authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2014-08-01 20:20:25 +0200
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2014-08-01 20:20:25 +0200
commit35be1769de28df3fff1a26e40d1d6b1e587a2847 (patch)
tree17c0def5f8acd4910d8cf43c051b9087f5379c0b /app
parentaafcd3a879225414ca7fb5a9b74ba06e5ece8c12 (diff)
Basic protection against XSRF using Referer
https://github.com/marienfressinaud/FreshRSS/issues/554 Also edited the error controller to use the log message passed in Minz_Error::error().
Diffstat (limited to 'app')
-rw-r--r--app/Controllers/errorController.php52
-rw-r--r--app/FreshRSS.php11
-rw-r--r--app/views/error/index.phtml13
3 files changed, 44 insertions, 32 deletions
diff --git a/app/Controllers/errorController.php b/app/Controllers/errorController.php
index dc9a2ee25..922650b3d 100644
--- a/app/Controllers/errorController.php
+++ b/app/Controllers/errorController.php
@@ -1,26 +1,38 @@
<?php
class FreshRSS_error_Controller extends Minz_ActionController {
- public function indexAction () {
- switch (Minz_Request::param ('code')) {
- case 403:
- $this->view->code = 'Error 403 - Forbidden';
- break;
- case 404:
- $this->view->code = 'Error 404 - Not found';
- break;
- case 500:
- $this->view->code = 'Error 500 - Internal Server Error';
- break;
- case 503:
- $this->view->code = 'Error 503 - Service Unavailable';
- break;
- default:
- $this->view->code = 'Error 404 - Not found';
+ public function indexAction() {
+ switch (Minz_Request::param('code')) {
+ case 403:
+ $this->view->code = 'Error 403 - Forbidden';
+ break;
+ case 404:
+ $this->view->code = 'Error 404 - Not found';
+ break;
+ case 500:
+ $this->view->code = 'Error 500 - Internal Server Error';
+ break;
+ case 503:
+ $this->view->code = 'Error 503 - Service Unavailable';
+ break;
+ default:
+ $this->view->code = 'Error 404 - Not found';
}
-
- $this->view->logs = Minz_Request::param ('logs');
-
- Minz_View::prependTitle ($this->view->code . ' · ');
+
+ $errors = Minz_Request::param('logs', array());
+ $this->view->errorMessage = trim(implode($errors));
+ if ($this->view->errorMessage == '') {
+ switch(Minz_Request::param('code')) {
+ case 403:
+ $this->view->errorMessage = Minz_Translate::t('forbidden_access');
+ break;
+ case 404:
+ default:
+ $this->view->errorMessage = Minz_Translate::t('page_not_found');
+ break;
+ }
+ }
+
+ Minz_View::prependTitle($this->view->code . ' · ');
}
}
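Review bot: `$errors = Minz_Request::param('logs', array())` followed by `implode($errors)` assumes `logs` is always an array, but if `Minz_Request::param` can be fed from the query string or POST body (the `code` parameter on the line above is read the same way), a client can send `logs` as a plain string, and `implode()` on a non-array emits a warning and returns null on PHP 5 (a TypeError on PHP 8), so the translated fallback below never sees a clean empty string. Guard the type before joining: `$errors = Minz_Request::param('logs', array()); if (!is_array($errors)) { $errors = array((string)$errors); }`. `implode($errors)` also joins with no separator, so two log entries run together on the page; `implode(' ', $errors)` keeps them readable. The joined string is handed to the view as `errorMessage` and printed there, so it has to be treated as untrusted text rather than HTML unless every caller of `Minz_Error::error()` escapes its fragments the way FreshRSS.php does in this commit, which is worth stating in a comment above the `implode` line.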
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 84cf3429b..cd6048f75 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -6,6 +6,16 @@ class FreshRSS extends Minz_FrontController {
}
$loginOk = $this->accessControl(Minz_Session::param('currentUser', ''));
$this->loadParamsView();
+ if (Minz_Request::isPost() && !empty($_SERVER['HTTP_REFERER']) &&
+ Minz_Request::getDomainName() !== parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)) {
+ $loginOk = false; //Basic protection against XSRF attacks
+ Minz_Error::error(
+ 403,
+ array('error' => array(Minz_Translate::t('access_denied') . ' [HTTP_REFERER=' .
+ htmlspecialchars(empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER']) . ']'))
+ );
+ }
+ Minz_View::_param('loginOk', $loginOk);
$this->loadStylesAndScripts($loginOk); //TODO: Do not load that when not needed, e.g. some Ajax requests
$this->loadNotifications();
}
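Review bot: The new referer check exempts any POST that carries no Referer at all, because `!empty($_SERVER['HTTP_REFERER'])` is part of the condition, so a cross-site page can bypass it simply by suppressing the header (a `no-referrer` referrer policy, or a form posted from an HTTPS page to an HTTP origin); a referer check that passes the missing-header case gives little real protection. If the referer is to be used at all, treat a missing one like a mismatch and compare hosts case-insensitively, since `!==` treats `Example.org` and `example.org` as different: `$refererHost = empty($_SERVER['HTTP_REFERER']) ? '' : (string)parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);` then `if (Minz_Request::isPost() && strcasecmp((string)Minz_Request::getDomainName(), $refererHost) !== 0) {` — at the cost of rejecting users whose browsers strip Referer, which is why the durable fix is a per-session token checked on every state-changing request, as the title's own "Basic protection" wording acknowledges. Two smaller points: the inner `empty($_SERVER['HTTP_REFERER']) ? '' : ...` on the message line is redundant because the enclosing condition already guarantees a non-empty header, and it is not visible here whether `Minz_Error::error()` stops execution — if it only forwards, setting `$loginOk = false` does not by itself keep the original action from running, so that should be confirmed. The enclosing method starts before this hunk.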
@@ -95,7 +105,6 @@ class FreshRSS extends Minz_FrontController {
break;
}
}
- Minz_View::_param ('loginOk', $loginOk);
return $loginOk;
}
diff --git a/app/views/error/index.phtml b/app/views/error/index.phtml
index 6a09c3aa2..ef4fbd39d 100644
--- a/app/views/error/index.phtml
+++ b/app/views/error/index.phtml
@@ -1,18 +1,9 @@
<div class="post">
<div class="alert alert-error">
<h1 class="alert-head"><?php echo $this->code; ?></h1>
-
<p>
- <?php
- switch(Minz_Request::param ('code')) {
- case 403:
- echo Minz_Translate::t ('forbidden_access');
- break;
- case 404:
- default:
- echo Minz_Translate::t ('page_not_found');
- } ?><br />
- <a href="<?php echo _url ('index', 'index'); ?>"><?php echo Minz_Translate::t ('back_to_rss_feeds'); ?></a>
+ <?php echo $this->errorMessage; ?><br />
+ <a href="<?php echo _url('index', 'index'); ?>"><?php echo Minz_Translate::t('back_to_rss_feeds'); ?></a>
</p>
</div>
</div>
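Review bot: `<?php echo $this->errorMessage; ?>` on the new line prints the message without escaping, whereas the lines it replaces only ever printed translated constants; `errorMessage` is now assembled in the controller from the `logs` request parameter, and the only escaping visible in this commit is done by one caller (FreshRSS.php wraps the referer in `htmlspecialchars()`), so any other caller that forwards a raw string — or a client-supplied `logs` value, if `Minz_Request::param` reads the query string — lands in the page as HTML. Escape at the output boundary, where the context is known: `<?php echo htmlspecialchars($this->errorMessage, ENT_QUOTES, 'UTF-8'); ?>`, and drop the `htmlspecialchars()` call in the FreshRSS.php caller so the referer is not double-encoded. Passing the charset explicitly keeps the escaping independent of the `default_charset` ini setting on older PHP versions.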