From 2c93f0a98f0f6380fd07ea17fd16afa2c6e4925b Mon Sep 17 00:00:00 2001 From: canyonknight Date: Sat, 23 Jun 2012 14:40:11 -0400 Subject: Implement token system to fix CSRF vulnerabilities Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight Signed-off-by: Lukas Fleischer --- web/html/packages.php | 70 ++++++++++++++++++++++++++------------------------- 1 file changed, 36 insertions(+), 34 deletions(-) (limited to 'web/html/packages.php') diff --git a/web/html/packages.php b/web/html/packages.php index dc06c7e..7f31d3d 100644 --- a/web/html/packages.php +++ b/web/html/packages.php @@ -36,46 +36,48 @@ if (isset($_POST['IDs'])) { # Determine what action to do $output = ""; -if (current_action("do_Flag")) { - $output = pkg_flag($atype, $ids, true); -} elseif (current_action("do_UnFlag")) { - $output = pkg_flag($atype, $ids, False); -} elseif (current_action("do_Adopt")) { - $output = pkg_adopt($atype, $ids, true); -} elseif (current_action("do_Disown")) { - $output = pkg_adopt($atype, $ids, False); -} elseif (current_action("do_Vote")) { - $output = pkg_vote($atype, $ids, true); -} elseif (current_action("do_UnVote")) { - $output = pkg_vote($atype, $ids, False); -} elseif (current_action("do_Delete")) { - if (isset($_POST['confirm_Delete'])) { - if (!isset($_POST['merge_Into']) || empty($_POST['merge_Into'])) { - $output = pkg_delete($atype, $ids, NULL); - unset($_GET['ID']); - } - else { - $mergepkgid = pkgid_from_name($_POST['merge_Into']); - if ($mergepkgid) { - $output = pkg_delete($atype, $ids, $mergepkgid); +if (check_token()) { + if (current_action("do_Flag")) { + $output = pkg_flag($atype, $ids, true); + } elseif (current_action("do_UnFlag")) { + $output = pkg_flag($atype, $ids, False); + } elseif (current_action("do_Adopt")) { + $output = pkg_adopt($atype, $ids, true); + } elseif (current_action("do_Disown")) { + $output = pkg_adopt($atype, $ids, False); + } elseif (current_action("do_Vote")) { + $output = pkg_vote($atype, $ids, true); + } elseif (current_action("do_UnVote")) { + $output = pkg_vote($atype, $ids, False); + } elseif (current_action("do_Delete")) { + if (isset($_POST['confirm_Delete'])) { + if (!isset($_POST['merge_Into']) || empty($_POST['merge_Into'])) { + $output = pkg_delete($atype, $ids, NULL); unset($_GET['ID']); } else { - $output = __("Cannot find package to merge votes and comments into."); + $mergepkgid = pkgid_from_name($_POST['merge_Into']); + if ($mergepkgid) { + $output = pkg_delete($atype, $ids, $mergepkgid); + unset($_GET['ID']); + } + else { + $output = __("Cannot find package to merge votes and comments into."); + } } } + else { + $output = __("The selected packages have not been deleted, check the confirmation checkbox."); + } + } elseif (current_action("do_Notify")) { + $output = pkg_notify($atype, $ids); + } elseif (current_action("do_UnNotify")) { + $output = pkg_notify($atype, $ids, False); + } elseif (current_action("do_DeleteComment")) { + $output = pkg_delete_comment($atype); + } elseif (current_action("do_ChangeCategory")) { + $output = pkg_change_category($atype); } - else { - $output = __("The selected packages have not been deleted, check the confirmation checkbox."); - } -} elseif (current_action("do_Notify")) { - $output = pkg_notify($atype, $ids); -} elseif (current_action("do_UnNotify")) { - $output = pkg_notify($atype, $ids, False); -} elseif (current_action("do_DeleteComment")) { - $output = pkg_delete_comment($atype); -} elseif (current_action("do_ChangeCategory")) { - $output = pkg_change_category($atype); } html_header($title); -- cgit v1.2.3-54-g00ecf