| author | 2016-08-13 17:49:31 +0200 | |
|---|---|---|
| committer | 2016-08-13 17:49:31 +0200 | |
| commit | e6fd34bdda5d067a9e74714aaae10c89ed998a46 (patch) | |
| tree | 1a82e54e636f856983e8cd94ec00247eb9987b27 /app/views/auth | |
| parent | 97efdcac1e38c568b6be313120694e7201d4c69c (diff) | |
Add CSRF token to forms; update HTTP Referrer-Policy to same-origin
https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer
https://github.com/FreshRSS/FreshRSS/issues/570
https://github.com/FreshRSS/FreshRSS/issues/955
https://github.com/FreshRSS/FreshRSS/issues/1198
https://github.com/FreshRSS/FreshRSS/issues/565
https://github.com/FreshRSS/FreshRSS/issues/554
Diffstat (limited to 'app/views/auth')
| -rw-r--r-- | app/views/auth/formLogin.phtml | 1 | ||||
| -rw-r--r-- | app/views/auth/index.phtml | 1 | ||||
| -rw-r--r-- | app/views/auth/register.phtml | 55 |
3 files changed, 30 insertions, 27 deletions
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml
index b0083944f..4bbc8ed55 100644
--- a/app/views/auth/formLogin.phtml
+++ b/app/views/auth/formLogin.phtml
@@ -6,6 +6,7 @@
 <?php } ?>
 <form id="crypto-form" method="post" action="<?php echo _url('auth', 'login'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 <div>
 <label for="username"><?php echo _t('gen.auth.username'); ?></label>
 <input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" />
diff --git a/app/views/auth/index.phtml b/app/views/auth/index.phtml
index 8f81ac856..74e692ec5 100644
--- a/app/views/auth/index.phtml
+++ b/app/views/auth/index.phtml
@@ -4,6 +4,7 @@
 <a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 <form method="post" action="<?php echo _url('auth', 'index'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 <legend><?php echo _t('admin.auth.type'); ?></legend>
 <div class="form-group">
diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml
index 0c261319a..1f9976391 100644
--- a/app/views/auth/register.phtml
+++ b/app/views/auth/register.phtml
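Review bot: The login form now carries `_csrf`, but the verification side is not in this section (the diffstat is limited to app/views/auth), so the `auth/login` handler must actually reject a POST whose `_csrf` is absent or does not equal the session-bound token, using `hash_equals()` rather than `==`. Because this form is reached before authentication, the token can only be checked if an anonymous session is already started on the GET that renders it; if the session is created only on successful login, the POSTed token cannot match and the check either always fails or silently degrades to a no-op — confirm which. A one-line template comment would save the next reader that trip: `<?php /* _csrf must be validated in FreshRSS_auth_Controller::loginAction before credentials are processed */ ?>`. The `<form>` element continues past the end of the hunk.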
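Review bot: The token is echoed straight into the `value` attribute of the new hidden input; whether that is safe depends entirely on the character set `FreshRSS_Auth::csrfToken()` produces, which is not visible here. Escaping per context costs nothing and keeps the template correct if the token encoding ever changes: `<input type="hidden" name="_csrf" value="<?php echo htmlspecialchars(FreshRSS_Auth::csrfToken(), ENT_QUOTES, 'UTF-8'); ?>" />`. This form switches the authentication method (`admin.auth.type`), a privileged action, so it is worth confirming that the `auth/index` POST handler validates `_csrf` before touching configuration; the form body runs past the end of the hunk.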
@@ -1,33 +1,34 @@
 <div class="prompt">
- <h1><?php echo _t('gen.auth.registration'); ?></h1>
+ <h1><?php echo _t('gen.auth.registration'); ?></h1>
- <form method="post" action="<?php echo _url('user', 'create'); ?>">
- <div>
- <label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label>
- <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" />
- </div>
+ <form method="post" action="<?php echo _url('user', 'create'); ?>">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
+ <div>
+ <label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label>
+ <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" />
+ </div>
- <div>
- <label class="group-name" for="new_user_passwordPlain"><?php echo _t('gen.auth.password'), '<br />', _i('help'), ' ', _t('gen.auth.password.format'); ?></label>
- <div class="stick">
- <input type="password" id="new_user_passwordPlain" name="new_user_passwordPlain" required="required" autocomplete="off" pattern=".{7,}" />
- <a class="btn toggle-password" data-toggle="new_user_passwordPlain"><?php echo _i('key'); ?></a>
- </div>
- <noscript><b><?php echo _t('gen.js.should_be_activated'); ?></b></noscript>
- </div>
+ <div>
+ <label class="group-name" for="new_user_passwordPlain"><?php echo _t('gen.auth.password'), '<br />', _i('help'), ' ', _t('gen.auth.password.format'); ?></label>
+ <div class="stick">
+ <input type="password" id="new_user_passwordPlain" name="new_user_passwordPlain" required="required" autocomplete="off" pattern=".{7,}" />
+ <a class="btn toggle-password" data-toggle="new_user_passwordPlain"><?php echo _i('key'); ?></a>
+ </div>
+ <noscript><b><?php echo _t('gen.js.should_be_activated'); ?></b></noscript>
+ </div>
- <div>
- <?php
- $redirect_url = urlencode(Minz_Url::display(
- array('c' => 'index', 'a' => 'index'),
- 'php', true
- ));
- ?>
- <input type="hidden" name="r" value="<?php echo $redirect_url; ?>" />
- <button type="submit" class="btn btn-important"><?php echo _t('gen.action.create'); ?></button>
- <a class="btn" href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.cancel'); ?></a>
- </div>
- </form>
+ <div>
+ <?php
+ $redirect_url = urlencode(Minz_Url::display(
+ array('c' => 'index', 'a' => 'index'),
+ 'php', true
+ ));
+ ?>
+ <input type="hidden" name="r" value="<?php echo $redirect_url; ?>" />
+ <button type="submit" class="btn btn-important"><?php echo _t('gen.action.create'); ?></button>
+ <a class="btn" href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.cancel'); ?></a>
+ </div>
+ </form>
- <p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('gen.freshrss.about'); ?></a></p>
+ <p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('gen.freshrss.about'); ?></a></p>
 </div> |
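Review bot: Almost every `+` line in this hunk is a re-indentation of an otherwise unchanged line, so the single functional addition, `<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />`, is buried among some thirty changed lines; the whitespace change belongs in its own commit so the security-relevant line can be reviewed on its own. Two things on the new side are worth confirming in the `user/create` handler, which is outside this diff: the 7-character minimum on `new_user_passwordPlain` exists only as a client-side `pattern` attribute, and the hidden `r` redirect target is client-controlled at submission time, so the server should enforce the length itself and accept `r` only as a same-origin path (the `urlencode()`-ed value is attribute-safe as emitted, that is not the concern). Like the login form, this page is reached before authentication, so `_csrf` presumably depends on a session already being started for anonymous visitors — verify, since otherwise the token cannot match on POST.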
