From 23bb11fa4f9eeb3d9940c444713374d1ac5622a3 Mon Sep 17 00:00:00 2001
From: Seth
Date: Sun, 26 Sep 2021 09:35:34 -0400
Subject: [PATCH] Add CSRF checks to additional endpoints
---
 .../manage/PawtucketController.php | 8 +++++--
 .../manage/sets/SetEditorController.php | 4 ++++
 app/helpers/displayHelpers.php | 8 +++---
 app/helpers/navigationHelpers.php | 2 +-
 app/helpers/utilityHelpers.php | 4 ++--
 app/lib/BaseEditorController.php | 22 ++++++++++++++++++-
 .../views/bundles/change_type_html.php | 4 ++--
 .../Pawtucket/edit_global_values_html.php | 4 ++--
 8 files changed, 42 insertions(+), 14 deletions(-)
diff --git a/app/controllers/manage/PawtucketController.php b/app/controllers/manage/PawtucketController.php
index 01a5a2fecf..c35062b28d 100644
--- a/app/controllers/manage/PawtucketController.php
+++ b/app/controllers/manage/PawtucketController.php
@@ -7,7 +7,7 @@
  * ----------------------------------------------------------------------
  *
  * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2016 Whirl-i-Gig
+ * Copyright 2016-2021 Whirl-i-Gig
  *
  * For more information visit http://www.CollectiveAccess.org
  *
@@ -124,6 +124,10 @@ public function editGlobalValues() {
  *
  */
 public function saveGlobalValues() {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ $this->editGlobalValues();
+ return;
+ }
 if(!$this->request->getUser()->canDoAction('can_edit_theme_global_values')) { throw new ApplicationException("No access"); }
 if (caGetGlobalValuesCount() == 0) { throw new ApplicationException("No global values defined"); }
@@ -157,4 +161,4 @@ public function Info() {
 return $this->render('Pawtucket/widget_pawtucket_info_html.php', true);
 }
 # -------------------------------------------------------
- }
\ No newline at end of file
+ }
diff --git a/app/controllers/manage/sets/SetEditorController.php b/app/controllers/manage/sets/SetEditorController.php
index af11b06624..adea669ec2 100644
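Review bot: The fallback branch added to saveGlobalValues (`$this->editGlobalValues(); return;`) is only reachable if caValidateCSRFToken returns false rather than throwing, but the helper's docblock in this same patch says `exceptions` defaults to true, and the only options it documents are `remove` and `exceptions`; whether `notifications` turns the exception off is not visible in the diff. If the exception path is what actually fires, the re-render is dead code and the user gets an unhandled ApplicationException instead of the editor with a notification. Either pass `'exceptions' => false` next to `'notifications'`, or drop the branch and rely on the exception as the BaseEditorController sites in this patch do. SetEditorController::DuplicateItems below has the same shape (`$this->Edit(); return;`) and the same question applies there.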
--- a/app/controllers/manage/sets/SetEditorController.php
+++ b/app/controllers/manage/sets/SetEditorController.php
@@ -254,6 +254,10 @@ public function getSetMedia() {
  *
  */
 public function DuplicateItems() {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ $this->Edit();
+ return;
+ }
 $t_set = new ca_sets($this->getRequest()->getParameter('set_id', pInteger));
 if(!$t_set->getPrimaryKey()) { return; }
diff --git a/app/helpers/displayHelpers.php b/app/helpers/displayHelpers.php
index f79f982789..fb99260542 100644
--- a/app/helpers/displayHelpers.php
+++ b/app/helpers/displayHelpers.php
@@ -1145,7 +1145,7 @@ function caEditorInspector($po_view, $pa_options=null) {
 function caToggleItemWatch() {
 var url = '".caNavUrl($po_view->request, $po_view->request->getModulePath(), $po_view->request->getController(), 'toggleWatch', array($t_item->primaryKey() => $vn_item_id))."';
- jQuery.getJSON(url, {}, function(data, status) {
+ jQuery.getJSON(url, {'csrfToken': ".json_encode(caGenerateCSRFToken($po_view->request))."}, function(data, status) {
 if (data['status'] == 'ok') {
 jQuery('#caWatchItemButton').html((data['state'] == 'watched') ? '".addslashes(caNavIcon(__CA_NAV_ICON_UNWATCH__, '20px'))."' : '".addslashes(caNavIcon(__CA_NAV_ICON_WATCH__, '20px'))."');
 } else {
@@ -1204,7 +1204,7 @@ function caToggleItemWatch() {
 if($po_view->request->user->canDoAction('can_duplicate_'.$vs_table_name) && $t_item->getPrimaryKey()) {
 $vs_buf .= '
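Review bot: The token embedded in caToggleItemWatch is generated once when the inspector is rendered, and caValidateCSRFToken's docblock (changed later in this patch) says `remove` defaults to true, so the first successful toggle consumes it and a second click on the same page will fail the new check in toggleWatch. Either pass `'remove' => false` at the toggleWatch call site, or have the JSON response carry a fresh token that this callback stores for the next request. Note too that `json_encode` of the token is emitted inside a JavaScript object literal that sits in a PHP double-quoted string, so any change to how tokens are generated needs to stay JSON-safe here. The enclosing caEditorInspector function starts and ends outside the hunk.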
';
- $vs_buf .= caFormTag($po_view->request, 'Edit', 'DuplicateItemForm', $po_view->request->getModulePath().'/'.$po_view->request->getController(), 'post', 'multipart/form-data', '_top', array('noCSRFToken' => true, 'disableUnsavedChangesWarning' => true, 'noTimestamp' => true));
+ $vs_buf .= caFormTag($po_view->request, 'Edit', 'DuplicateItemForm', $po_view->request->getModulePath().'/'.$po_view->request->getController(), 'post', 'multipart/form-data', '_top', array('noCSRFToken' => false, 'disableUnsavedChangesWarning' => true, 'noTimestamp' => true));
 $vs_buf .= "
".caFormSubmitLink($po_view->request, caNavIcon(__CA_NAV_ICON_DUPLICATE__, '20px'), '', 'DuplicateItemForm')."
"; $vs_buf .= caHTMLHiddenInput($t_item->primaryKey(), array('value' => $t_item->getPrimaryKey())); @@ -1511,7 +1511,7 @@ function caAddObjectToLotForm() { if(!(bool)$po_view->request->config->get('ca_sets_disable_duplication_of_items') && $po_view->request->user->canDoAction('can_duplicate_items_in_sets') && $po_view->request->user->canDoAction('can_duplicate_' . $vs_set_table_name)) { $vs_buf .= '
';
- $vs_buf .= caFormTag($po_view->request, 'DuplicateItems', 'caDupeSetItemsForm', 'manage/sets/SetEditor', 'post', 'multipart/form-data', '_top', array('noCSRFToken' => true, 'disableUnsavedChangesWarning' => true));
+ $vs_buf .= caFormTag($po_view->request, 'DuplicateItems', 'caDupeSetItemsForm', 'manage/sets/SetEditor', 'post', 'multipart/form-data', '_top', array('noCSRFToken' => false, 'disableUnsavedChangesWarning' => true));
 $vs_buf .= _t("Duplicate items in this set and add to") . " ";
 $vs_buf .= caHTMLSelect('setForDupes', array(
 _t('current set') => 'current',
';
- $vs_buf .= caFormTag($po_view->request, 'Edit', 'NewChildForm', 'administrate/setup/list_item_editor/ListItemEditor', 'post', 'multipart/form-data', '_top', array('noCSRFToken' => true, 'disableUnsavedChangesWarning' => true));
+ $vs_buf .= caFormTag($po_view->request, 'Edit', 'NewChildForm', 'administrate/setup/list_item_editor/ListItemEditor', 'post', 'multipart/form-data', '_top', array('noCSRFToken' => false, 'disableUnsavedChangesWarning' => true));
 $vs_buf .= _t('Add a %1 to this list', $vs_type_list).caHTMLHiddenInput($t_list_item->primaryKey(), array('value' => '0')).caHTMLHiddenInput('parent_id', array('value' => $t_list_item->getPrimaryKey()));
 $vs_buf .= caFormSubmitLink($po_view->request, caNavIcon(__CA_NAV_ICON_ADD__, '18px'), '', 'NewChildForm');
 $vs_buf .= "
\n";
diff --git a/app/helpers/navigationHelpers.php b/app/helpers/navigationHelpers.php
index 2846d95557..d68c3bddbe 100644
--- a/app/helpers/navigationHelpers.php
+++ b/app/helpers/navigationHelpers.php
@@ -420,7 +420,7 @@ function caFormTag($po_request, $ps_action, $ps_id, $ps_module_and_controller_pa
 $vs_buf .= caHTMLHiddenInput('form_timestamp', array('value' => time()));
 }
 if (!caGetOption('noCSRFToken', $pa_options, false)) {
- $vs_buf .= caHTMLHiddenInput('crsfToken', array('value' => caGenerateCSRFToken($po_request)));
+ $vs_buf .= caHTMLHiddenInput('csrfToken', array('value' => caGenerateCSRFToken($po_request)));
 }
 if (!caGetOption('disableUnsavedChangesWarning', $pa_options, false)) {
diff --git a/app/helpers/utilityHelpers.php b/app/helpers/utilityHelpers.php
index b2aa25c8a1..ddfc135e86 100644
--- a/app/helpers/utilityHelpers.php
+++ b/app/helpers/utilityHelpers.php
@@ -3611,7 +3611,7 @@ function caGenerateCSRFToken($po_request=null){
  * Validate CSRF token using current session
  *
  * @param RequestHTTP $po_request Current request
- * @param string $ps_token CSRF token to validate. If omitted token in the "crsfToken" parameter is extracted from current request.
+ * @param string $ps_token CSRF token to validate. If omitted token in the "csrfToken" parameter is extracted from current request.
  * @param array $pa_options Options include:
  * remove = remove validated token from active token list. [Default is true]
  * exceptions = throw exception if token is invalid. [Default is true]
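Review bot: Renaming the hidden field from `crsfToken` to `csrfToken` here, together with the matching read in caValidateCSRFToken further down, changes the wire name every consumer must use; any form or script outside this patch that still posts `crsfToken` will start failing validation as soon as its handler is checked. A grep for the old name before merge is worth it, and if a transition window is wanted the reader could accept both for one release, e.g. `$ps_token = $po_request->getParameter('csrfToken', pString) ?: $po_request->getParameter('crsfToken', pString);`. The enclosing caFormTag function starts and ends outside the hunk.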
@@ -3621,7 +3621,7 @@ function caGenerateCSRFToken($po_request=null){
 function caValidateCSRFToken($po_request, $ps_token=null, $pa_options=null){
 $session_id = $po_request ? $po_request->getSessionID() : 'none';
- if(!$ps_token) { $ps_token = $po_request->getParameter('crsfToken', pString); }
+ if(!$ps_token) { $ps_token = $po_request->getParameter('csrfToken', pString); }
 if (!is_array($va_tokens = PersistentCache::fetch("csrf_tokens_{$session_id}", "csrf_tokens"))) { $va_tokens = []; }
 if (isset($va_tokens[$ps_token])) {
diff --git a/app/lib/BaseEditorController.php b/app/lib/BaseEditorController.php
index 33021ede28..1104f3cfb3 100644
--- a/app/lib/BaseEditorController.php
+++ b/app/lib/BaseEditorController.php
@@ -7,7 +7,7 @@
  * ----------------------------------------------------------------------
  *
  * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2009-2018 Whirl-i-Gig
+ * Copyright 2009-2021 Whirl-i-Gig
  *
  * For more information visit http://www.CollectiveAccess.org
  *
@@ -91,6 +91,10 @@ public function Edit($pa_values=null, $pa_options=null) {
 // Are we duplicating?
 //
 if (($vs_mode == 'dupe') && $this->request->user->canDoAction('can_duplicate_'.$t_subject->tableName())) {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ throw new ApplicationException(_t('CSRF check failed'));
+ return;
+ }
 if (!($vs_type_name = $t_subject->getTypeName())) {
 $vs_type_name = $t_subject->getProperty('NAME_SINGULAR');
 }
@@ -1027,6 +1031,10 @@ public function Access($pa_options=null) {
  * @param array $pa_options Array of options passed through to _initView
  */
 public function SetAccess($pa_options=null) {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ throw new ApplicationException(_t('CSRF check failed'));
+ return;
+ }
 list($vn_subject_id, $t_subject) = $this->_initView($pa_options);
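Review bot: The changed line still dereferences `$po_request` unconditionally (`$po_request->getParameter('csrfToken', pString)`) although the line just above tolerates a null request (`$po_request ? $po_request->getSessionID() : 'none'`), so a null request with no explicit token is a fatal error rather than a failed validation. Since the line is being touched anyway, `if(!$ps_token) { $ps_token = $po_request ? $po_request->getParameter('csrfToken', pString) : null; }` keeps the null-tolerance consistent and lets the token lookup on the following lines reject it normally. The rest of caValidateCSRFToken runs past the hunk, so how an absent token is reported is not visible here.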
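Review bot: The `return;` after `throw new ApplicationException(_t('CSRF check failed'));` in Edit is unreachable, and the same `throw` / `return;` pair is added to SetAccess in the next hunk and to exportItem, toggleWatch and SaveAnnotations further down; dropping the dead `return;` at all five sites would read cleaner. This also differs from the PawtucketController and SetEditorController sites in the patch, which re-render on failure instead of throwing, so settling on one failure behaviour for CSRF rejections would help callers and tests. In Edit the check sits inside the dupe branch only, so a plain edit render is unaffected; the function starts and ends outside the hunk.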
@@ -1454,6 +1462,10 @@ public function getResultContext() {
  * Export data is rendered into the current view inherited from ActionController
  */
 public function exportItem() {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ throw new ApplicationException(_t('CSRF check failed'));
+ return;
+ }
 list($vn_subject_id, $t_subject) = $this->_initView();
 if (!$this->_checkAccess($t_subject)) { return false; }
@@ -1474,6 +1486,10 @@ public function exportItem() {
  * Add item to user's watch list. Intended to be called via ajax, and JSON response is returned in the current view inherited from ActionController
  */
 public function toggleWatch() {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ throw new ApplicationException(_t('CSRF check failed'));
+ return;
+ }
 list($vn_subject_id, $t_subject) = $this->_initView();
 require_once(__CA_MODELS_DIR__.'/ca_watch_list.php');
@@ -2187,6 +2203,10 @@ public function GetAnnotations() {
  *
  */
 public function SaveAnnotations() {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ throw new ApplicationException(_t('CSRF check failed'));
+ return;
+ }
 global $g_ui_locale_id;
 $pn_representation_id = $this->request->getParameter('representation_id', pInteger);
 $t_rep = new ca_object_representations($pn_representation_id);
diff --git a/themes/default/views/bundles/change_type_html.php b/themes/default/views/bundles/change_type_html.php
index 1901705354..18696c3714 100644
--- a/themes/default/views/bundles/change_type_html.php
+++ b/themes/default/views/bundles/change_type_html.php
@@ -7,7 +7,7 @@
  * ----------------------------------------------------------------------
  *
  * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2012-2019 Whirl-i-Gig
+ * Copyright 2012-2021 Whirl-i-Gig
  *
  * For more information visit http://www.CollectiveAccess.org
  *
@@ -55,7 +55,7 @@
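Review bot: toggleWatch is reached with the token as a query-string parameter (the `jQuery.getJSON(url, {'csrfToken': ...})` call in displayHelpers in this patch), so the new check passes, but a per-session secret carried in the URL ends up in server and proxy access logs and browser history. Switching the client to a POST with the token in the body, and optionally refusing other methods here with `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { throw new ApplicationException(_t('CSRF check failed')); }`, would keep it out of those logs; the docblock says the action is ajax-only, so the client change is contained to caEditorInspector. The rest of toggleWatch, including how the JSON status is produced, runs past the hunk.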
getProperty('NAME_SINGULAR')); ?>
- request, 'ChangeType', 'caChangeTypeForm', null, 'post', 'multipart/form-data', '_top', ['noCSRFToken' => true, 'disableUnsavedChangesWarning' => true]); ?>
+ request, 'ChangeType', 'caChangeTypeForm', null, 'post', 'multipart/form-data', '_top', ['noCSRFToken' => false, 'disableUnsavedChangesWarning' => true]); ?>

Warning: changing the %1 type will cause information in all fields not applicable to the new type to be discarded. This action cannot be undone.', $t_item->getProperty('NAME_SINGULAR')); ?>

getTypeName()) ? _t('Change type from %1 to %2', $vs_typename, $t_item->getTypeListAsHTMLFormElement('type_id', array('id' => 'caChangeTypeFormTypeID'), array('omitItemsWithID' => array($t_item->getTypeID()), 'childrenOfCurrentTypeOnly' => false, 'directChildrenOnly' => false, 'returnHierarchyLevels' => true, 'access' => __CA_BUNDLE_ACCESS_EDIT__)))
diff --git a/themes/default/views/manage/Pawtucket/edit_global_values_html.php b/themes/default/views/manage/Pawtucket/edit_global_values_html.php
index 4f947efaa4..fba40c672a 100644
--- a/themes/default/views/manage/Pawtucket/edit_global_values_html.php
+++ b/themes/default/views/manage/Pawtucket/edit_global_values_html.php
@@ -7,7 +7,7 @@
  * ----------------------------------------------------------------------
  *
  * Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2016 Whirl-i-Gig
+ * Copyright 2016-2021 Whirl-i-Gig
  *
  * For more information visit http://www.CollectiveAccess.org
  *
@@ -49,7 +49,7 @@
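Review bot: Flipping `noCSRFToken` to false in this view only emits the hidden field; the `ChangeType` action the form posts to is not touched by this patch, so unless it already calls caValidateCSRFToken the token is generated and stored in the session's token list but never checked. The NewChildForm in displayHelpers has the same gap: it posts to `Edit` of ListItemEditor without dupe mode, and the Edit hunk in this patch validates only inside the dupe branch. Adding the same `if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) { ... }` guard at the top of ChangeType (and a non-dupe path in Edit, if that is intended) would close the loop.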

request, 'saveGlobalValues', 'globalValuesForm', null, 'post', 'multipart/form-data', '_top', ['noCSRFToken' => true, 'disableUnsavedChangesWarning' => true]);
+ print caFormTag($this->request, 'saveGlobalValues', 'globalValuesForm', null, 'post', 'multipart/form-data', '_top', ['noCSRFToken' => false, 'disableUnsavedChangesWarning' => true]); if (sizeof($va_form_elements) > 0) { foreach($va_form_elements as $vs_name => $va_info) {