From 0a70acdcfb5fcbc63dbc5750018d608288eba3fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=BE=85=E0=BC=BB=20=C7=AC=C9=80=C4=A7=20=E0=BC=84?= =?UTF-8?q?=E0=BC=86=E0=BD=89?=
Date: Tue, 24 Aug 2021 18:10:08 +0200
Subject: [PATCH] Minor security improvements (#3034)

* Prevent iframe jacking

* Enforce nonce on admin login screen
---
 admin/admin-ajax.php | 1 +
 includes/functions-auth.php | 6 ++++++
 includes/functions-html.php | 2 ++
 includes/functions.php | 25 ++++++++++++++++++++++++-
 4 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/admin/admin-ajax.php b/admin/admin-ajax.php
index 8dbc0b27b..77f68ac2b 100644
--- a/admin/admin-ajax.php
+++ b/admin/admin-ajax.php
@@ -7,6 +7,7 @@
 // This file will output a JSON string
 yourls_content_type_header( 'application/json' );
 yourls_no_cache_headers();
+yourls_no_frame_header();
 if( !isset( $_REQUEST['action'] ) ) die();
diff --git a/includes/functions-auth.php b/includes/functions-auth.php
index 303d39459..d34b3d53e 100644
--- a/includes/functions-auth.php
+++ b/includes/functions-auth.php
@@ -122,6 +122,12 @@ function yourls_is_valid_user() {
 */
 function yourls_check_username_password() {
 global $yourls_user_passwords;
+
+ // If login form (not API), check for nonce
+ if(!yourls_is_API()) {
+ yourls_verify_nonce('admin_login');
+ }
+
 if( isset( $yourls_user_passwords[ $_REQUEST['username'] ] ) && yourls_check_password_hash( $_REQUEST['username'], $_REQUEST['password'] ) ) {
 yourls_set_user( $_REQUEST['username'] );
 return true;
diff --git a/includes/functions-html.php b/includes/functions-html.php
index 3d68c1d4e..1cb7fa6d9 100644
--- a/includes/functions-html.php
+++ b/includes/functions-html.php
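Review bot: The result of `yourls_verify_nonce('admin_login')` in the new block of yourls_check_username_password() is discarded, so if that helper reports a missing or invalid nonce by return value rather than by terminating the request, the password check on the following line still runs and the nonce adds no protection. Making the outcome explicit at the call site removes the dependency on that helper's failure mode: `if( !yourls_is_API() && !yourls_verify_nonce( 'admin_login' ) ) { return false; }`, mirroring what the failed-password path presumably returns below the hunk. The hunk that adds the matching nonce field to the login form (functions-html.php, @@ -725) is truncated at the end of this chunk, so I cannot confirm its action name matches `'admin_login'`. Any plugin or custom login form that posts credentials without that field will now be rejected by this check, which is worth a line in the changelog. The body of yourls_check_username_password() continues past the end of the hunk.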
@@ -59,6 +59,7 @@ function yourls_html_head( $context = 'index', $title = '' ) {
 // Force no cache for all admin pages
 if( yourls_is_admin() && !headers_sent() ) {
 yourls_no_cache_headers();
+ yourls_no_frame_header();
 yourls_content_type_header( yourls_apply_filter( 'html_head_content-type', 'text/html' ) );
 yourls_do_action( 'admin_headers', $context, $title );
 }
@@ -725,6 +726,7 @@ function yourls_login_screen( $error_msg = '' ) {
 yourls_do_action( 'login_form_bottom' ); ?>

+