prevent CSRF for setup and admin site configuration

This commit is contained in:
Ralf Becker 2014-05-01 06:26:09 +00:00
parent 61198e3684
commit 544d57ca46
14 changed files with 125 additions and 5 deletions

View File

@ -21,6 +21,12 @@ class uiconfig
// allowing inline js // allowing inline js
egw_framework::csp_script_src_attrs('unsafe-inline'); egw_framework::csp_script_src_attrs('unsafe-inline');
// for POST requests validate CSRF token (or terminate request)
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
egw_csrf::validate($_POST['csrf_token'], __CLASS__);
}
if (empty($_GET['appname']) && isset($params['appname'])) if (empty($_GET['appname']) && isset($params['appname']))
{ {
$_appname = $params['appname']; $_appname = $params['appname'];
@ -172,7 +178,8 @@ class uiconfig
$t->set_var('th_text', $GLOBALS['egw_info']['theme']['th_text']); $t->set_var('th_text', $GLOBALS['egw_info']['theme']['th_text']);
$t->set_var('row_on', $GLOBALS['egw_info']['theme']['row_on']); $t->set_var('row_on', $GLOBALS['egw_info']['theme']['row_on']);
$t->set_var('row_off', $GLOBALS['egw_info']['theme']['row_off']); $t->set_var('row_off', $GLOBALS['egw_info']['theme']['row_off']);
$t->set_var('hidden_vars','<input type="hidden" name="referer" value="'.$referer.'">'); $t->set_var('hidden_vars', html::input_hidden('referer', $referer).
html::input_hidden('csrf_token', egw_csrf::token(__CLASS__)));
$vars = $t->get_undefined('body'); $vars = $t->get_undefined('body');

View File

@ -0,0 +1,71 @@
<?php
/**
* EGroupware API: CSRF (Cross Site Request Forgery) protection
*
* @link http://www.egroupware.org
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
* @package api
* @author Ralf Becker <rb@stylite.de>
* @copyright (c) 2014 by Ralf Becker <rb@stylite.de>
* @version $Id$
*/
/**
* Class supplying methods to prevent successful CSRF by requesting a random token,
* stored on server and validated when request get posted.
*
* CSRF token generation used openssl_random_pseudo_bytes, if available, otherwise
* mt_rand based auth::randomstring is used.
*
* CSRF tokens are stored (incl. optional purpose) in user session.
*
* If a token does not validate (incl. purpose, if specified in generation)
* the request will be imediatly terminated.
*/
class egw_csrf
{
/**
* Get a CSRF token for an optional $purpose, which can be validated
*
* @param mixed $_purpose=true if given it need to be used in validate too! (It must NOT be NULL)
* @return string CSRF token
*/
public static function token($_purpose=true)
{
if (is_null($_purpose))
{
throw new egw_exception_wrong_parameter(__METHOD__.'(NULL) $_purspose must NOT be NULL!');
}
// generate random token (using oppenssl if available otherwise mt_rand based auth::randomstring)
$token = function_exists('openssl_random_pseudo_bytes') ?
base64_encode(openssl_random_pseudo_bytes(64)) :
auth::randomstring(64);
// store it in session for later validation
egw_cache::setSession(__CLASS__, $token, $_purpose);
return $token;
}
/**
* Validate a CSRF token or teminate the request
*
* @param string $_token CSRF token generated with egw_csfr::token()
* @param string $_purpose=true optional purpose string passed to token method
* @param boolean $_delete_token=true true if token should be deleted after validation, it will validate no second time
*/
public static function validate($_token, $_purpose=true, $_delete_token=true)
{
$stored_purpose = egw_cache::getSession(__CLASS__, $_token);
// if token and purpose dont validate, log and terminate request
if (!isset($stored_purpose) || $stored_purpose !== $_purpose)
{
error_log('CSRF detected from IP '.$_SERVER['REMOTE_ADDR'].' to '.$_SERVER['REQUEST_METHOD'].' '.$_SERVER['REQUEST_URI']);
if ($_POST) error_log(array2string($_POST));
// we are not throwing an exception here, but die, to not allow catching it!
die("CSRF detected, request terminated!");
}
if ($_delete_token) egw_cache::unsetTree (__CLASS__, $_token);
}
}

View File

@ -29,6 +29,13 @@ $setup_tpl->set_file(array(
'T_footer' => 'footer.tpl', 'T_footer' => 'footer.tpl',
'T_alert_msg' => 'msg_alert_msg.tpl' 'T_alert_msg' => 'msg_alert_msg.tpl'
)); ));
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
// check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!)
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST)
{
egw_csrf::validate($_POST['csrf_token'], __FILE__);
}
// determine from where we migrate to what // determine from where we migrate to what
if (!is_object($GLOBALS['egw_setup']->db)) if (!is_object($GLOBALS['egw_setup']->db))

View File

@ -26,6 +26,12 @@ if (strpos($_SERVER['PHP_SELF'],'admin_account.php') !== false)
$error = ''; $error = '';
if ($_POST['submit']) if ($_POST['submit'])
{ {
// for POST (not GET or cli call via setup_cmd_admin) validate CSRF token
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
egw_csrf::validate($_POST['csrf_token'], __FILE__);
}
/* Posted admin data */ /* Posted admin data */
$passwd = get_var('passwd',Array('POST')); $passwd = get_var('passwd',Array('POST'));
$passwd2 = get_var('passwd2',Array('POST')); $passwd2 = get_var('passwd2',Array('POST'));
@ -83,6 +89,8 @@ if(!$_POST['submit'] || $error)
$setup_tpl->set_var('create_demo_accounts',lang('Create demo accounts')); $setup_tpl->set_var('create_demo_accounts',lang('Create demo accounts'));
$setup_tpl->set_var('demo_desc',lang('The username/passwords are: demo/guest, demo2/guest and demo3/guest.')); $setup_tpl->set_var('demo_desc',lang('The username/passwords are: demo/guest, demo2/guest and demo3/guest.'));
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
$setup_tpl->set_var('lang_submit',lang('Save')); $setup_tpl->set_var('lang_submit',lang('Save'));
$setup_tpl->set_var('lang_cancel',lang('Cancel')); $setup_tpl->set_var('lang_cancel',lang('Cancel'));
$setup_tpl->pparse('out','T_admin_account'); $setup_tpl->pparse('out','T_admin_account');

View File

@ -40,6 +40,13 @@ $setup_tpl->set_file(array(
'T_login_stage_header' => 'login_stage_header.tpl', 'T_login_stage_header' => 'login_stage_header.tpl',
'T_setup_main' => 'applications.tpl' 'T_setup_main' => 'applications.tpl'
)); ));
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
// check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!)
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST)
{
egw_csrf::validate($_POST['csrf_token'], __FILE__);
}
$setup_tpl->set_block('T_login_stage_header','B_multi_domain','V_multi_domain'); $setup_tpl->set_block('T_login_stage_header','B_multi_domain','V_multi_domain');
$setup_tpl->set_block('T_login_stage_header','B_single_domain','V_single_domain'); $setup_tpl->set_block('T_login_stage_header','B_single_domain','V_single_domain');

View File

@ -32,6 +32,13 @@ $setup_tpl->set_file(array(
'T_config_pre_script' => 'config_pre_script.tpl', 'T_config_pre_script' => 'config_pre_script.tpl',
'T_config_post_script' => 'config_post_script.tpl' 'T_config_post_script' => 'config_post_script.tpl'
)); ));
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
// check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!)
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST)
{
egw_csrf::validate($_POST['csrf_token'], __FILE__);
}
/* Following to ensure windows file paths are saved correctly */ /* Following to ensure windows file paths are saved correctly */
if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime()) if (function_exists('get_magic_quotes_runtime') && get_magic_quotes_runtime())
@ -132,16 +139,14 @@ $setup_tpl->pparse('out','T_config_pre_script');
/* Now parse each of the templates we want to show here */ /* Now parse each of the templates we want to show here */
class phpgw class phpgw
{ {
var $common;
var $accounts; var $accounts;
var $applications; var $applications;
var $db; var $db;
} }
$GLOBALS['egw'] = new phpgw; $GLOBALS['egw'] = new phpgw;
$GLOBALS['egw']->common =& CreateObject('phpgwapi.common');
$GLOBALS['egw']->db =& $GLOBALS['egw_setup']->db; $GLOBALS['egw']->db =& $GLOBALS['egw_setup']->db;
$t = CreateObject('phpgwapi.Template',$GLOBALS['egw']->common->get_tpl_dir('setup')); $t = CreateObject('phpgwapi.Template', common::get_tpl_dir('setup'));
$t->set_unknowns('keep'); $t->set_unknowns('keep');
$t->set_file(array('config' => 'config.tpl')); $t->set_file(array('config' => 'config.tpl'));

View File

@ -49,6 +49,13 @@ $setup_tpl->set_file(array(
'T_footer' => 'footer.tpl', 'T_footer' => 'footer.tpl',
'T_db_backup' => 'db_backup.tpl', 'T_db_backup' => 'db_backup.tpl',
)); ));
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
// check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!)
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST)
{
egw_csrf::validate($_POST['csrf_token'], __FILE__);
}
$setup_tpl->set_block('T_db_backup','schedule_row','schedule_rows'); $setup_tpl->set_block('T_db_backup','schedule_row','schedule_rows');
$setup_tpl->set_block('T_db_backup','set_row','set_rows'); $setup_tpl->set_block('T_db_backup','set_row','set_rows');

View File

@ -268,6 +268,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db'])
$setup_tpl->set_var('V_db_filled_block',$db_filled_block); $setup_tpl->set_var('V_db_filled_block',$db_filled_block);
break; break;
case 5: case 5:
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
$setup_tpl->set_var('are_you_sure',lang('ARE YOU SURE?')); $setup_tpl->set_var('are_you_sure',lang('ARE YOU SURE?'));
$setup_tpl->set_var('really_uninstall_all_applications',lang('REALLY Uninstall all applications')); $setup_tpl->set_var('really_uninstall_all_applications',lang('REALLY Uninstall all applications'));
$setup_tpl->set_var('dropwarn',lang('Your tables will be dropped and you will lose data')); $setup_tpl->set_var('dropwarn',lang('Your tables will be dropped and you will lose data'));
@ -292,6 +293,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db'])
!preg_match('/^[0-9.a-z_]+$/i', $_POST['db_grant_host']) ? 'localhost' : $_POST['db_grant_host']); !preg_match('/^[0-9.a-z_]+$/i', $_POST['db_grant_host']) ? 'localhost' : $_POST['db_grant_host']);
break; break;
case 'drop': case 'drop':
egw_csrf::validate($_POST['csrf_token'], __FILE__);
$setup_info = $GLOBALS['egw_setup']->detection->get_versions($setup_info); $setup_info = $GLOBALS['egw_setup']->detection->get_versions($setup_info);
$setup_info = $GLOBALS['egw_setup']->process->droptables($setup_info); $setup_info = $GLOBALS['egw_setup']->process->droptables($setup_info);
break; break;

View File

@ -1,5 +1,6 @@
<!-- BEGIN header --> <!-- BEGIN header -->
<form action="{action_url}" method="post"> <form action="{action_url}" method="post">
{hidden_vars}
<table border="0" align="center" width="70%"> <table border="0" align="center" width="70%">
<tr bgcolor="#486591"> <tr bgcolor="#486591">
<td colspan="2" align="center"><b><font color="#fefefe">{description}</font></b></td> <td colspan="2" align="center"><b><font color="#fefefe">{description}</font></b></td>

View File

@ -1,5 +1,6 @@
<!-- BEGIN admin_account --> <!-- BEGIN admin_account -->
<form method="post" action="{action_url}"> <form method="post" action="{action_url}">
{hidden_vars}
<table border="0" width="90%" cellspacing="0" cellpadding="2"> <table border="0" width="90%" cellspacing="0" cellpadding="2">
<tr> <tr>
<td> <td>

View File

@ -29,6 +29,7 @@ function check_all(which)
</tr> </tr>
</table> </table>
<form name="apps" method="post" action="{action_url}"> <form name="apps" method="post" action="{action_url}">
{hidden_vars}
<table width="90%" cellspacing="0" cellpadding="2"> <table width="90%" cellspacing="0" cellpadding="2">
<!-- END header --> <!-- END header -->

View File

@ -1,5 +1,6 @@
<!-- begin config_pre_script.tpl --> <!-- begin config_pre_script.tpl -->
<form method="post" action="config.php"> <form method="post" action="config.php">
{hidden_vars}
<table border="0" align="center" cellspacing="0" width="90%"> <table border="0" align="center" cellspacing="0" width="90%">
<!-- end config_pre_script.tpl --> <!-- end config_pre_script.tpl -->

View File

@ -70,6 +70,7 @@ function sort_table(id)
</script> </script>
<form method="post" name="backup_form" action="{self}" enctype="multipart/form-data"> <form method="post" name="backup_form" action="{self}" enctype="multipart/form-data">
{hidden_vars}
<input name="sortedby" id="sortedby" type="hidden" /> <input name="sortedby" id="sortedby" type="hidden" />
<table border="0" align="center" width="98%" cellpadding="5"> <table border="0" align="center" width="98%" cellpadding="5">
<!-- BEGIN setup_header --> <!-- BEGIN setup_header -->

View File

@ -142,6 +142,7 @@
</td> </td>
<td> <td>
<form action="index.php" method="post"> <form action="index.php" method="post">
{hidden_vars}
<input type="hidden" name="oldversion" value="new" /> <input type="hidden" name="oldversion" value="new" />
<input type="hidden" name="action" value="REALLY Uninstall all applications" /> <input type="hidden" name="action" value="REALLY Uninstall all applications" />
<input type="submit" name="label" value="{really_uninstall_all_applications}" /> {dropwarn} <input type="submit" name="label" value="{really_uninstall_all_applications}" /> {dropwarn}