Added CSRF protection

This commit is contained in:
Lukas Metzger 2016-01-29 16:52:23 +01:00
parent 9b31f83f6d
commit f628e147cd
20 changed files with 87 additions and 22 deletions


@ -97,7 +97,7 @@ limitations under the License.
</row> </row>
</div> </div>
<?php echo '<span class="hidden" id="csrfToken">' . $_SESSION['csrfToken'] . '</span>'; ?>
</body> </body>
</html> </html>
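Review bot: The token is echoed unescaped and with no guard for a session that has no `csrfToken` yet (one started before this deploy, or one where the login handler never ran), which emits a notice and renders an empty span, so every API call from that page is denied until the user logs in again. The value is base64 so escaping is only defense-in-depth, but the missing-key case is a real breakage; one line covers both: `<?php echo '<span class="hidden" id="csrfToken">' . htmlspecialchars(isset($_SESSION['csrfToken']) ? $_SESSION['csrfToken'] : '', ENT_QUOTES, 'UTF-8') . '</span>'; ?>`. Whether session.php already creates the token on session start is not visible here.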


@ -23,6 +23,11 @@ require_once '../lib/soa-mail.php';
$input = json_decode(file_get_contents('php://input')); $input = json_decode(file_get_contents('php://input'));
if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
echo "Permission denied!";
exit();
}
if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") { if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") {
echo "Permission denied!"; echo "Permission denied!";
exit(); exit();
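Review bot: The comparison `$input->csrfToken !== $_SESSION['csrfToken']` on the added guard is not constant-time and, because the value comes from a JSON body, the right-hand side can be an int, array or object rather than a string. Use `hash_equals` behind a type guard: `if(!isset($input->csrfToken) || !is_string($input->csrfToken) || !isset($_SESSION['csrfToken']) || !hash_equals($_SESSION['csrfToken'], $input->csrfToken)) {`. The `isset($_SESSION['csrfToken'])` part matters because `hash_equals` warns or throws on a null first argument, whereas `!==` silently denied. The same five lines are pasted into eight endpoints in this commit; a single `checkCsrfToken($input)` helper in lib/ (session.php is already required by most of them) keeps them identical.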


@ -22,6 +22,11 @@ require_once '../lib/session.php';
$input = json_decode(file_get_contents('php://input')); $input = json_decode(file_get_contents('php://input'));
if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
echo "Permission denied!";
exit();
}
if(isset($input->action) && $input->action == "getDomains") { if(isset($input->action) && $input->action == "getDomains") {
$sql = " $sql = "
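Review bot: On a failed check the new block answers with HTTP 200 and the plain text `Permission denied!`, which the jQuery callers presumably try to parse as JSON (the callbacks are outside the hunk); add `http_response_code(403);` before the echo so a rejected request is distinguishable from a successful one. The compare should also be `hash_equals($_SESSION['csrfToken'], $input->csrfToken)` guarded by `is_string($input->csrfToken)` and `isset($_SESSION['csrfToken'])` rather than `!==`. Rejecting before the `action` dispatch is the right placement.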


@ -24,6 +24,11 @@ require_once '../lib/update-serial.php';
$input = json_decode(file_get_contents('php://input')); $input = json_decode(file_get_contents('php://input'));
if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
echo "Permission denied!";
exit();
}
//Permission check //Permission check
if(isset($input->domain)) { if(isset($input->domain)) {
$permquery = $db->prepare("SELECT * FROM permissions WHERE user=? AND domain=?"); $permquery = $db->prepare("SELECT * FROM permissions WHERE user=? AND domain=?");
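Review bot: The CSRF guard uses a plain `!==` against a session secret; replace it with `if(!isset($input->csrfToken) || !is_string($input->csrfToken) || !isset($_SESSION['csrfToken']) || !hash_equals($_SESSION['csrfToken'], $input->csrfToken)) {` so the comparison is constant-time and a non-string JSON value cannot reach `hash_equals`. Placing the check ahead of the per-domain permission query is good: a forged request is dropped before it costs a database round trip. The permission check that follows continues past the hunk.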


@ -22,6 +22,11 @@ require_once '../lib/session.php';
$input = json_decode(file_get_contents('php://input')); $input = json_decode(file_get_contents('php://input'));
if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
echo "Permission denied!";
exit();
}
if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") { if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") {
echo "Permission denied!"; echo "Permission denied!";
exit(); exit();
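Review bot: Same issue as the other endpoints in this commit: the added guard compares the token with `!==`, which is neither constant-time nor robust to a JSON value that is not a string. Change the condition to `!isset($input->csrfToken) || !is_string($input->csrfToken) || !isset($_SESSION['csrfToken']) || !hash_equals($_SESSION['csrfToken'], $input->csrfToken)`. Since this is an admin-only endpoint, the duplicated `Permission denied!` branches could become one helper call each.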


@ -38,8 +38,10 @@ if (password_verify($input->password, $password)) {
$randomSecret = base64_encode(openssl_random_pseudo_bytes(32)); $randomSecret = base64_encode(openssl_random_pseudo_bytes(32));
$_SESSION['secret'] = $randomSecret; $_SESSION['secret'] = $randomSecret;
setcookie("authSecret", $randomSecret, 0, "/", "", false, true); setcookie("authSecret", $randomSecret, 0, "/", "", false, true);
$csrfToken = base64_encode(openssl_random_pseudo_bytes(32));
$_SESSION['csrfToken'] = $csrfToken;
} else { } else {
$retval['status'] = "fail"; $retval['status'] = "fail";
} }
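Review bot: The new token at `$csrfToken = base64_encode(openssl_random_pseudo_bytes(32));` ignores the function's `$crypto_strong` out-parameter, so on a platform where OpenSSL falls back to a weak source the token is silently weak; if the deployment is on PHP 7 or later, `base64_encode(random_bytes(32))` throws instead of degrading, otherwise pass `$strong` and abort when it is false. Generating a fresh token on every successful login is the right lifetime, but it should also be regenerated wherever the session id is regenerated, which is not visible here. The enclosing `if (password_verify(...))` starts before the hunk.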


@ -24,6 +24,11 @@ if(file_exists("../config/config-user.php")) {
//Get input //Get input
$input = json_decode(file_get_contents('php://input')); $input = json_decode(file_get_contents('php://input'));
if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
echo "Permission denied!";
exit();
}
//Database command //Database command
$sql = " $sql = "
CREATE TABLE IF NOT EXISTS domains ( CREATE TABLE IF NOT EXISTS domains (
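Review bot: On a fresh install no login has run, and the token is only created in the login handler in this commit, so `$_SESSION['csrfToken']` is unset when this setup script is reached and the new guard denies every setup request — unless the page that renders the setup form creates the token itself, which is not visible here. That page should do `if(!isset($_SESSION['csrfToken'])) { $_SESSION['csrfToken'] = base64_encode(openssl_random_pseudo_bytes(32)); }` before echoing the `#csrfToken` span. The compare here should also be `hash_equals` behind an `is_string` guard rather than `!==`. The enclosing `if(file_exists(...))` block starts before the hunk.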


@ -22,6 +22,11 @@ require_once '../lib/session.php';
$input = json_decode(file_get_contents('php://input')); $input = json_decode(file_get_contents('php://input'));
if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
echo "Permission denied!";
exit();
}
if(isset($input->action) && $input->action == "changePassword") { if(isset($input->action) && $input->action == "changePassword") {
$passwordHash = password_hash($input->password, PASSWORD_DEFAULT); $passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
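Review bot: Password change is the most valuable CSRF target in the application, so the added guard is the one that matters most and it should not rely on `!==`: use `hash_equals($_SESSION['csrfToken'], $input->csrfToken)` preceded by `is_string($input->csrfToken)` and `isset($_SESSION['csrfToken'])`. Note that `$input->csrfToken` is read before any check that `$input` decoded to an object; that is harmless today because `isset` on a null returns false, but a comment such as `// json_decode() yields null on bad input; isset() then fails closed` would make the fail-closed path explicit.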


@ -22,6 +22,11 @@ require_once '../lib/session.php';
$input = json_decode(file_get_contents('php://input')); $input = json_decode(file_get_contents('php://input'));
if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
echo "Permission denied!";
exit();
}
if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") { if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") {
echo "Permission denied!"; echo "Permission denied!";
exit(); exit();
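Review bot: The added guard compares the secret with `!==`; use `if(!isset($input->csrfToken) || !is_string($input->csrfToken) || !isset($_SESSION['csrfToken']) || !hash_equals($_SESSION['csrfToken'], $input->csrfToken)) {` instead. This is the fourth admin endpoint carrying the identical block; if these checks are ever tightened (status code, logging, token rotation) each copy has to be found by hand, which is the argument for a shared `checkCsrfToken($input)` in lib/.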


@ -101,5 +101,6 @@ limitations under the License.
</div> </div>
</div> </div>
</div> </div>
<?php echo '<span class="hidden" id="csrfToken">' . $_SESSION['csrfToken'] . '</span>'; ?>
</body> </body>
</html> </html>
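Review bot: The token is placed in a body text node that stays invisible only as long as the `hidden` CSS class exists; the conventional home is `<meta name="csrf-token" content="<?php echo htmlspecialchars($_SESSION['csrfToken'], ENT_QUOTES, 'UTF-8'); ?>">` in the head, read in the scripts with `$('meta[name="csrf-token"]').attr('content')`. It also avoids the token being selectable or copied into the page text by tooling. Either way the echoed value should be escaped rather than concatenated raw.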


@ -160,6 +160,7 @@ limitations under the License.
</table> </table>
</div> </div>
</div> </div>
<?php echo '<span class="hidden" id="csrfToken">' . $_SESSION['csrfToken'] . '</span>'; ?>
</body> </body>
</html> </html>
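Review bot: `$_SESSION['csrfToken']` is read unconditionally here, but the token is only created on a successful login in this commit, so a session that is valid but predates the deploy renders a notice and an empty span and every request from this page is then denied. Guard the read, `isset($_SESSION['csrfToken']) ? $_SESSION['csrfToken'] : ''`, or better, have session.php create the token when the session starts so the templates never see it missing (not visible here).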


@ -100,6 +100,7 @@ limitations under the License.
</row> </row>
</div> </div>
<?php echo '<span class="hidden" id="csrfToken">' . $_SESSION['csrfToken'] . '</span>'; ?>
</body> </body>
</html> </html>
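Review bot: The session value is concatenated straight into HTML on the added line; it is base64 today, so this is safe, but the echo should not depend on that property of a value generated elsewhere: wrap it as `htmlspecialchars($_SESSION['csrfToken'], ENT_QUOTES, 'UTF-8')`. A short comment, `// per-session CSRF token, read by the page scripts and echoed back in every API request`, would also tell a maintainer why the span exists.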


@ -62,7 +62,8 @@ function saveData(callback) {
retry: $('#zone-retry').val(), retry: $('#zone-retry').val(),
expire: $('#zone-expire').val(), expire: $('#zone-expire').val(),
ttl: $('#zone-ttl').val(), ttl: $('#zone-ttl').val(),
action: "addDomain" action: "addDomain",
csrfToken: $('#csrfToken').text()
}; };
$.post( $.post(


@ -54,7 +54,9 @@ $(document).ready(function() {
}); });
function requestData() { function requestData() {
var restrictions = {}; var restrictions = {
csrfToken: $('#csrfToken').text()
};
restrictions.sort = sort; restrictions.sort = sort;
@ -128,7 +130,8 @@ function deleteDomain() {
function deleteDomainWithId(id, callback) { function deleteDomainWithId(id, callback) {
var data = { var data = {
action: "deleteDomain", action: "deleteDomain",
id: id id: id,
csrfToken: $('#csrfToken').text()
}; };
$.post( $.post(


@ -124,7 +124,9 @@ function recreateTable(data) {
} }
function requestRecordData() { function requestRecordData() {
var restrictions = {}; var restrictions = {
csrfToken: $('#csrfToken').text()
};
restrictions.sort = sort; restrictions.sort = sort;
@ -159,7 +161,8 @@ function requestRecordData() {
function requestSoaData() { function requestSoaData() {
var data = { var data = {
action: "getSoa" action: "getSoa",
csrfToken: $('#csrfToken').text()
}; };
data.domain = location.hash.substring(1); data.domain = location.hash.substring(1);
@ -181,7 +184,8 @@ function requestSoaData() {
function requestSerial() { function requestSerial() {
var data = { var data = {
action: "getSerial" action: "getSerial",
csrfToken: $('#csrfToken').text()
}; };
data.domain = location.hash.substring(1); data.domain = location.hash.substring(1);
@ -198,7 +202,8 @@ function requestSerial() {
function saveSoaData() { function saveSoaData() {
var data = { var data = {
action: "saveSoa" action: "saveSoa",
csrfToken: $('#csrfToken').text()
}; };
data.domain = location.hash.substring(1); data.domain = location.hash.substring(1);
@ -268,7 +273,8 @@ function saveRecord() {
prio: tableRow.children('td').eq(4).children('input').val(), prio: tableRow.children('td').eq(4).children('input').val(),
ttl: tableRow.children('td').eq(5).children('input').val(), ttl: tableRow.children('td').eq(5).children('input').val(),
action: "saveRecord", action: "saveRecord",
domain: location.hash.substring(1) domain: location.hash.substring(1),
csrfToken: $('#csrfToken').text()
}; };
tableRow.children('td').eq(0).empty().text(data.id); tableRow.children('td').eq(0).empty().text(data.id);
@ -309,7 +315,8 @@ function addRecord() {
prio: $('#addPrio').val(), prio: $('#addPrio').val(),
ttl: $('#addTtl').val(), ttl: $('#addTtl').val(),
action: "addRecord", action: "addRecord",
domain: location.hash.substring(1) domain: location.hash.substring(1),
csrfToken: $('#csrfToken').text()
}; };
$.post( $.post(
@ -344,7 +351,8 @@ function trashClicked() {
var data = { var data = {
id: $(this).parent().parent().children().eq(0).text(), id: $(this).parent().parent().children().eq(0).text(),
domain: location.hash.substring(1), domain: location.hash.substring(1),
action: "removeRecord" action: "removeRecord",
csrfToken: $('#csrfToken').text()
}; };
var lineAffected = $(this).parent().parent(); var lineAffected = $(this).parent().parent();
@ -363,7 +371,8 @@ function trashClicked() {
function requestDomainName() { function requestDomainName() {
var data = { var data = {
action: "getDomainName", action: "getDomainName",
domain: location.hash.substring(1) domain: location.hash.substring(1),
csrfToken: $('#csrfToken').text()
}; };
$.post( $.post(
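Review bot: Every request builder in this file now repeats `csrfToken: $('#csrfToken').text()`, eight times across the hunks shown, and any future request that omits it will fail only at runtime with a `Permission denied!` body. A single helper, `function withCsrf(data) { data.csrfToken = $('#csrfToken').text(); return data; }`, wrapped around each `data` object at the `$.post` call keeps the token in one place and makes a missing one a one-line fix. The DOM lookup could likewise be done once on `$(document).ready` instead of per request.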


@ -111,7 +111,8 @@ function addUser() {
name: $('#user-name').val(), name: $('#user-name').val(),
password: $('#user-password').val(), password: $('#user-password').val(),
type: $('#user-type').val(), type: $('#user-type').val(),
action: "addUser" action: "addUser",
csrfToken: $('#csrfToken').text()
}; };
$.post( $.post(
@ -128,7 +129,8 @@ function addUser() {
function getUserData() { function getUserData() {
var data = { var data = {
id: location.hash.substring(1), id: location.hash.substring(1),
action: "getUserData" action: "getUserData",
csrfToken: $('#csrfToken').text()
}; };
$.post( $.post(
@ -147,7 +149,8 @@ function saveUserChanges() {
id: location.hash.substring(1), id: location.hash.substring(1),
name: $('#user-name').val(), name: $('#user-name').val(),
type: $('#user-type').val(), type: $('#user-type').val(),
action: "saveUserChanges" action: "saveUserChanges",
csrfToken: $('#csrfToken').text()
}; };
if($('#user-password').val().length > 0) { if($('#user-password').val().length > 0) {
@ -165,7 +168,8 @@ function saveUserChanges() {
function requestPermissions() { function requestPermissions() {
var data = { var data = {
id: location.hash.substring(1), id: location.hash.substring(1),
action: "getPermissions" action: "getPermissions",
csrfToken: $('#csrfToken').text()
}; };
$.post( $.post(
@ -195,7 +199,8 @@ function removePermission() {
var data = { var data = {
domainId: $(this).parent().parent().data("id"), domainId: $(this).parent().parent().data("id"),
userId: location.hash.substring(1), userId: location.hash.substring(1),
action: "removePermission" action: "removePermission",
csrfToken: $('#csrfToken').text()
}; };
var lineToRemove = $(this).parent().parent(); var lineToRemove = $(this).parent().parent();
@ -214,7 +219,8 @@ function addPermissions() {
var data = { var data = {
action: "addPermissions", action: "addPermissions",
userId: location.hash.substring(1), userId: location.hash.substring(1),
domains: $('#permissions select#selectAdd').val() domains: $('#permissions select#selectAdd').val(),
csrfToken: $('#csrfToken').text()
} }
$.post( $.post(
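Review bot: The token is re-read from the DOM with `$('#csrfToken').text()` in each of the six builders in this file; reading it once into a module-level `var csrfToken = $('#csrfToken').text();` in the existing `$(document).ready` handler and referencing `csrfToken` in the objects is cheaper and means a renamed or removed span breaks in exactly one place. The `addPermissions` object at the end of the hunk is also missing its closing `;` after `}`, which predates the commit but is on a line this change touches.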


@ -46,7 +46,8 @@ function savePassword() {
var data = { var data = {
password: $('#user-password').val(), password: $('#user-password').val(),
action: "changePassword" action: "changePassword",
csrfToken: $('#csrfToken').text()
}; };
$.post( $.post(


@ -54,7 +54,9 @@ $(document).ready(function() {
}); });
function requestData() { function requestData() {
var restrictions = {}; var restrictions = {
csrfToken: $('#csrfToken').text()
};
restrictions.sort = sort; restrictions.sort = sort;
@ -123,7 +125,8 @@ function deleteDomain() {
function deleteUserWithId(id, callback) { function deleteUserWithId(id, callback) {
var data = { var data = {
action: "deleteUser", action: "deleteUser",
id: id id: id,
csrfToken: $('#csrfToken').text()
}; };
$.post( $.post(
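Review bot: If the `#csrfToken` span is absent from the page, `$('#csrfToken').text()` returns `""` and both `requestData` and `deleteUserWithId` send an empty token; the server then replies with the plain text `Permission denied!`, which the `$.post` callbacks (outside the hunk) presumably try to treat as JSON, so the user sees a silent failure rather than an error. A guard such as `if (!$('#csrfToken').length) { console.error('csrfToken missing from page'); }` in `$(document).ready`, or a shared helper that throws, makes the misconfiguration visible during development.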


@ -74,6 +74,7 @@ limitations under the License.
</row> </row>
</div> </div>
<?php echo '<span class="hidden" id="csrfToken">' . $_SESSION['csrfToken'] . '</span>'; ?>
</body> </body>
</html> </html>
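Review bot: If this is the setup page (the hunk header and the `CREATE TABLE` endpoint elsewhere in the commit suggest it), `$_SESSION['csrfToken']` does not exist yet when it renders, because the token is only created by the login handler; the span then comes out empty and the setup request is rejected by the new check. Create the token here before echoing it, `<?php if(!isset($_SESSION['csrfToken'])) { $_SESSION['csrfToken'] = base64_encode(openssl_random_pseudo_bytes(32)); } ?>`, and escape the echoed value with `htmlspecialchars`. Whether session.php already does this is not visible from the hunk.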


@ -101,5 +101,6 @@ limitations under the License.
</div> </div>
</div> </div>
</div> </div>
<?php echo '<span class="hidden" id="csrfToken">' . $_SESSION['csrfToken'] . '</span>'; ?>
</body> </body>
</html> </html>
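Review bot: This is the sixth template in the commit that ends with the identical `<span class="hidden" id="csrfToken">` echo, each concatenating the raw session value. Moving the line into a shared footer include (or a tiny `csrfTokenSpan()` helper in lib/) with `htmlspecialchars($_SESSION['csrfToken'], ENT_QUOTES, 'UTF-8')` and an `isset` guard means the escaping and the missing-token handling are fixed once, and a new page cannot forget the span and silently lose its API access.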