SF.net SVN: postfixadmin:[1842] trunk
From: <chr...@us...> - 2016-05-20 20:42:07
Revision: 1842 http://sourceforge.net/p/postfixadmin/code/1842
Author: christian_boltz
Date: 2016-05-20 20:42:04 +0000 (Fri, 20 May 2016)
Log Message:
-----------
Add CSRF protection for POST requests
Add the CSRF token to all forms, and validate it when those forms are submitted.
https://sourceforge.net/p/postfixadmin/bugs/372/
Modified Paths:
--------------
trunk/broadcast-message.php
trunk/edit.php
trunk/sendmail.php
trunk/templates/broadcast-message.tpl
trunk/templates/editform.tpl
trunk/templates/password.tpl
trunk/templates/sendmail.tpl
trunk/templates/users_edit-alias.tpl
trunk/templates/vacation.tpl
trunk/users/edit-alias.php
trunk/users/password.php
trunk/vacation.php
Modified: trunk/broadcast-message.php
===================================================================
--- trunk/broadcast-message.php 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/broadcast-message.php 2016-05-20 20:42:04 UTC (rev 1842)
@@ -38,6 +38,8 @@
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+ if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
 if (empty($_POST['subject']) || empty($_POST['message']) || empty($_POST['name'])) {
 $error = 1;
Modified: trunk/edit.php
===================================================================
--- trunk/edit.php 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/edit.php 2016-05-20 20:42:04 UTC (rev 1842)
@@ -93,6 +93,7 @@
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+ if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
 $inp_values = safepost('value', array() );
 foreach($form_fields as $key => $field) {
Modified: trunk/sendmail.php
===================================================================
--- trunk/sendmail.php 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/sendmail.php 2016-05-20 20:42:04 UTC (rev 1842)
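Review bot: The token check added in broadcast-message.php compares the posted value with `!=`, a loose and non-constant-time comparison; the identical line is added in edit.php, sendmail.php, users/edit-alias.php, users/password.php and vacation.php. If `$_SESSION['PFA_token']` is ever unset and safepost() falls back to an empty string (its second argument in the edit.php context line looks like a default), `'' != null` evaluates to false and the POST is accepted without any token. Prefer `if (empty($_SESSION['PFA_token']) || !hash_equals($_SESSION['PFA_token'], (string) safepost('token'))) die('Invalid token!');`, falling back to `!==` where hash_equals() (PHP 5.6+) is unavailable. The enclosing POST branch starts before and continues after each of these hunks.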
@@ -39,6 +39,8 @@
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+ if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
 $fTo = safepost('fTo');
 $fFrom = $smtp_from_email;
 $fSubject = safepost('fSubject');
Modified: trunk/templates/broadcast-message.tpl
===================================================================
--- trunk/templates/broadcast-message.tpl 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/templates/broadcast-message.tpl 2016-05-20 20:42:04 UTC (rev 1842)
@@ -1,5 +1,6 @@
 <div id="edit_form">
 <form name="broadcast-message" method="post" action="">
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 <tr>
 <th colspan="2">{$PALANG.pBroadcast_title}</th>
Modified: trunk/templates/editform.tpl
===================================================================
--- trunk/templates/editform.tpl 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/templates/editform.tpl 2016-05-20 20:42:04 UTC (rev 1842)
@@ -1,6 +1,7 @@
 <div id="edit_form">
 <form name="edit_{$table}" method="post" action="">
 <input class="flat" type="hidden" name="table" value="{$table}" />
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 <tr>
Modified: trunk/templates/password.tpl
===================================================================
--- trunk/templates/password.tpl 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/templates/password.tpl 2016-05-20 20:42:04 UTC (rev 1842)
@@ -1,5 +1,6 @@
 <div id="edit_form">
 <form name="password" method="post" action="">
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 <tr>
 <th colspan="3">{$PALANG.pPassword_welcome}</th>
Modified: trunk/templates/sendmail.tpl
===================================================================
--- trunk/templates/sendmail.tpl 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/templates/sendmail.tpl 2016-05-20 20:42:04 UTC (rev 1842)
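Review bot: The hidden input added to broadcast-message.tpl renders the token with `escape:"url"` even though the value sits in an HTML attribute; the same line is added in editform.tpl, password.tpl, sendmail.tpl, users_edit-alias.tpl and vacation.tpl. URL-encoding rewrites every non-alphanumeric byte, so should the token format ever contain such characters the posted value would no longer equal `$_SESSION['PFA_token']` and every submission would be rejected by the new server-side check. Smarty's default html escaping is the right modifier for this context: `<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape}" />`. The token format is not visible in this commit, so this is a latent rather than demonstrated breakage.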
@@ -1,5 +1,6 @@
 <div id="edit_form">
 <form name="mailbox" method="post" action="">
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 <tr>
 <th colspan="3">{$PALANG.pSendmail_welcome}</th>
Modified: trunk/templates/users_edit-alias.tpl
===================================================================
--- trunk/templates/users_edit-alias.tpl 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/templates/users_edit-alias.tpl 2016-05-20 20:42:04 UTC (rev 1842)
@@ -1,5 +1,6 @@
 <div id="edit_form">
 <form name="alias" method="post" action="">
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 <tr>
 <th colspan="3">{$PALANG.pEdit_alias_welcome}<br /><em>{$PALANG.pEdit_alias_help}</em></th>
Modified: trunk/templates/vacation.tpl
===================================================================
--- trunk/templates/vacation.tpl 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/templates/vacation.tpl 2016-05-20 20:42:04 UTC (rev 1842)
@@ -3,6 +3,7 @@
 {/literal}
 <div id="edit_form">
 <form name="edit-vacation" method="post" action=''>
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 <tr>
 <th colspan="3">{$PALANG.pUsersVacation_welcome}</th>
Modified: trunk/users/edit-alias.php
===================================================================
--- trunk/users/edit-alias.php 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/users/edit-alias.php 2016-05-20 20:42:04 UTC (rev 1842)
@@ -52,6 +52,8 @@
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+ if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
 // user clicked on cancel button
 if(isset($_POST['fCancel'])) {
 header("Location: main.php");
Modified: trunk/users/password.php
===================================================================
--- trunk/users/password.php 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/users/password.php 2016-05-20 20:42:04 UTC (rev 1842)
@@ -37,6 +37,8 @@
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+ if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
 if(isset($_POST['fCancel'])) {
 header("Location: main.php");
 exit(0);
Modified: trunk/vacation.php
===================================================================
--- trunk/vacation.php 2016-05-20 20:27:29 UTC (rev 1841)
+++ trunk/vacation.php 2016-05-20 20:42:04 UTC (rev 1842)
@@ -103,6 +103,8 @@
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+ if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
 if(isset($_POST['fCancel'])) {
 header ("Location: $Return_url");
 exit(0);
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |