Implement token system to fix CSRF vulnerabilities

Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.

Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

1 files changed, 3 insertions, 2 deletions

diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php
index d3b602c..6081643 100644
--- a/web/template/pkg_comment_form.php
+++ b/web/template/pkg_comment_form.php
@@ -1,6 +1,6 @@
 <?php
 # Add a comment to this package
-if (isset($_REQUEST['comment'])) {
+if (isset($_REQUEST['comment']) && check_token()) {
 
 	# Insert the comment
 	$dbh = db_connect();
@@ -53,13 +53,14 @@ if (isset($_REQUEST['comment'])) {
 	<form action='<?php echo $_SERVER['REQUEST_URI'] ?>' method='post'>
 	<div style="padding: 1%">
 <?php
-if (isset($_REQUEST['comment'])) {
+if (isset($_REQUEST['comment']) && check_token()) {
 	echo '<b>' . __('Comment has been added.') . '</b>';
 }
 ?>
 	<input type='hidden' name='ID' value="<?php echo intval($_REQUEST['ID']) ?>" />
 	<?php echo __('Enter your comment below.') ?><br />
 	<textarea name='comment' cols='80' rows='10' style="width: 100%"></textarea><br />
+	<input type='hidden' name='token' value='<?php echo htmlspecialchars($_COOKIE['AURSID']) ?>' />
 	<input type='submit' value="<?php echo __("Submit") ?>" />
 	<input type='reset' value="<?php echo __("Reset") ?>" />
 	</div>