From f45953e26ffdbc37735239da20a9bf43c6bdc6c3 Mon Sep 17 00:00:00 2001
From: Ahmad Gneady
Date: Mon, 13 Sep 2021 17:03:08 +0200
Subject: [PATCH] Protect DML operations against CSRF
---
 .gitignore | 1 +
 app/common.js | 2 +-
 app/datalist.php | 9 +++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 64d15ac..a33d44e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ app/images
 *.cache
 *.zip
 test*.php
+app/admin/backups
diff --git a/app/common.js b/app/common.js
index 4dccf21..29a402d 100644
--- a/app/common.js
+++ b/app/common.js
@@ -643,7 +643,7 @@ function mass_delete(t, ids) {
 if(!continue_delete) return;
 jQuery.ajax(t + '_view.php', {
 type: 'POST',
- data: { delete_x: 1, SelectedID: ids[itrn] },
+ data: { delete_x: 1, SelectedID: ids[itrn], csrf_token: $j('#csrf_token').val() },
 success: function(resp) {
 if(resp != 'OK') {
 jQuery('
  • ' + resp + '
  • ').appendTo('.well.details_list ol'); diff --git a/app/datalist.php b/app/datalist.php index feb1fcb..7497ea7 100644 --- a/app/datalist.php +++ b/app/datalist.php @@ -240,6 +240,9 @@ function Render() { } elseif($insert_x != '') { + // insert only if either a csrf or jwt token is provided + if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']); + $error_message = ''; $SelectedID = call_user_func_array( $this->TableName . '_insert', @@ -290,6 +293,9 @@ function Render() { } elseif($delete_x != '') { + // delete only if either a csrf or jwt token is provided + if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']); + $delete_res = call_user_func_array($this->TableName.'_delete', array($SelectedID, $this->AllowDeleteOfParents, $SkipChecks)); // handle ajax delete requests if(is_ajax()) { @@ -314,6 +320,9 @@ function Render() { } elseif($update_x != '') { + // update only if either a csrf or jwt token is provided + if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']); + $error_message = ''; $updated = call_user_func_array( $this->TableName . '_update',
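Review bot: The added `csrf_token` value reads the hidden field through `$j` while every other call in this hunk uses the `jQuery` global, so the new line depends on a second alias being defined on the page; for consistency I would write `csrf_token: jQuery('#csrf_token').val()`. The ajax call sits inside a loop over `ids`, so the same token value is posted once per id — if `csrf_token(true)` on the server side invalidates a token after a successful check, every request after the first would be rejected, which is worth confirming against that helper. If `#csrf_token` is not present in the DOM the request goes out with an empty token and the server's rejection message is what ends up appended to the list; that is a tolerable failure mode, but a one-line guard or console warning would make it explicit. mass_delete starts before this hunk and the ajax callback continues past it.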
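Review bot: The `!jwt_check_login()` fallback on the new insert guard makes the CSRF check only as strong as the JWT transport: it is safe if `jwt_check_login()` reads the token from an `Authorization` header, but if that helper also accepts a cookie-borne JWT the browser will attach it to a cross-site form post just like the session cookie, and this branch would accept a forged insert with no CSRF token at all. `jwt_check_login()` is not visible in this diff, so please confirm where it takes the token from and record the assumption beside the check: `// JWT-authenticated API clients skip the CSRF token; relies on jwt_check_login() reading the token from a header, never a cookie`. Render() starts before this hunk and continues past it.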
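Review bot: The new delete guard `die()`s with the translated message but leaves the HTTP status at 200, so a rejected delete is indistinguishable from a successful one for anything that does not parse the body. Since the AJAX caller in common.js has only a `success` handler and tests `resp != 'OK'`, switching to 403 here would hide the message from mass_delete; if a status code is added, either keep 200 when `is_ajax()` or add an `error` handler on the JavaScript side. A short comment on the guard would stop someone "fixing" the status later: `// keep HTTP 200: mass_delete() in common.js reads the rejection message from the response body`. Render() starts before this hunk and continues past it.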
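Review bot: The guard added here is the third byte-identical copy of the same line in this commit (insert and delete get the other two), so any future change to the policy — a different message, a status code, logging — has to be made in three places. A small private helper keeps the policy in one spot: `private function require_csrf_or_jwt() {`, `if(csrf_token(true) || jwt_check_login()) return;`, `die($this->translation['csrf token expired or invalid']); }`, and each branch then reduces to `$this->require_csrf_or_jwt();`. The `// update only if either a csrf or jwt token is provided` comment would move onto the helper as its docblock. Render() starts before this hunk and continues past it.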