
send CSRF token in a response header,

update the page's CSRF tokens with the new token
from the response header,
verify csrf token in ajax endpoints,
initialize a session for every endpoint
pull/356/head
glaszig 3 years ago
parent
commit
da69d3d768
  1. 4
      ajax/bandwidth/get_bandwidth.php
  2. 3
      ajax/bandwidth/get_bandwidth_hourly.php
  3. 4
      ajax/networking/gen_int_config.php
  4. 3
      ajax/networking/get_all_interfaces.php
  5. 4
      ajax/networking/get_int_config.php
  6. 4
      ajax/networking/get_ip_summary.php
  7. 4
      ajax/networking/save_int_config.php
  8. 11
      includes/csrf.php
  9. 5
      includes/session.php
  10. 8
      index.php
  11. 11
      js/custom.js

4
ajax/bandwidth/get_bandwidth.php

@ -1,8 +1,10 @@
<?php
require('includes/csrf.php');
require_once '../../includes/config.php';
require_once RASPI_CONFIG.'/raspap.php';
session_start();
header('X-Frame-Options: DENY');
header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
require_once '../../includes/authenticate.php';
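Review bot: The new `require('includes/csrf.php');` resolves relative to the working directory, and the neighbouring `require_once '../../includes/config.php';` shows this endpoint relies on that directory being ajax/bandwidth, so the include most likely looks for ajax/bandwidth/includes/csrf.php and fatals before any check runs (unless include_path covers the document root, which nothing here shows). Use the same form as its neighbours, `require('../../includes/csrf.php');`. The placement is otherwise right: the CSRF check and session start happen before `authenticate.php` and before any output, so the header it sets can still be emitted.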

3
ajax/bandwidth/get_bandwidth_hourly.php

@ -1,4 +1,7 @@
<?php
require('includes/csrf.php');
if (filter_input(INPUT_GET, 'tu') == 'h') {
header('X-Content-Type-Options: nosniff');

4
ajax/networking/gen_int_config.php

@ -1,5 +1,7 @@
<?php
session_start();
require('includes/csrf.php');
include_once('../../includes/config.php');
include_once('../../includes/functions.php');

3
ajax/networking/get_all_interfaces.php

@ -1,4 +1,7 @@
<?php
require('includes/csrf.php');
exec("ls /sys/class/net | grep -v lo", $interfaces);
echo json_encode($interfaces);
?>
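Review bot: The CSRF include is the only guard this file gets, and the original four lines it extends never required `../../includes/authenticate.php` the way get_bandwidth.php does, so an unauthenticated client can still fetch the interface list from `/sys/class/net`; a CSRF check is not an authentication check, and per the JS side it is presumably only enforced for POST/PATCH/PUT/DELETE anyway. Add `require_once '../../includes/authenticate.php';` directly after the csrf require, matching the bandwidth endpoint. The csrf require itself should use the `../../includes/` path form the sibling endpoints use for their includes.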

4
ajax/networking/get_int_config.php

@ -1,5 +1,7 @@
<?php
session_start();
require('includes/csrf.php');
include_once('../../includes/config.php');
include_once('../../includes/functions.php');

4
ajax/networking/get_ip_summary.php

@ -1,5 +1,7 @@
<?php
session_start();
require('includes/csrf.php');
include_once('../../includes/functions.php');
if(isset($_POST['interface'])) {

4
ajax/networking/save_int_config.php

@ -1,5 +1,7 @@
<?php
session_start();
require('includes/csrf.php');
include_once('../../includes/config.php');
include_once('../../includes/functions.php');
if(isset($_POST['interface'])) {
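Review bot: This is the endpoint the CSRF check actually protects (it acts on `$_POST['interface']`), but the request side in js/custom.js sends the token only as an `X-CSRF-Token` request header, not as a `csrf_token` POST field; `CSRFValidate()` is not part of this diff, so confirm it reads `$_SERVER['HTTP_X_CSRF_TOKEN']` (compared with `hash_equals`), otherwise every AJAX POST from the page is rejected once the include path is fixed. A comment above the require, `// CSRF token arrives in the X-CSRF-Token request header (set in js/custom.js ajaxSetup)`, would keep that contract visible next to the check. The `if` that begins on the last line continues outside the hunk.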

11
includes/csrf.php

@ -0,0 +1,11 @@
<?php
include_once('includes/functions.php');
include_once('includes/session.php');
if (csrfValidateRequest() && !CSRFValidate()) {
handleInvalidCSRFToken();
}
ensureCSRFSessionToken();
header('X-CSRF-Token', $_SESSION['csrf_token']);
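Review bot: `header('X-CSRF-Token', $_SESSION['csrf_token'])` on the last line never sends the token: PHP's `header()` takes the whole `Name: value` string as its first argument and the second argument is the boolean `$replace`, so the response carries a bare `X-CSRF-Token` line and the JS `getResponseHeader` call gets null. It should be `header('X-CSRF-Token: ' . $_SESSION['csrf_token']);`. The two `include_once('includes/...')` lines resolve against the working directory, which for the ajax endpoints is their own directory (their neighbouring includes use `../../includes/`), so `include_once(__DIR__ . '/functions.php');` and `include_once(__DIR__ . '/session.php');` are the robust form. Exposing the token in a response header is fine for same-origin requests; it must not be combined with a permissive `Access-Control-Allow-Origin` / `Access-Control-Expose-Headers`, which none of the files in this commit set.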

5
includes/session.php

@ -0,0 +1,5 @@
<?php
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
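Review bot: `session_status() == PHP_SESSION_NONE` should be `===`; the constant is an int, so this is a consistency point rather than a bug. Because this file now starts the session on the first include from every endpoint, any `session_set_cookie_params()` or `ini_set('session.cookie_httponly', ...)` the project relies on must run before `includes/csrf.php` is required, or the session cookie is issued without those flags; nothing in this commit sets them, so verify where (if anywhere) they are set. A one-line comment, `// Idempotent: safe to include from csrf.php and from scripts that already started a session`, would explain the guard.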

8
index.php

@ -18,7 +18,7 @@
* @see http://sirlagz.net/2013/02/08/raspap-webgui/
*/
session_start();
require('includes/csrf.php');
include_once('includes/config.php');
include_once(RASPI_CONFIG.'/raspap.php');
@ -39,12 +39,6 @@ include_once('includes/about.php');
$output = $return = 0;
$page = $_GET['page'];
if (csrfValidateRequest() && !CSRFValidate()) {
handleInvalidCSRFToken();
}
ensureCSRFSessionToken();
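Review bot: The first hunk now runs the CSRF work from `includes/csrf.php` before `includes/config.php` and `RASPI_CONFIG.'/raspap.php'` are loaded, whereas the block removed in the second hunk ran after both; `csrf.php` includes functions.php itself, so if `CSRFValidate()`, `handleInvalidCSRFToken()` or anything functions.php evaluates at load time depends on constants from those files, the check now executes before they exist. If so, move `require('includes/csrf.php');` to just after `include_once(RASPI_CONFIG.'/raspap.php');`; session.php guards `session_start()`, so session handling is unaffected by the move. functions.php is not in this diff, so treat this as something to confirm rather than a known break.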
if (!isset($_COOKIE['theme'])) {
$theme = "custom.css";
} else {

11
js/custom.js

@ -160,13 +160,22 @@ function setupBtns() {
});
}
function updateCSRFToken(xhr, settings) {
var newToken = xhr.getResponseHeader("X-CSRF-Token");
if (newToken) {
$('meta[name=csrf_token]').attr('content', newToken);
$('[name=csrf_token]:input').attr('value', newToken);
}
}
$.ajaxSetup({
beforeSend: function(xhr, settings) {
var csrfToken = $('meta[name=csrf_token]').attr('content');
if (/^(POST|PATCH|PUT|DELETE)$/i.test(settings.type)) {
xhr.setRequestHeader("X-CSRF-Token", csrfToken);
}
}
},
ajaxComplete: updateCSRFToken
});
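Review bot: `ajaxComplete: updateCSRFToken` inside `$.ajaxSetup` is not a recognised option (unknown keys are ignored), so `updateCSRFToken` is never invoked and the meta tag and hidden inputs are never refreshed; register it as a global handler with `$(document).ajaxComplete(function(event, xhr, settings) { updateCSRFToken(xhr, settings); });`, or use the per-request default `complete: updateCSRFToken` (its `(jqXHR, textStatus)` arguments still satisfy `xhr.getResponseHeader`). The document-level handler is the safer choice, since any individual `$.ajax` call that passes its own `complete` would silently override the ajaxSetup default and skip the refresh. The header name must match exactly what the server emits, which in this commit's `includes/csrf.php` is currently not a valid `X-CSRF-Token: value` line.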
$().ready(function(){
