Implement token system to fix CSRF vulnerabilities

Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.

Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

1 files changed, 36 insertions, 34 deletions

diff --git a/web/html/packages.php b/web/html/packages.php
index dc06c7e..7f31d3d 100644
--- a/web/html/packages.php
+++ b/web/html/packages.php
@@ -36,46 +36,48 @@ if (isset($_POST['IDs'])) {
 
 # Determine what action to do
 $output = "";
-if (current_action("do_Flag")) {
-	$output = pkg_flag($atype, $ids, true);
-} elseif (current_action("do_UnFlag")) {
-	$output = pkg_flag($atype, $ids, False);
-} elseif (current_action("do_Adopt")) {
-	$output = pkg_adopt($atype, $ids, true);
-} elseif (current_action("do_Disown")) {
-	$output = pkg_adopt($atype, $ids, False);
-} elseif (current_action("do_Vote")) {
-	$output = pkg_vote($atype, $ids, true);
-} elseif (current_action("do_UnVote")) {
-	$output = pkg_vote($atype, $ids, False);
-} elseif (current_action("do_Delete")) {
-	if (isset($_POST['confirm_Delete'])) {
-		if (!isset($_POST['merge_Into']) || empty($_POST['merge_Into'])) {
-			$output = pkg_delete($atype, $ids, NULL);
-			unset($_GET['ID']);
-		}
-		else {
-			$mergepkgid = pkgid_from_name($_POST['merge_Into']);
-			if ($mergepkgid) {
-				$output = pkg_delete($atype, $ids, $mergepkgid);
+if (check_token()) {
+	if (current_action("do_Flag")) {
+		$output = pkg_flag($atype, $ids, true);
+	} elseif (current_action("do_UnFlag")) {
+		$output = pkg_flag($atype, $ids, False);
+	} elseif (current_action("do_Adopt")) {
+		$output = pkg_adopt($atype, $ids, true);
+	} elseif (current_action("do_Disown")) {
+		$output = pkg_adopt($atype, $ids, False);
+	} elseif (current_action("do_Vote")) {
+		$output = pkg_vote($atype, $ids, true);
+	} elseif (current_action("do_UnVote")) {
+		$output = pkg_vote($atype, $ids, False);
+	} elseif (current_action("do_Delete")) {
+		if (isset($_POST['confirm_Delete'])) {
+			if (!isset($_POST['merge_Into']) || empty($_POST['merge_Into'])) {
+				$output = pkg_delete($atype, $ids, NULL);
 				unset($_GET['ID']);
 			}
 			else {
-				$output = __("Cannot find package to merge votes and comments into.");
+				$mergepkgid = pkgid_from_name($_POST['merge_Into']);
+				if ($mergepkgid) {
+					$output = pkg_delete($atype, $ids, $mergepkgid);
+					unset($_GET['ID']);
+				}
+				else {
+					$output = __("Cannot find package to merge votes and comments into.");
+				}
 			}
 		}
+		else {
+			$output = __("The selected packages have not been deleted, check the confirmation checkbox.");
+		}
+	} elseif (current_action("do_Notify")) {
+		$output = pkg_notify($atype, $ids);
+	} elseif (current_action("do_UnNotify")) {
+		$output = pkg_notify($atype, $ids, False);
+	} elseif (current_action("do_DeleteComment")) {
+		$output = pkg_delete_comment($atype);
+	} elseif (current_action("do_ChangeCategory")) {
+		$output = pkg_change_category($atype);
 	}
-	else {
-		$output = __("The selected packages have not been deleted, check the confirmation checkbox.");
-	}
-} elseif (current_action("do_Notify")) {
-	$output = pkg_notify($atype, $ids);
-} elseif (current_action("do_UnNotify")) {
-	$output = pkg_notify($atype, $ids, False);
-} elseif (current_action("do_DeleteComment")) {
-	$output = pkg_delete_comment($atype);
-} elseif (current_action("do_ChangeCategory")) {
-	$output = pkg_change_category($atype);
 }
 
 html_header($title);