From 69b98efa35d48d794394df938741fdfc342cfb84 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Tue, 27 Aug 2013 02:18:59 +0200
Subject: Re-add CRSF tokens to most package actions

We fixed all known CRSF vulnerabilities in commit 2c93f0a (Implement
token system to fix CSRF vulnerabilities, 2012-06-23). c349cb2 (Add
virtual path support for package actions, 2012-07-17) partly reverted
this by injecting a valid CRSF token when virtual paths are in use.

This patch allows for keeping the virtual path feature, while
reintroducing POST forms and CRSF tokens. Actions like package flagging,
votes and notifications are no longer prone to CRSF (see FS#35437 for
details).

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/template/pkg_details.php | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'web/template/pkg_details.php')

diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php
index bd54923..0484924 100644
--- a/web/template/pkg_details.php
+++ b/web/template/pkg_details.php
@@ -41,6 +41,7 @@ $sources = package_sources($row["ID"]);
 				<?php if ($row["OutOfDateTS"] === NULL): ?>
 				<li>
 					<form action="<?= get_pkg_uri($row['Name']) . 'flag/'; ?>" method="post">
+						<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
 						<input type="submit" class="button text-button" name="do_Flag" value="<?= __('Flag package out-of-date') ?>" />
 					</form>
 				</li>
@@ -48,6 +49,7 @@ $sources = package_sources($row["ID"]);
 				($uid == $row["MaintainerUID"] || $atype == "Trusted User" || $atype == "Developer")): ?>
 				<li>
 					<form action="<?= get_pkg_uri($row['Name']) . 'unflag/'; ?>" method="post">
+						<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
 						<input type="submit" class="button text-button" name="do_UnFlag" value="<?= __('Unflag package') ?>" />
 					</form>
 				</li>
@@ -55,12 +57,14 @@ $sources = package_sources($row["ID"]);
 				<?php if (user_voted($uid, $row['ID'])): ?>
 				<li>
 					<form action="<?= get_pkg_uri($row['Name']) . 'unvote/'; ?>" method="post">
+						<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
 						<input type="submit" class="button text-button" name="do_UnVote" value="<?= __('Remove vote') ?>" />
 					</form>
 				</li>
 				<?php else: ?>
 				<li>
 					<form action="<?= get_pkg_uri($row['Name']) . 'vote/'; ?>" method="post">
+						<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
 						<input type="submit" class="button text-button" name="do_Vote" value="<?= __('Vote for this package') ?>" />
 					</form>
 				</li>
@@ -68,12 +72,14 @@ $sources = package_sources($row["ID"]);
 				<?php if (user_notify($uid, $row['ID'])): ?>
 				<li>
 					<form action="<?= get_pkg_uri($row['Name']) . 'unnotify/'; ?>" method="post">
+						<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
 						<input type="submit" class="button text-button" name="do_UnNotify" value="<?= __('Disable notifications') ?>" />
 					</form>
 				</li>
 				<?php else: ?>
 				<li>
 					<form action="<?= get_pkg_uri($row['Name']) . 'notify/'; ?>" method="post">
+						<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
 						<input type="submit" class="button text-button" name="do_Notify" value="<?= __('Notify of new comments') ?>" />
 					</form>
 				</li>
-- 
cgit v1.2.3-54-g00ecf