CSRF protection

master
andryyy 2017-05-15 11:37:12 +02:00
parent fccdabb113
commit e91c6916ab
6 changed files with 37 additions and 23 deletions

View File

@ -351,6 +351,7 @@ $tfa_data = get_tfa();
<?php <?php
$lang_admin = json_encode($lang['admin']); $lang_admin = json_encode($lang['admin']);
echo "var lang = ". $lang_admin . ";\n"; echo "var lang = ". $lang_admin . ";\n";
echo "var csrf_token = '". $_SESSION['CSRF']['TOKEN'] . "';\n";
echo "var pagination_size = '". $PAGINATION_SIZE . "';\n"; echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";
?> ?>
</script> </script>

View File

@ -225,6 +225,7 @@ $(document).ready(function() {
} }
}); });
}); });
$("<input type='hidden' value='<?=$_SESSION['CSRF']['TOKEN'];?>' />").attr("id", "csrf_token").attr("name", "csrf_token").appendTo("form");
}); });
</script> </script>

View File

@ -15,21 +15,8 @@ else {
} }
session_set_cookie_params($GLOBALS['SESSION_LIFETIME'], '/', $_SERVER['SERVER_NAME'], $IS_HTTPS, true); session_set_cookie_params($GLOBALS['SESSION_LIFETIME'], '/', $_SERVER['SERVER_NAME'], $IS_HTTPS, true);
session_start(); session_start();
if (!isset($_SESSION['CSRF']['TOKEN'])) {
// Handle logouts $_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));
if (isset($_POST["logout"])) {
if (isset($_SESSION["dual-login"])) {
$_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"];
$_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"];
unset($_SESSION["dual-login"]);
}
else {
session_regenerate_id(true);
session_unset();
session_destroy();
session_write_close();
header("Location: /");
}
} }
// Set session IP and UA // Set session IP and UA
@ -51,12 +38,36 @@ function session_check() {
if ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT']) { if ($_SESSION['SESS_REMOTE_UA'] != $_SERVER['HTTP_USER_AGENT']) {
return false; return false;
} }
if (!empty($_POST)) {
if ($_SESSION['CSRF']['TOKEN'] != $_POST['csrf_token']) {
return false;
}
$_SESSION['CSRF']['TOKEN'] = bin2hex(random_bytes(32));
$_SESSION['CSRF']['TIME'] = time();
}
return true; return true;
} }
if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) { if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) {
session_regenerate_id(true); $_SESSION['return'] = array(
session_unset(); 'type' => 'warning',
session_destroy(); 'msg' => 'Form token invalid or timed out'
session_write_close(); );
header("Location: /"); $_POST = array();
} }
// Handle logouts
if (isset($_POST["logout"])) {
if (isset($_SESSION["dual-login"])) {
$_SESSION["mailcow_cc_username"] = $_SESSION["dual-login"]["username"];
$_SESSION["mailcow_cc_role"] = $_SESSION["dual-login"]["role"];
unset($_SESSION["dual-login"]);
}
else {
session_regenerate_id(true);
session_unset();
session_destroy();
session_write_close();
header("Location: /");
}
}

View File

@ -52,7 +52,7 @@ $(document).ready(function() {
$.ajax({ $.ajax({
type: "POST", type: "POST",
dataType: "json", dataType: "json",
data: { "items": JSON.stringify(data_array) }, data: { "items": JSON.stringify(data_array), "csrf_token": csrf_token },
url: '/api/v1/' + api_url, url: '/api/v1/' + api_url,
jsonp: false, jsonp: false,
complete: function (data) { complete: function (data) {

View File

@ -43,7 +43,7 @@ $(document).ready(function() {
$.ajax({ $.ajax({
type: "POST", type: "POST",
dataType: "json", dataType: "json",
data: { "items": JSON.stringify(data_array), "attr": JSON.stringify(api_attr) }, data: { "items": JSON.stringify(data_array), "attr": JSON.stringify(api_attr), "csrf_token": csrf_token },
url: '/api/v1/' + api_url, url: '/api/v1/' + api_url,
jsonp: false, jsonp: false,
complete: function (data) { complete: function (data) {
@ -76,7 +76,7 @@ $(document).ready(function() {
$.ajax({ $.ajax({
type: "POST", type: "POST",
dataType: "json", dataType: "json",
data: { "items": JSON.stringify(data_array) }, data: { "items": JSON.stringify(data_array), "csrf_token": csrf_token },
url: '/api/v1/' + api_url, url: '/api/v1/' + api_url,
jsonp: false, jsonp: false,
complete: function (data) { complete: function (data) {

View File

@ -172,6 +172,7 @@ $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
<?php <?php
$lang_mailbox = json_encode($lang['mailbox']); $lang_mailbox = json_encode($lang['mailbox']);
echo "var lang = ". $lang_mailbox . ";\n"; echo "var lang = ". $lang_mailbox . ";\n";
echo "var csrf_token = '". $_SESSION['CSRF']['TOKEN'] . "';\n";
$role = ($_SESSION['mailcow_cc_role'] == "admin") ? 'admin' : 'domainadmin'; $role = ($_SESSION['mailcow_cc_role'] == "admin") ? 'admin' : 'domainadmin';
echo "var role = '". $role . "';\n"; echo "var role = '". $role . "';\n";
echo "var pagination_size = '". $PAGINATION_SIZE . "';\n"; echo "var pagination_size = '". $PAGINATION_SIZE . "';\n";