CSRF token, update HTTP Referrer policy to same-origin

https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer
https://github.com/FreshRSS/FreshRSS/issues/570
https://github.com/FreshRSS/FreshRSS/issues/955
https://github.com/FreshRSS/FreshRSS/issues/1198
https://github.com/FreshRSS/FreshRSS/issues/565
https://github.com/FreshRSS/FreshRSS/issues/554

1 files changed, 21 insertions, 0 deletions

diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index d689f7cdb..f0e8db5a2 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -124,6 +124,7 @@ class FreshRSS_Auth {
 		self::$login_ok = false;
 		$conf = Minz_Configuration::get('system');
 		Minz_Session::_param('currentUser', $conf->default_user);
+		Minz_Session::_param('csrf');
 
 		switch ($conf->auth_type) {
 		case 'form':
@@ -156,6 +157,26 @@ class FreshRSS_Auth {
 		$auth_type = $conf->auth_type;
 		return $auth_type === 'form';
 	}
+
+	public static function csrfToken() {
+		$csrf = Minz_Session::param('csrf');
+		if ($csrf == '') {
+			$salt = FreshRSS_Context::$system_conf->salt;
+			$csrf = sha1($salt . uniqid(mt_rand(), true));
+			Minz_Session::_param('csrf', $csrf);
+		}
+		return $csrf;
+	}
+	public static function isCsrfOk($token = null) {
+		$csrf = Minz_Session::param('csrf');
+		if ($csrf == '') {
+			return true;	//Not logged in yet
+		}
+		if ($token === null) {
+			$token = Minz_Request::param('_csrf');
+		}
+		return $token === $csrf;
+	}
 }