Commit e787e770 authored by Côme Chilliet's avatar Côme Chilliet
Browse files

Merge branch 'cherry-pick-5edd2e32' into '1.4-dev'

Merge branch '5840-security-vulnerability-cross-site-request-forgery' into '1.4-dev'

See merge request fusiondirectory/fd!296
parents 76528734 62ffce88
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2003-2010 Cajus Pollmeier
Copyright (C) 2011-2016 FusionDirectory
Copyright (C) 2011-2018 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -54,6 +53,8 @@ if (!session::global_is_set('connected')) {
exit;
}
CSRFProtection::check();
$ui = session::global_get('ui');
$config = session::global_get('config');
......@@ -318,7 +319,8 @@ if (session::is_set('errors') && session::get('errors') != "") {
$focus = '<script type="text/javascript">';
$focus .= 'next_msg_dialog();';
$focus .= '</script>';
$smarty->assign("focus", $focus);
$smarty->assign('focus', $focus);
$smarty->assign('CSRFtoken', CSRFProtection::getToken());
/* Set channel if needed */
//TODO: * move all global session calls to global_
......
......@@ -49,6 +49,8 @@ session::start();
session::global_set('DEBUGLEVEL', 0);
session::set('errorsAlreadyPosted', array());
CSRFProtection::check();
/* Attribute initialization, reset errors */
reset_errors();
......@@ -123,6 +125,7 @@ $smarty->assign("navigation", $setup->get_navigation_html());
$smarty->assign("headline_image", $setup->get_header_image());
$smarty->assign("headline", $setup->get_header_text());
$smarty->assign("focus", $focus);
$smarty->assign('CSRFtoken', CSRFProtection::getToken());
$smarty->assign("msg_dialogs", msg_dialog::get_dialogs());
if ($error_collector != "") {
......
......@@ -55,6 +55,7 @@
{$errors}
{$focus}
<input type="hidden" name="php_c_check" value="1"/>
<input type="hidden" name="CSRFtoken" value="{$CSRFtoken}"/>
</form>
......
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2017-2018 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
class CSRFProtection
{
public static function check()
{
if (empty($_POST)) {
return;
}
if (empty($_POST['CSRFtoken'])) {
throw new FusionDirectoryException('CSRF protection token missing');
}
static::checkHeaders();
if ($_POST['CSRFtoken'] !== static::getToken()) {
throw new FusionDirectoryException('CSRF protection token invalid');
}
}
public static function getToken()
{
if (!session::is_set('CSRFtoken')) {
session::set('CSRFtoken', standAlonePage::generateRandomHash());
}
return session::get('CSRFtoken');
}
public static function checkHeaders()
{
$origin = FALSE;
if (!empty($_SERVER['HTTP_ORIGIN'])) {
$origin = $_SERVER['HTTP_ORIGIN'];
} elseif (!empty($_SERVER['HTTP_REFERER'])) {
$origin = $_SERVER['HTTP_REFERER'];
}
if ($origin) {
$origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin);
$target = FALSE;
if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$target = $_SERVER['HTTP_X_FORWARDED_HOST'];
} else
if (!empty($_SERVER['HTTP_HOST'])) {
$target = $_SERVER['HTTP_HOST'];
}
if ($target && !hash_equals($origin, $target)) {
throw new FusionDirectoryException('CSRF detected: origin and target are not matching ('.$origin.' != '.$target.')');
}
}
}
}
......@@ -39,6 +39,7 @@
{$errors}
{$focus}
<input type="hidden" name="setup_goto_step" value=""/>
<input type="hidden" name="CSRFtoken" value="{$CSRFtoken}"/>
</form>
</body>
......
  • SonarQube analysis indicates that quality gate is failed.

    • Security Rating on New Code is passed: Actual value 1
    • Reliability Rating on New Code is passed: Actual value 1
    • Maintainability Rating on New Code is passed: Actual value 1
    • Duplicated Lines on New Code (%) is failed: Actual value 8.354114713216958 > 5

    SonarQube analysis reported no issues.

Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment