FbIN/htmly
1
0
Fork 0
mirror of https://github.com/danpros/htmly.git synced 2026-04-18 11:36:20 +05:30
Code Issues Projects Releases Packages Wiki Activity

added CSRF Token

Browse source
This commit is contained in:
Matthias Vogel 2014-07-12 13:03:49 +02:00
commit e852052790
11 changed files with 88 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

1
system/admin/views/add-page.html.php
View file

@ -13,6 +13,7 @@
<br><br>
<div id="wmd-button-bar" class="wmd-button-bar"></div>
<textarea id="wmd-input" class="wmd-input <?php if (isset($postContent)) { if (empty($postContent)) { echo 'error';}} ?>" name="content" cols="20" rows="10"><?php if (isset($postContent)) { echo $postContent;} ?></textarea><br/>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Publish"/>
</form>
</div>

1
system/admin/views/add-post.html.php
View file

@ -14,6 +14,7 @@
<br><br>
<div id="wmd-button-bar" class="wmd-button-bar"></div>
<textarea id="wmd-input" class="wmd-input <?php if (isset($postContent)) { if (empty($postContent)) { echo 'error';}} ?>" name="content" cols="20" rows="10"><?php if (isset($postContent)) { echo $postContent;} ?></textarea><br/>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Publish"/>
</form>
</div>

1
system/admin/views/delete-page.html.php
View file

@ -27,6 +27,7 @@
<?php echo '<p>Are you sure want to delete <strong>' . $p->title . '</strong>?</p>';?>
<form method="POST">
<input type="hidden" name="file" value="<?php echo $p->file ?>"/><br>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" value="Delete"/>
<span><a href="<?php echo $back ?>">Cancel</a></span>
</form>

1
system/admin/views/delete-post.html.php
View file

@ -34,6 +34,7 @@
<?php echo '<p>Are you sure want to delete <strong>' . $p->title . '</strong>?</p>';?>
<form method="POST">
<input type="hidden" name="file" value="<?php echo $p->file ?>"/><br>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" value="Delete"/>
<span><a href="<?php echo $back ?>">Cancel</a></span>
</form>

1
system/admin/views/edit-page.html.php
View file

@ -45,6 +45,7 @@
<div id="wmd-button-bar" class="wmd-button-bar"></div>
<textarea id="wmd-input" class="wmd-input <?php if (isset($postContent)) { if (empty($postContent)) { echo 'error';}} ?>" name="content" cols="20" rows="10"><?php echo $oldcontent ?></textarea><br>
<input type="hidden" name="oldfile" class="text" value="<?php echo $url ?>"/>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Save"/> <a href="<?php echo $delete?>">Delete</a>
</form>
</div>

1
system/admin/views/edit-post.html.php
View file

@ -60,6 +60,7 @@
<div id="wmd-button-bar" class="wmd-button-bar"></div>
<textarea id="wmd-input" class="wmd-input <?php if (isset($postContent)) { if (empty($postContent)) { echo 'error';}} ?>" name="content" cols="20" rows="10"><?php echo $oldcontent ?></textarea><br>
<input type="hidden" name="oldfile" class="text" value="<?php echo $url ?>"/>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Save"/> <a href="<?php echo $delete?>">Delete</a>
</form>
</div>

1
system/admin/views/edit-profile.html.php
View file

@ -37,6 +37,7 @@
Title <span class="required">*</span> <br><input type="text" name="title" class="text <?php if (isset($postTitle)) { if (empty($postTitle)) { echo 'error';}} ?>" value="<?php echo $oldtitle?>"/><br><br>
<div id="wmd-button-bar" class="wmd-button-bar"></div>
<textarea id="wmd-input" class="wmd-input <?php if (isset($postContent)) { if (empty($postContent)) { echo 'error';}} ?>" name="content" cols="20" rows="10"><?php echo $oldcontent ?></textarea><br>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Save"/>
</form>
</div>

1
system/admin/views/import.html.php
View file

@ -6,5 +6,6 @@
<form method="POST">
Feed Url <span class="required">*</span> <br><input type="url" class="text <?php if (isset($url)) { if (empty($url)) { echo 'error';}} ?>" name="url"/><br><br>
Add source link (optional) <input type="checkbox" class="checkbox" name="credit" value="yes"/><br><br>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Import"/>
</form>

1
system/admin/views/login.html.php
View file

@ -8,6 +8,7 @@
<input type="text" class="<?php if (isset($username)) { if (empty($username)) { echo 'error';}} ?>" name="user"/><br><br>
Password <span class="required">*</span> <br>
<input type="password" class="<?php if (isset($password)) { if (empty($password)) { echo 'error';}} ?>" name="password"/><br><br>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" value="Login"/>
</form>
<?php } else {header('location: admin');} ?>

72
system/htmly.php
View file

@ -58,9 +58,11 @@ get('/index', function () {
// Get submitted login data
post('/login', function() {
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$user = from($_REQUEST, 'user');
$pass = from($_REQUEST, 'password');
if(!empty($user) && !empty($pass)) {
if($proper && !empty($user) && !empty($pass)) {
session($user, $pass, null);
$log = session($user, $pass, null);
@ -85,6 +87,9 @@ post('/login', function() {
if (empty($pass)) {
$message['error'] .= '<li>Password field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
@ -193,6 +198,8 @@ get('/:year/:month/:name/edit', function($year, $month, $name){
// Get edited data for blog post
post('/:year/:month/:name/edit', function() {
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$title = from($_REQUEST, 'title');
$tag = from($_REQUEST, 'tag');
@ -200,7 +207,7 @@ post('/:year/:month/:name/edit', function() {
$content = from($_REQUEST, 'content');
$oldfile = from($_REQUEST, 'oldfile');
$destination = from($_GET, 'destination');
if(!empty($title) && !empty($tag) && !empty($content)) {
if($proper && !empty($title) && !empty($tag) && !empty($content)) {
if(!empty($url)) {
edit_post($title, $tag, $url, $content, $oldfile, $destination);
}
@ -220,6 +227,9 @@ post('/:year/:month/:name/edit', function() {
if (empty($content)) {
$message['error'] .= '<li>Content field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
render('edit-post',array(
@ -280,10 +290,13 @@ get('/:year/:month/:name/delete', function($year, $month, $name){
// Get deleted data for blog post
post('/:year/:month/:name/delete', function() {
$file = from($_REQUEST, 'file');
$destination = from($_GET, 'destination');
delete_post($file, $destination);
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
if($proper)
{
$file = from($_REQUEST, 'file');
$destination = from($_GET, 'destination');
delete_post($file, $destination);
}
});
// The author page
@ -356,11 +369,13 @@ get('/edit/profile', function(){
// Get edited data for static page
post('/edit/profile', function() {
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$user = $_SESSION[config("site.url")]['user'];
$title = from($_REQUEST, 'title');
$content = from($_REQUEST, 'content');
if(!empty($title) && !empty($content)) {
if($proper && !empty($title) && !empty($content)) {
edit_profile($title, $content, $user);
}
else {
@ -371,6 +386,9 @@ post('/edit/profile', function() {
if (empty($content)) {
$message['error'] .= '<li>Content field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
render('edit-profile',array(
@ -627,13 +645,14 @@ get('/:static/edit', function($static){
// Get edited data for static page
post('/:static/edit', function() {
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$title = from($_REQUEST, 'title');
$url = from($_REQUEST, 'url');
$content = from($_REQUEST, 'content');
$oldfile = from($_REQUEST, 'oldfile');
$destination = from($_GET, 'destination');
if(!empty($title) && !empty($content)) {
if($proper && !empty($title) && !empty($content)) {
if(!empty($url)) {
edit_page($title, $url, $content, $oldfile, $destination);
}
@ -650,6 +669,9 @@ post('/:static/edit', function() {
if (empty($content)) {
$message['error'] .= '<li>Content field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
render('edit-page',array(
@ -697,10 +719,13 @@ get('/:static/delete', function($static){
// Get deleted data for static page
post('/:static/delete', function() {
$file = from($_REQUEST, 'file');
$destination = from($_GET, 'destination');
delete_page($file, $destination);
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
if($proper)
{
$file = from($_REQUEST, 'file');
$destination = from($_GET, 'destination');
delete_page($file, $destination);
}
});
// Add blog post
@ -725,12 +750,14 @@ get('/add/post', function(){
// Get submitted blog post data
post('/add/post', function(){
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$title = from($_REQUEST, 'title');
$tag = from($_REQUEST, 'tag');
$url = from($_REQUEST, 'url');
$content = from($_REQUEST, 'content');
$user = $_SESSION[config("site.url")]['user'];
if(!empty($title) && !empty($tag) && !empty($content)) {
if($proper && !empty($title) && !empty($tag) && !empty($content)) {
if(!empty($url)) {
add_post($title, $tag, $url, $content, $user);
}
@ -750,6 +777,9 @@ post('/add/post', function(){
if (empty($content)) {
$message['error'] .= '<li>Content field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
render('add-post',array(
'head_contents' => head_contents('Add post - ' . blog_title(), blog_description(), site_url()),
@ -787,10 +817,12 @@ get('/add/page', function(){
// Get submitted static page data
post('/add/page', function(){
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$title = from($_REQUEST, 'title');
$url = from($_REQUEST, 'url');
$content = from($_REQUEST, 'content');
if(!empty($title) && !empty($content)) {
if($proper && !empty($title) && !empty($content)) {
if(!empty($url)) {
add_page($title, $url, $content);
}
@ -807,6 +839,9 @@ post('/add/page', function(){
if (empty($content)) {
$message['error'] .= '<li>Content field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
render('add-page',array(
'head_contents' => head_contents('Add page - ' . blog_title(), blog_description(), site_url()),
@ -840,6 +875,8 @@ get('/admin/import',function(){
// Get import post
post('/admin/import', function() {
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$url = from($_REQUEST, 'url');
$credit = from($_REQUEST, 'credit');
@ -865,6 +902,9 @@ post('/admin/import', function() {
if(empty($url)) {
$message['error'] .= '<li>You need to specify the feed url.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');

23
system/includes/functions.php
View file

@ -1702,4 +1702,27 @@ function file_cache($request) {
readfile($cachefile);
die;
}
}
function generate_csrf_token()
{
$_SESSION[config("site.url")]['csrf_token'] = sha1(microtime(true).mt_rand(10000,90000));
}
function get_csrf()
{
if(! isset($_SESSION[config("site.url")]['csrf_token']) || empty($_SESSION[config("site.url")]['csrf_token']))
{
generate_csrf_token();
}
return $_SESSION[config("site.url")]['csrf_token'];
}
function is_csrf_proper($csrf_token)
{
if($csrf_token == get_csrf())
{
return true;
}
return false;
}