CSRF protection
andryyy
parent
88b0f84f3c
commit
4c6cfa66a8
|
|
@ -351,6 +351,7 @@ $tfa_data = get_tfa();
|
||||||
<?php
|
<?php
|
||||||
$lang_admin = json_encode($lang['admin']);
|
$lang_admin = json_encode($lang['admin']);
|
||||||
echo "var lang = ". $lang_admin . ";\n";
|
echo "var lang = ". $lang_admin . ";\n";
|
||||||
|
echo "var csrf_token = '". $_SESSION['CSRF']['TOKEN'] . "';\n";
|
||||||
echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";
|
echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";
|
||||||
?>
|
?>
|
||||||
</script>
|
</script>
|
||||||
|
|
|
||||||
|
|
@ -225,6 +225,7 @@ $(document).ready(function() {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
$("<input type='hidden' value='<?=$_SESSION['CSRF']['TOKEN'];?>' />").attr("id", "csrf_token").attr("name", "csrf_token").appendTo("form");
|
||||||
});
|
});
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,21 +15,8 @@ else {
|
||||||
}
|
}
|
||||||
session_set_cookie_params($GLOBALS['SESSION_LIFETIME'], '/', $_SERVER['SERVER_NAME'], $IS_HTTPS, true);
|
session_set_cookie_params($GLOBALS['SESSION_LIFETIME'], '/', $_SERVER['SERVER_NAME'], $IS_HTTPS, true);
|
||||||
session_start();
|
session_start();
|
||||||
|
if (!isset($_SESSION['CSRF']['TOKEN'])) {
|
||||||
// Handle logouts
|
$_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));
|
||||||
if (isset($_POST["logout"])) {
|
|
||||||
if (isset($_SESSION["dual-login"])) {
|
|
||||||
$_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"];
|
|
||||||
$_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"];
|
|
||||||
unset($_SESSION["dual-login"]);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
session_regenerate_id(true);
|
|
||||||
session_unset();
|
|
||||||
session_destroy();
|
|
||||||
session_write_close();
|
|
||||||
header("Location: /");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set session IP and UA
|
// Set session IP and UA
|
||||||
|
|
@ -51,12 +38,36 @@ function session_check() {
|
||||||
if ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT']) {
|
if ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT']) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
if (!empty($_POST)) {
|
||||||
|
if ($_SESSION['CSRF']['TOKEN'] != $_POST['csrf_token']) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
$_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));
|
||||||
|
$_SESSION['CSRF']['TIME'] = time();
|
||||||
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) {
|
if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) {
|
||||||
session_regenerate_id(true);
|
$_SESSION['return'] = array(
|
||||||
session_unset();
|
'type' => 'warning',
|
||||||
session_destroy();
|
'msg' => 'Form token invalid or timed out'
|
||||||
session_write_close();
|
);
|
||||||
header("Location: /");
|
$_POST = array();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Handle logouts
|
||||||
|
if (isset($_POST["logout"])) {
|
||||||
|
if (isset($_SESSION["dual-login"])) {
|
||||||
|
$_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"];
|
||||||
|
$_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"];
|
||||||
|
unset($_SESSION["dual-login"]);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
session_regenerate_id(true);
|
||||||
|
session_unset();
|
||||||
|
session_destroy();
|
||||||
|
session_write_close();
|
||||||
|
header("Location: /");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -52,7 +52,7 @@ $(document).ready(function() {
|
||||||
$.ajax({
|
$.ajax({
|
||||||
type: "POST",
|
type: "POST",
|
||||||
dataType: "json",
|
dataType: "json",
|
||||||
data: { "items": JSON.stringify(data_array) },
|
data: { "items": JSON.stringify(data_array), "csrf_token": csrf_token },
|
||||||
url: '/api/v1/' + api_url,
|
url: '/api/v1/' + api_url,
|
||||||
jsonp: false,
|
jsonp: false,
|
||||||
complete: function (data) {
|
complete: function (data) {
|
||||||
|
|
|
||||||
|
|
@ -43,7 +43,7 @@ $(document).ready(function() {
|
||||||
$.ajax({
|
$.ajax({
|
||||||
type: "POST",
|
type: "POST",
|
||||||
dataType: "json",
|
dataType: "json",
|
||||||
data: { "items": JSON.stringify(data_array), "attr": JSON.stringify(api_attr) },
|
data: { "items": JSON.stringify(data_array), "attr": JSON.stringify(api_attr), "csrf_token": csrf_token },
|
||||||
url: '/api/v1/' + api_url,
|
url: '/api/v1/' + api_url,
|
||||||
jsonp: false,
|
jsonp: false,
|
||||||
complete: function (data) {
|
complete: function (data) {
|
||||||
|
|
@ -76,7 +76,7 @@ $(document).ready(function() {
|
||||||
$.ajax({
|
$.ajax({
|
||||||
type: "POST",
|
type: "POST",
|
||||||
dataType: "json",
|
dataType: "json",
|
||||||
data: { "items": JSON.stringify(data_array) },
|
data: { "items": JSON.stringify(data_array), "csrf_token": csrf_token },
|
||||||
url: '/api/v1/' + api_url,
|
url: '/api/v1/' + api_url,
|
||||||
jsonp: false,
|
jsonp: false,
|
||||||
complete: function (data) {
|
complete: function (data) {
|
||||||
|
|
|
||||||
|
|
@ -172,6 +172,7 @@ $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
|
||||||
<?php
|
<?php
|
||||||
$lang_mailbox = json_encode($lang['mailbox']);
|
$lang_mailbox = json_encode($lang['mailbox']);
|
||||||
echo "var lang = ". $lang_mailbox . ";\n";
|
echo "var lang = ". $lang_mailbox . ";\n";
|
||||||
|
echo "var csrf_token = '". $_SESSION['CSRF']['TOKEN'] . "';\n";
|
||||||
$role = ($_SESSION['mailcow_cc_role'] == "admin") ? 'admin' : 'domainadmin';
|
$role = ($_SESSION['mailcow_cc_role'] == "admin") ? 'admin' : 'domainadmin';
|
||||||
echo "var role = '". $role . "';\n";
|
echo "var role = '". $role . "';\n";
|
||||||
echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";
|
echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue