mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-11-07 08:34:42 +01:00
move egw_csrf class to Api\Csrf without a compatibility class
This commit is contained in:
Ralf Becker
parent
0f2131e29a
commit
ed8f6f45c4
@ -9,6 +9,8 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
/**
|
||||
* Site configuration for all apps using an $app/templates/default/config.tpl
|
||||
*/
|
||||
@ -24,7 +26,7 @@ class uiconfig
|
||||
// for POST requests validate CSRF token (or terminate request)
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'POST')
|
||||
{
|
||||
egw_csrf::validate($_POST['csrf_token'], __CLASS__);
|
||||
Api\Csrf::validate($_POST['csrf_token'], __CLASS__);
|
||||
}
|
||||
|
||||
if (empty($_GET['appname']) && isset($params['appname']))
|
||||
@ -44,7 +46,7 @@ class uiconfig
|
||||
// load the translations of the app we show too, so they dont need to be in admin!
|
||||
if ($_appname != 'admin')
|
||||
{
|
||||
translation::add_app($_appname);
|
||||
Api\Translation::add_app($_appname);
|
||||
}
|
||||
|
||||
if(get_magic_quotes_gpc() && is_array($_POST['newsettings']))
|
||||
@ -103,7 +105,7 @@ class uiconfig
|
||||
// fix footer submit buttons to just {submit} {cancel}
|
||||
$t->set_var('footer', preg_replace('/<input[^>]+value="{lang_(submit|cancel)}"[^>]*>/', '{$1}', $t->get_var('footer')));
|
||||
|
||||
$c = new config($config_appname);
|
||||
$c = new Api\Config($config_appname);
|
||||
$c->read_repository();
|
||||
if ($_POST['cancel'] || ($_POST['submit'] || $_POST['save'] || $_POST['apply']) && $GLOBALS['egw']->acl->check('site_config_acce',2,'admin'))
|
||||
{
|
||||
@ -177,7 +179,7 @@ class uiconfig
|
||||
$t->set_var('th_text', $GLOBALS['egw_info']['theme']['th_text']);
|
||||
$t->set_var('row_on', $GLOBALS['egw_info']['theme']['row_on']);
|
||||
$t->set_var('row_off', $GLOBALS['egw_info']['theme']['row_off']);
|
||||
$t->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__CLASS__)));
|
||||
$t->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__CLASS__)));
|
||||
|
||||
$vars = $t->get_undefined('body');
|
||||
|
||||
|
||||
@ -6,10 +6,15 @@
|
||||
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
||||
* @package api
|
||||
* @author Ralf Becker <rb@stylite.de>
|
||||
* @copyright (c) 2014 by Ralf Becker <rb@stylite.de>
|
||||
* @copyright (c) 2014-16 by Ralf Becker <rb@stylite.de>
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api;
|
||||
|
||||
// explicitly reference classes still in phpgwapi
|
||||
use auth;
|
||||
|
||||
/**
|
||||
* Class supplying methods to prevent successful CSRF by requesting a random token,
|
||||
* stored on server and validated when request get posted.
|
||||
@ -22,12 +27,12 @@
|
||||
* If a token does not validate (incl. purpose, if specified in generation)
|
||||
* the request will be imediatly terminated.
|
||||
*/
|
||||
class egw_csrf
|
||||
class Csrf
|
||||
{
|
||||
/**
|
||||
* Get a CSRF token for an optional $purpose, which can be validated
|
||||
*
|
||||
* @param mixed $_purpose=true if given it need to be used in validate too! (It must NOT be NULL)
|
||||
* @param mixed $_purpose =true if given it need to be used in validate too! (It must NOT be NULL)
|
||||
* @return string CSRF token
|
||||
*/
|
||||
public static function token($_purpose=true)
|
||||
@ -42,7 +47,7 @@ class egw_csrf
|
||||
auth::randomstring(64);
|
||||
|
||||
// store it in session for later validation
|
||||
egw_cache::setSession(__CLASS__, $token, $_purpose);
|
||||
Cache::setSession(__CLASS__, $token, $_purpose);
|
||||
|
||||
return $token;
|
||||
}
|
||||
@ -50,13 +55,13 @@ class egw_csrf
|
||||
/**
|
||||
* Validate a CSRF token or teminate the request
|
||||
*
|
||||
* @param string $_token CSRF token generated with egw_csfr::token()
|
||||
* @param string $_purpose=true optional purpose string passed to token method
|
||||
* @param boolean $_delete_token=true true if token should be deleted after validation, it will validate no second time
|
||||
* @param string $_token CSRF token generated with egw_csrf::token()
|
||||
* @param string $_purpose =true optional purpose string passed to token method
|
||||
* @param boolean $_delete_token =true true if token should be deleted after validation, it will validate no second time
|
||||
*/
|
||||
public static function validate($_token, $_purpose=true, $_delete_token=true)
|
||||
{
|
||||
$stored_purpose = egw_cache::getSession(__CLASS__, $_token);
|
||||
$stored_purpose = Cache::getSession(__CLASS__, $_token);
|
||||
|
||||
// if token and purpose dont validate, log and terminate request
|
||||
if (!isset($stored_purpose) || $stored_purpose !== $_purpose)
|
||||
@ -66,6 +71,6 @@ class egw_csrf
|
||||
// we are not throwing an exception here, but die, to not allow catching it!
|
||||
die("CSRF detected, request terminated!");
|
||||
}
|
||||
if ($_delete_token) egw_cache::unsetTree (__CLASS__, $_token);
|
||||
if ($_delete_token) Cache::unsetSession(__CLASS__, $_token);
|
||||
}
|
||||
}
|
||||
@ -11,6 +11,8 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
include('./inc/functions.inc.php');
|
||||
|
||||
// Authorize the user to use setup app and load the database
|
||||
@ -29,12 +31,12 @@ $setup_tpl->set_file(array(
|
||||
'T_footer' => 'footer.tpl',
|
||||
'T_alert_msg' => 'msg_alert_msg.tpl'
|
||||
));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__)));
|
||||
|
||||
// check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!)
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST)
|
||||
{
|
||||
egw_csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
Api\Csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
}
|
||||
|
||||
// determine from where we migrate to what
|
||||
|
||||
@ -10,6 +10,8 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
if (strpos($_SERVER['PHP_SELF'],'admin_account.php') !== false)
|
||||
{
|
||||
include('./inc/functions.inc.php');
|
||||
@ -29,7 +31,7 @@ if ($_POST['submit'])
|
||||
// for POST (not GET or cli call via setup_cmd_admin) validate CSRF token
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'POST')
|
||||
{
|
||||
egw_csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
Api\Csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
}
|
||||
|
||||
/* Posted admin data */
|
||||
@ -52,7 +54,7 @@ if ($_POST['submit'])
|
||||
if(!$_POST['submit'] || $error)
|
||||
{
|
||||
$tpl_root = $GLOBALS['egw_setup']->html->setup_tpl_dir('setup');
|
||||
$setup_tpl = CreateObject('phpgwapi.Template',$tpl_root);
|
||||
$setup_tpl = new Template($tpl_root);
|
||||
$setup_tpl->set_file(array(
|
||||
'T_head' => 'head.tpl',
|
||||
'T_footer' => 'footer.tpl',
|
||||
@ -89,7 +91,7 @@ if(!$_POST['submit'] || $error)
|
||||
$setup_tpl->set_var('create_demo_accounts',lang('Create demo accounts'));
|
||||
$setup_tpl->set_var('demo_desc',lang('The username/passwords are: demo/guest, demo2/guest and demo3/guest.'));
|
||||
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__)));
|
||||
|
||||
$setup_tpl->set_var('lang_submit',lang('Save'));
|
||||
$setup_tpl->set_var('lang_cancel',lang('Cancel'));
|
||||
|
||||
@ -10,6 +10,8 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
$DEBUG = @$_POST['debug'] || @$_GET['debug'];
|
||||
/*
|
||||
TODO: We allow a user to hose their setup here, need to make use
|
||||
@ -31,7 +33,7 @@ if (!$GLOBALS['egw_setup']->auth('Config'))
|
||||
// Does not return unless user is authorized
|
||||
|
||||
$tpl_root = $GLOBALS['egw_setup']->html->setup_tpl_dir('setup');
|
||||
$setup_tpl = CreateObject('phpgwapi.Template',$tpl_root);
|
||||
$setup_tpl = new Template($tpl_root);
|
||||
$setup_tpl->set_file(array(
|
||||
'T_head' => 'head.tpl',
|
||||
'T_footer' => 'footer.tpl',
|
||||
@ -40,12 +42,12 @@ $setup_tpl->set_file(array(
|
||||
'T_login_stage_header' => 'login_stage_header.tpl',
|
||||
'T_setup_main' => 'applications.tpl'
|
||||
));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__)));
|
||||
|
||||
// check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!)
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST)
|
||||
{
|
||||
egw_csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
Api\Csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
}
|
||||
|
||||
$setup_tpl->set_block('T_login_stage_header','B_multi_domain','V_multi_domain');
|
||||
|
||||
@ -10,6 +10,8 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
include('./inc/functions.inc.php');
|
||||
|
||||
/*
|
||||
@ -23,7 +25,7 @@ if(!$GLOBALS['egw_setup']->auth('Config') || @$_POST['cancel'])
|
||||
}
|
||||
|
||||
$tpl_root = $GLOBALS['egw_setup']->html->setup_tpl_dir('setup');
|
||||
$setup_tpl = CreateObject('phpgwapi.Template',$tpl_root);
|
||||
$setup_tpl = new Template($tpl_root);
|
||||
|
||||
$setup_tpl->set_file(array(
|
||||
'T_head' => 'head.tpl',
|
||||
@ -32,12 +34,12 @@ $setup_tpl->set_file(array(
|
||||
'T_config_pre_script' => 'config_pre_script.tpl',
|
||||
'T_config_post_script' => 'config_post_script.tpl'
|
||||
));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__)));
|
||||
|
||||
// check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!)
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST)
|
||||
{
|
||||
egw_csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
Api\Csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
}
|
||||
|
||||
/* Following to ensure windows file paths are saved correctly */
|
||||
@ -78,14 +80,14 @@ if(@get_var('submit',Array('POST')) && @$newsettings)
|
||||
/* Don't erase passwords, since we also do not print them below */
|
||||
if(!empty($value) || !(stristr($setting,'passwd') || stristr($setting,'password') || stristr($setting,'root_pw')))
|
||||
{
|
||||
config::save_value($setting, $value, 'phpgwapi');
|
||||
Api\Config::save_value($setting, $value, 'phpgwapi');
|
||||
}
|
||||
}
|
||||
if(!$GLOBALS['error'])
|
||||
{
|
||||
$GLOBALS['egw_setup']->db->transaction_commit();
|
||||
// unset cached config, as this is the primary source for configuration now
|
||||
egw_cache::unsetInstance('config', 'configs');
|
||||
Api\Cache::unsetInstance('config', 'configs');
|
||||
|
||||
Header('Location: index.php');
|
||||
exit;
|
||||
@ -119,7 +121,7 @@ class phpgw
|
||||
$GLOBALS['egw'] = new phpgw;
|
||||
$GLOBALS['egw']->db =& $GLOBALS['egw_setup']->db;
|
||||
|
||||
$t = CreateObject('phpgwapi.Template', common::get_tpl_dir('setup'));
|
||||
$t = new Template(common::get_tpl_dir('setup'));
|
||||
|
||||
$t->set_unknowns('keep');
|
||||
$t->set_file(array('config' => 'config.tpl'));
|
||||
|
||||
@ -45,18 +45,18 @@ if ($_POST['download'])
|
||||
readfile($file);
|
||||
exit;
|
||||
}
|
||||
$setup_tpl = CreateObject('phpgwapi.Template',$tpl_root);
|
||||
$setup_tpl = new Template($tpl_root);
|
||||
$setup_tpl->set_file(array(
|
||||
'T_head' => 'head.tpl',
|
||||
'T_footer' => 'footer.tpl',
|
||||
'T_db_backup' => 'db_backup.tpl',
|
||||
));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__)));
|
||||
|
||||
// check CSRF token for POST requests with any content (setup uses empty POST to call it's modules!)
|
||||
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST)
|
||||
{
|
||||
egw_csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
Api\Csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
}
|
||||
$setup_tpl->set_block('T_db_backup','schedule_row','schedule_rows');
|
||||
$setup_tpl->set_block('T_db_backup','set_row','set_rows');
|
||||
@ -107,13 +107,13 @@ if ($_POST['save_backup_settings'])
|
||||
}
|
||||
if ($_POST['mount'])
|
||||
{
|
||||
egw_vfs::$is_root = true;
|
||||
Api\Vfs::$is_root = true;
|
||||
echo '<div align="center">'.
|
||||
(egw_vfs::mount('filesystem://default'.$db_backup->backup_dir.'?group=Admins&mode=070','/backup',false) ?
|
||||
(Api\Vfs::mount('filesystem://default'.$db_backup->backup_dir.'?group=Admins&mode=070','/backup',false) ?
|
||||
lang('Backup directory %1 mounted as %2',$db_backup->backup_dir,'/backup') :
|
||||
lang('Failed to mount Backup directory!')).
|
||||
"</div>\n";
|
||||
egw_vfs::$is_root = false;
|
||||
Api\Vfs::$is_root = false;
|
||||
}
|
||||
// create a backup now
|
||||
if($_POST['backup'])
|
||||
|
||||
@ -10,13 +10,15 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
$GLOBALS['DEBUG'] = False;
|
||||
include('./inc/functions.inc.php');
|
||||
|
||||
@set_time_limit(0);
|
||||
|
||||
$tpl_root = $GLOBALS['egw_setup']->html->setup_tpl_dir('setup');
|
||||
$setup_tpl = CreateObject('phpgwapi.Template',$tpl_root);
|
||||
$setup_tpl = new Template($tpl_root);
|
||||
$setup_tpl->set_file(array
|
||||
(
|
||||
'T_head' => 'head.tpl',
|
||||
@ -251,7 +253,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db'])
|
||||
$setup_tpl->set_var('V_db_filled_block',$db_filled_block);
|
||||
break;
|
||||
case 4:
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__)));
|
||||
$setup_tpl->set_var('oldver',lang('You appear to be running version %1 of eGroupWare',$setup_info['phpgwapi']['currentver']));
|
||||
$setup_tpl->set_var('automatic',lang('We will automatically update your tables/records to %1',$setup_info['phpgwapi']['version']));
|
||||
$setup_tpl->set_var('backupwarn',lang('but we <u>highly recommend backing up</u> your tables in case the script causes damage to your data.<br /><strong>These automated scripts can easily destroy your data.</strong>'));
|
||||
@ -273,7 +275,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db'])
|
||||
$setup_tpl->set_var('V_db_filled_block',$db_filled_block);
|
||||
break;
|
||||
case 5:
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
|
||||
$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', Api\Csrf::token(__FILE__)));
|
||||
$setup_tpl->set_var('are_you_sure',lang('ARE YOU SURE?'));
|
||||
$setup_tpl->set_var('really_uninstall_all_applications',lang('REALLY Uninstall all applications'));
|
||||
$setup_tpl->set_var('dropwarn',lang('Your tables will be dropped and you will lose data'));
|
||||
@ -298,7 +300,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db'])
|
||||
!preg_match('/^[0-9.a-z_]+$/i', $_POST['db_grant_host']) ? 'localhost' : $_POST['db_grant_host']);
|
||||
break;
|
||||
case 'drop':
|
||||
egw_csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
Api\Csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
$setup_info = $GLOBALS['egw_setup']->detection->get_versions($setup_info);
|
||||
$setup_info = $GLOBALS['egw_setup']->process->droptables($setup_info);
|
||||
break;
|
||||
@ -346,11 +348,11 @@ switch($GLOBALS['egw_info']['setup']['stage']['db'])
|
||||
}
|
||||
break;
|
||||
case 'oldversion':
|
||||
egw_csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
Api\Csrf::validate($_POST['csrf_token'], __FILE__);
|
||||
// create a backup, before upgrading the tables
|
||||
if ($_POST['backup'])
|
||||
{
|
||||
$db_backup =& CreateObject('phpgwapi.db_backup');
|
||||
$db_backup = new Api\Db\Backup();
|
||||
if (is_resource($f = $db_backup->fopen_backup()))
|
||||
{
|
||||
echo '<p align="center">'.lang('backup started, this might take a few minutes ...')."</p>\n".str_repeat(' ',4096);
|
||||
@ -373,7 +375,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db'])
|
||||
break;
|
||||
}
|
||||
}
|
||||
catch (egw_exception_db $e)
|
||||
catch (Api\Db\Exception $e)
|
||||
{
|
||||
echo "<pre>".$e->getMessage()."</pre>\n";
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user