account", $output);
--- a/inc/ns.inc.php
+++ b/inc/ns.inc.php
@ -9,6 +9,7 @@ function nsCommonRequirements() {
    AND isset($_POST['ttl-multiplier'])
    AND isset($_SESSION['username'])
  ) {
+    antiCSRF();
    return true;
  }
 }
--- a/ns/dnssec.php
+++ b/ns/dnssec.php
@ -25,6 +25,8 @@ Afin d'activer DNSSEC, vous devez indiquer un enregistrement DS à la zone paren

 if (isset($_POST['zone']) AND isset($_SESSION['username'])) {

+  antiCSRF();
+
  nsCheckZonePossession($_POST['zone']);

  exec(KEYMGR_PATH . " " . $_POST['zone'] . " ds", $output);
--- a/ns/zone.php
+++ b/ns/zone.php
@ -11,6 +11,8 @@

 if (isset($_POST['domain']) AND isset($_SESSION['username'])) {

+  antiCSRF();
+
  checkAbsoluteDomainFormat($_POST['domain']);

  $db = new PDO('sqlite:' . DB_PATH);
--- a/reg/ds.php
+++ b/reg/ds.php
@ -64,6 +64,8 @@

 if (isset($_POST['zone']) AND isset($_POST['keytag']) AND isset($_POST['algo']) AND isset($_POST['key']) AND isset($_SESSION['username'])) {

+  antiCSRF();
+
  if (!($_POST['algo'] === "8")
      AND !($_POST['algo'] === "13")
      AND !($_POST['algo'] === "14")
--- a/reg/glue.php
+++ b/reg/glue.php
@ -41,7 +41,9 @@

 <?php

-if (isset($_POST['action']) AND isset($_POST['subdomain']) AND isset($_POST['suffix']) AND isset($_POST['ip'])) {
+if (isset($_POST['action']) AND isset($_POST['subdomain']) AND isset($_POST['suffix']) AND isset($_POST['ip']) AND isset($_SESSION['username'])) {
+
+  antiCSRF();

  if (!$suffixes)
    exit("ERROR : You don't own any domain");
--- a/reg/ns.php
+++ b/reg/ns.php
@ -36,6 +36,8 @@

 if (isset($_POST['domain']) AND isset($_POST['action']) AND isset($_POST['ns']) AND isset($_SESSION['username'])) {

+  antiCSRF();
+
  regCheckDomainPossession($_POST['domain']);
  checkAbsoluteDomainFormat($_POST['ns']);

--- a/reg/register.php
+++ b/reg/register.php
@ -139,6 +139,9 @@ Ce domaine doit être composé uniquement d'au moins 4 lettres latines non accen
 <?php

 if (isset($_POST['subdomain']) AND isset($_POST['suffix']) AND isset($_SESSION['username'])) {
+
+  antiCSRF();
+
  if (preg_match("/" . SUBDOMAIN_REGEX . "/", $_POST['subdomain'])) {

    if (!in_array($_POST['suffix'], SUFFIXES))