prevent CSRF for admin create, edit or delete user

2025-02-12 16:30:22 +01:00 · 2014-05-01 07:00:28 +00:00 · 2014-05-01 07:00:28 +00:00 · c4ea0ce0e1
commit c4ea0ce0e1
parent 430d534ba6
3 changed files with 27 additions and 13 deletions
--- a/admin/inc/class.uiaccounts.inc.php
+++ b/admin/inc/class.uiaccounts.inc.php
@ -639,6 +639,11 @@

 		function delete_user()
 		{
+			// for POST (not GET or cli call via setup_cmd_admin) validate CSRF token
+			if ($_SERVER['REQUEST_METHOD'] == 'POST')
+			{
+				egw_csrf::validate($_POST['csrf_token'], __METHOD__);
+			}
 			if ($GLOBALS['egw']->acl->check('account_access',32,'admin') || $GLOBALS['egw_info']['user']['account_id'] == $_GET['account_id'] ||
 				$_POST['cancel'])
 			{
@ -662,7 +667,8 @@
 			);
 			$var = Array(
 				'form_action' => $GLOBALS['egw']->link('/index.php','menuaction=admin.uiaccounts.delete_user'),
-				'account_id'  => $_GET['account_id']
+				'account_id'  => $_GET['account_id'],
+				'hidden_vars'       => html::input_hidden('csrf_token', egw_csrf::token(__METHOD__)),
 			);

 			// the account can have special chars/white spaces, if it is a ldap dn
@ -797,6 +803,11 @@

 		function edit_user($cd='',$account_id='', $required_account_access=16)
 		{
+			// for POST (not GET or cli call via setup_cmd_admin) validate CSRF token
+			if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST)
+			{
+				egw_csrf::validate($_POST['csrf_token'], __METHOD__);
+			}
 			if($GLOBALS['egw']->acl->check('account_access',$required_account_access,'admin') || isset($_POST['cancel']))
 			{
 				$this->list_users();
@ -1456,7 +1467,8 @@
 				'account_passwd'    => $userData['account_passwd'],
 				'account_passwd_2'  => $userData['account_passwd_2'],
 				'account_file_space' => $account_file_space,
-				'account_id'        => (int) $userData['account_id']
+				'account_id'        => (int) $userData['account_id'],
+				'hidden_vars'       => html::input_hidden('csrf_token', egw_csrf::token(__CLASS__.'::edit_user')),
 			);
            if (isset($userData['account_created'])) $var['account_status'].= '<br>'.lang('Created').': '.common::show_date($userData['account_created']);
            if (isset($userData['account_modified'])) $var['account_status'].= '<br>'.lang('Modified').': '.common::show_date($userData['account_modified']);
--- a/admin/templates/default/account_form.tpl
+++ b/admin/templates/default/account_form.tpl
@ -8,7 +8,7 @@ function check_account_email(id)
 	firstname = document.getElementById('firstname').value;
 	lastname  = document.getElementById('lastname').value;
 	email     = document.getElementById('email').value;
-	
+
 	if (!email || email_set || id == 'account')
 	{
 		xajax_doXMLHTTP('admin.uiaccounts.ajax_check_account_email',firstname,lastname,account,{account_id},email_set ? '' : email,id);
@ -19,7 +19,7 @@ function check_password(id)
 {
 	password  = document.getElementById('password').value;
 	password2 = document.getElementById('password2').value;
-	
+
 	if (password && (password2 || id == 'password2') && password != password2)
 	{
 		alert('{lang_passwds_unequal}');
@ -32,6 +32,7 @@ function check_password(id)
 }
 </script>
 <form method="POST" action="{form_action}">
+	{hidden_vars}
 	<div align="center">
 	<table border="0" width="95%">
 		<tr>
@ -44,22 +45,22 @@ function check_password(id)
 			    <tr class="th">
 			      <td colspan="4"><b>{lang_action}</b></td>
 			    </tr>
-				
+
 			    <tr class="row_on">
 			     <td width="25%">{lang_loginid}</td>
 			     <td width="25%">{account_lid}&nbsp;</td>
-				
+
 			     <td width="25%">{lang_account_active}:</td>
 			     <td width="25%">{account_status}</td>
 			    </tr>
-				
+
 			    <tr class="row_off">
 			     <td>{lang_firstname}</td>
 			     <td>{account_firstname}&nbsp;</td>
 			     <td>{lang_lastname}</td>
 			     <td>{account_lastname}&nbsp;</td>
 			    </tr>
-			
+
 			    {password_fields}
 <!-- BEGIN ldap_extra -->
 			    <tr class="row_off">
@ -75,7 +76,7 @@ function check_password(id)
 					<td></td>
 					<td></td>
 				</tr>
-			 
+
 			    <tr class="row_off">
 			     <td>{lang_changepassword}</td>
 			     <td>{changepassword}</td>
@ -89,14 +90,14 @@ function check_password(id)
 			     <td>{lang_email}</td>
 			     <td>{account_email}</td>
 			    </tr>
-	
+
 			    <tr class="row_off">
 			     <td>{lang_groups}</td>
 			     <td>{groups_select}&nbsp;</td>
 			     <td>{lang_primary_group}</td>
 			     <td>{primary_group_select}&nbsp;</td>
 			    </tr>
-			    
+
 			    <tr class="th">
 			     <td>{lang_app}</td>
 			     <td>{lang_acl}</td>
@ -105,9 +106,9 @@ function check_password(id)
 			    </tr>

 			    {permissions_list}
-			
+
 				 {form_buttons}
-			
+
 			   </table>
   			</td>
   		</tr>
--- a/admin/templates/default/delete_account.tpl
+++ b/admin/templates/default/delete_account.tpl
@ -1,5 +1,6 @@
 <!-- BEGIN form -->
 <form method="POST" action="{form_action}">
+ {hidden_vars}
 <input type="hidden" name="account_id" value="{account_id}">
 <center>
  <table border="0" width="85%">