Protect DML operations against CSRF

bigprof-software · Sep 13, 2021 · f45953e · f45953e
1 parent 2bca559
commit f45953e
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,4 @@ app/images
 *.cache
 *.zip
 test*.php
+app/admin/backups
diff --git a/app/common.js b/app/common.js
@@ -643,7 +643,7 @@ function mass_delete(t, ids) {
 						if(!continue_delete) return;
 						jQuery.ajax(t + '_view.php', {
 							type: 'POST',
-							data: { delete_x: 1, SelectedID: ids[itrn] },
+							data: { delete_x: 1, SelectedID: ids[itrn], csrf_token: $j('#csrf_token').val() },
 							success: function(resp) {
 								if(resp != 'OK') {
 									jQuery('<li class="text-danger">' + resp + '</li>').appendTo('.well.details_list ol');

diff --git a/app/datalist.php b/app/datalist.php
@@ -240,6 +240,9 @@ function Render() {
 		}
 
 		elseif($insert_x != '') {
+			// insert only if either a csrf or jwt token is provided
+			if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);
+
 			$error_message = '';
 			$SelectedID = call_user_func_array(
 				$this->TableName . '_insert', 
@@ -290,6 +293,9 @@ function Render() {
 		}
 
 		elseif($delete_x != '') {
+			// delete only if either a csrf or jwt token is provided
+			if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);
+
 			$delete_res = call_user_func_array($this->TableName.'_delete', array($SelectedID, $this->AllowDeleteOfParents, $SkipChecks));
 			// handle ajax delete requests
 			if(is_ajax()) {
@@ -314,6 +320,9 @@ function Render() {
 		}
 
 		elseif($update_x != '') {
+			// update only if either a csrf or jwt token is provided
+			if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);
+
 			$error_message = '';
 			$updated = call_user_func_array(
 				$this->TableName . '_update',