Contacts: implemented CSRF prevention.

2025-01-30 19:52:17 +01:00 · 2012-06-13 17:35:42 +02:00 · 2012-06-13 17:35:42 +02:00 · aa73a32b89
commit aa73a32b89
parent f3e19ca230
14 changed files with 52 additions and 6 deletions
--- a/ajax/activation.php
+++ b/ajax/activation.php
@ -10,6 +10,7 @@
 
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();

 $bookid = $_POST['bookid'];
 $book = OC_Contacts_App::getAddressbook($bookid);// is owner access check
--- a/ajax/addcontact.php
+++ b/ajax/addcontact.php
@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();

 $aid = isset($_POST['aid'])?$_POST['aid']:null;
 if(!$aid) {
--- a/ajax/addproperty.php
+++ b/ajax/addproperty.php
@ -23,6 +23,16 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+foreach($_SERVER as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_POST as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_GET as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+OCP\JSON::callCheck();

 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));
--- a/ajax/createaddressbook.php
+++ b/ajax/createaddressbook.php
@ -11,6 +11,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();

 $userid = OCP\USER::getUser();
 $name = trim(strip_tags($_POST['name']));
--- a/ajax/cropphoto.php
+++ b/ajax/cropphoto.php
@ -25,10 +25,12 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');

 $tmpkey = $_GET['tmpkey'];
+$requesttoken = $_GET['requesttoken'];
 $id = $_GET['id'];
 $tmpl = new OCP\Template("contacts", "part.cropphoto");
 $tmpl->assign('tmpkey', $tmpkey);
 $tmpl->assign('id', $id);
+$tmpl->assign('requesttoken', $requesttoken);
 $page = $tmpl->fetchPage();

 OCP\JSON::success(array('data' => array( 'page' => $page )));
--- a/ajax/deletebook.php
+++ b/ajax/deletebook.php
@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();

 //$id = $_GET['id'];
 $id = $_POST['id'];
--- a/ajax/deletecard.php
+++ b/ajax/deletecard.php
@ -28,6 +28,17 @@ function bailOut($msg) {
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
+// foreach($_SERVER as $key=>$value) {
+// 	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.$value, OCP\Util::DEBUG);
+// }
+foreach($_POST as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_GET as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}

 $id = isset($_POST['id'])?$_POST['id']:null;
 if(!$id) {
--- a/ajax/deleteproperty.php
+++ b/ajax/deleteproperty.php
@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();

 $id = $_POST['id'];
 $checksum = $_POST['checksum'];
--- a/ajax/savecrop.php
+++ b/ajax/savecrop.php
@ -22,6 +22,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();

 // Firefox and Konqueror tries to download application/json for me.  --Arthur
 OCP\JSON::setContentTypeHeader('text/plain');
--- a/ajax/saveproperty.php
+++ b/ajax/saveproperty.php
@ -20,10 +20,6 @@
 *
 */

-// Check if we are a user
-OCP\JSON::checkLoggedIn();
-OCP\JSON::checkAppEnabled('contacts');
-
 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));
 	OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
@ -33,6 +29,21 @@ function debug($msg) {
 	OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
 }

+// Check if we are a user
+OCP\JSON::checkLoggedIn();
+OCP\JSON::checkAppEnabled('contacts');
+
+foreach($_SERVER as $key=>$value) {
+	debug('_SERVER: '.$key.'=>'.print_r($value, true));
+}
+foreach($_POST as $key=>$value) {
+	debug('_POST: '.$key.'=>'.print_r($value, true));
+}
+foreach($_GET as $key=>$value) {
+	debug('_GET: '.$key.'=>'.print_r($value, true));
+}
+OCP\JSON::callCheck();
+
 $id = isset($_POST['id'])?$_POST['id']:null;
 $name = isset($_POST['name'])?$_POST['name']:null;
 $value = isset($_POST['value'])?$_POST['value']:null;
--- a/ajax/uploadphoto.php
+++ b/ajax/uploadphoto.php
@ -23,6 +23,8 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
 // Firefox and Konqueror tries to download application/json for me.  --Arthur
 OCP\JSON::setContentTypeHeader('text/plain');
 function bailOut($msg) {
--- a/js/contacts.js
+++ b/js/contacts.js
@ -622,7 +622,7 @@ Contacts={
 				q = q + '&id=' + this.id + '&name=' + name;
 				if(checksum != undefined && checksum != '') { // save
 					q = q + '&checksum=' + checksum;
-					//console.log('Saving: ' + q);
+					console.log('Saving: ' + q);
 					$(obj).attr('disabled', 'disabled');
 					$.post(OC.filePath('contacts', 'ajax', 'saveproperty.php'),q,function(jsondata){
 						if(jsondata.status == 'success'){
@ -640,7 +640,7 @@ Contacts={
 						}
 					},'json');
 				} else { // add
-					//console.log('Adding: ' + q);
+					console.log('Adding: ' + q);
 					$(obj).attr('disabled', 'disabled');
 					$.post(OC.filePath('contacts', 'ajax', 'addproperty.php'),q,function(jsondata){
 						if(jsondata.status == 'success'){
--- a/templates/part.contact.php
+++ b/templates/part.contact.php
@ -3,6 +3,7 @@ $id = isset($_['id']) ? $_['id'] : '';
 ?>
 <div id="card">
 	<form class="float" id="file_upload_form" action="<?php echo OCP\Util::linkTo('contacts', 'ajax/uploadphoto.php'); ?>" method="post" enctype="multipart/form-data" target="file_upload_target">
+		<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
 		<input type="hidden" name="id" value="<?php echo $_['id'] ?>">
 		<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $_['uploadMaxFilesize'] ?>" id="max_upload">
 		<input type="hidden" class="max_human_file_size" value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)">
@ -23,6 +24,7 @@ $id = isset($_['id']) ? $_['id'] : '';
 	<div id="contact_identity" class="contactsection">
 	<form method="post">
 	<input type="hidden" name="id" value="<?php echo $_['id'] ?>">
+	<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
 	<fieldset id="ident" class="contactpart">
 	<span class="propertycontainer" data-element="N"><input type="hidden" id="n" class="contacts_property" name="value" value="" /></span>
 	<span id="name" class="propertycontainer" data-element="FN">
--- a/templates/part.cropphoto.php
+++ b/templates/part.cropphoto.php
@ -1,6 +1,7 @@
 <?php 
 $id = $_['id'];
 $tmpkey = $_['tmpkey'];
+$csrf_token = $_GET['csrf_token'];
 OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey, OCP\Util::DEBUG);
 ?>
 <script language="Javascript">
@ -48,6 +49,7 @@ OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey,
 	action="<?php echo OCP\Util::linkToAbsolute('contacts', 'ajax/savecrop.php'); ?>">

 	<input type="hidden" id="id" name="id" value="<?php echo $id; ?>" />
+	<input type="hidden" name="requesttoken" value="<?php echo $csrf_token; ?>">
 	<input type="hidden" id="tmpkey" name="tmpkey" value="<?php echo $tmpkey; ?>" />
 	<fieldset id="coords">
 	<input type="hidden" id="x1" name="x1" value="" />