From e6fd34bdda5d067a9e74714aaae10c89ed998a46 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 13 Aug 2016 17:49:31 +0200 Subject: CSRF token, update HTTP Referrer policy to same-origin https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer https://github.com/FreshRSS/FreshRSS/issues/570 https://github.com/FreshRSS/FreshRSS/issues/955 https://github.com/FreshRSS/FreshRSS/issues/1198 https://github.com/FreshRSS/FreshRSS/issues/565 https://github.com/FreshRSS/FreshRSS/issues/554 --- app/Models/Auth.php | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'app/Models/Auth.php') diff --git a/app/Models/Auth.php b/app/Models/Auth.php index d689f7cdb..f0e8db5a2 100644 --- a/app/Models/Auth.php +++ b/app/Models/Auth.php @@ -124,6 +124,7 @@ class FreshRSS_Auth { self::$login_ok = false; $conf = Minz_Configuration::get('system'); Minz_Session::_param('currentUser', $conf->default_user); + Minz_Session::_param('csrf'); switch ($conf->auth_type) { case 'form': @@ -156,6 +157,26 @@ class FreshRSS_Auth { $auth_type = $conf->auth_type; return $auth_type === 'form'; } + + public static function csrfToken() { + $csrf = Minz_Session::param('csrf'); + if ($csrf == '') { + $salt = FreshRSS_Context::$system_conf->salt; + $csrf = sha1($salt . uniqid(mt_rand(), true)); + Minz_Session::_param('csrf', $csrf); + } + return $csrf; + } + public static function isCsrfOk($token = null) { + $csrf = Minz_Session::param('csrf'); + if ($csrf == '') { + return true; //Not logged in yet + } + if ($token === null) { + $token = Minz_Request::param('_csrf'); + } + return $token === $csrf; + } } -- cgit v1.2.3 From 56ffc115d15bf136bfced74707ccc1f41c7b5e44 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sat, 13 Aug 2016 19:10:32 +0200 Subject: Do not mix POST and GET params Avoid returning CSRF POST token for a GET --- app/Controllers/configureController.php | 4 ++-- app/Models/Auth.php | 2 +- app/views/entry/bookmark.phtml | 19 +++++++++---------- app/views/entry/read.phtml | 19 +++++++++---------- app/views/helpers/logs_pagination.phtml | 2 +- app/views/index/global.phtml | 2 +- 6 files changed, 23 insertions(+), 25 deletions(-) (limited to 'app/Models/Auth.php') diff --git a/app/Controllers/configureController.php b/app/Controllers/configureController.php index d0f0bd68b..147a2fe06 100755 --- a/app/Controllers/configureController.php +++ b/app/Controllers/configureController.php @@ -139,7 +139,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController { */ public function sharingAction() { if (Minz_Request::isPost()) { - $params = Minz_Request::params(); + $params = Minz_Request::fetchGET(); FreshRSS_Context::$user_conf->sharing = $params['share']; FreshRSS_Context::$user_conf->save(); invalidateHttpCache(); @@ -282,7 +282,7 @@ class FreshRSS_configure_Controller extends Minz_ActionController { foreach (FreshRSS_Context::$user_conf->queries as $key => $query) { $queries[$key] = new FreshRSS_UserQuery($query, $feed_dao, $category_dao); } - $params = Minz_Request::params(); + $params = Minz_Request::fetchGET(); $params['url'] = Minz_Url::display(array('params' => $params)); $params['name'] = _t('conf.query.number', count($queries) + 1); $queries[] = new FreshRSS_UserQuery($params, $feed_dao, $category_dao); diff --git a/app/Models/Auth.php b/app/Models/Auth.php index f0e8db5a2..b93942e19 100644 --- a/app/Models/Auth.php +++ b/app/Models/Auth.php @@ -173,7 +173,7 @@ class FreshRSS_Auth { return true; //Not logged in yet } if ($token === null) { - $token = Minz_Request::param('_csrf'); + $token = Minz_Request::fetchPOST('_csrf'); } return $token === $csrf; } diff --git a/app/views/entry/bookmark.phtml b/app/views/entry/bookmark.phtml index 6b5a4ed03..d85706669 100755 --- a/app/views/entry/bookmark.phtml +++ b/app/views/entry/bookmark.phtml @@ -1,17 +1,16 @@ Minz_Request::controllerName(), 'a' => Minz_Request::actionName(), - 'params' => Minz_Request::params(), -)); + 'params' => Minz_Request::fetchGET(), +); + +$url['params']['is_favorite'] = Minz_Request::param('is_favorite', true) ? '0' : '1'; FreshRSS::loadStylesAndScripts(); -echo json_encode(array('url' => str_ireplace('&', '&', $url), 'icon' => _i(Minz_Request::param('is_favorite') ? 'non-starred' : 'starred'))); +echo json_encode(array( + 'url' => str_ireplace('&', '&', Minz_Url::display($url)), + 'icon' => _i($url['params']['is_favorite'] === '1' ? 'non-starred' : 'starred') + )); diff --git a/app/views/entry/read.phtml b/app/views/entry/read.phtml index 7d0e3de82..73977d94b 100755 --- a/app/views/entry/read.phtml +++ b/app/views/entry/read.phtml @@ -1,17 +1,16 @@ Minz_Request::controllerName(), 'a' => Minz_Request::actionName(), - 'params' => Minz_Request::params(), -)); + 'params' => Minz_Request::fetchGET(), +); + +$url['params']['is_read'] = Minz_Request::param('is_read', true) ? '0' : '1'; FreshRSS::loadStylesAndScripts(); -echo json_encode(array('url' => str_ireplace('&', '&', $url), 'icon' => _i(Minz_Request::param('is_read') ? 'unread' : 'read'))); +echo json_encode(array( + 'url' => str_ireplace('&', '&', Minz_Url::display($url)), + 'icon' => _i($url['params']['is_read'] === '1' ? 'unread' : 'read') + )); diff --git a/app/views/helpers/logs_pagination.phtml b/app/views/helpers/logs_pagination.phtml index 58b3c68f4..bf9d91f04 100755 --- a/app/views/helpers/logs_pagination.phtml +++ b/app/views/helpers/logs_pagination.phtml @@ -1,7 +1,7 @@ nbPage > 1) { ?> diff --git a/app/views/index/global.phtml b/app/views/index/global.phtml index 0ffa3bc54..1e53e4f8c 100644 --- a/app/views/index/global.phtml +++ b/app/views/index/global.phtml @@ -14,7 +14,7 @@ $url_base = array( 'c' => 'index', 'a' => 'normal', - 'params' => Minz_Request::params() + 'params' => Minz_Request::fetchGET(), ); foreach ($this->categories as $cat) { -- cgit v1.2.3