From a5602bca2566f1be370631c3ab2d40feedd4b3ad Mon Sep 17 00:00:00 2001
From: Johan Cwiklinski <johan@x-tnd.be>
Date: Mon, 8 Nov 2021 23:36:58 +0100
Subject: [PATCH] Add CSRF Middleware

Add csrf inputs on all forms
Use an exception rather than default blank page
Add CSRF check on ajax post requests
Make CSRF token persistent to ease with ajax calls
---
 galette/composer.json                         |   3 +-
 galette/composer.lock                         | 106 +++++++++++++++++-
 galette/includes/dependencies.php             |  25 +++++
 galette/includes/main.inc.php                 |   2 +
 galette/lib/Galette/Middleware/SmartyCsrf.php |  96 ++++++++++++++++
 galette/templates/default/admintools.tpl      |   3 +-
 galette/templates/default/advanced_search.tpl |   1 +
 .../default/ajouter_contribution.tpl          |   1 +
 .../templates/default/ajouter_transaction.tpl |   1 +
 .../default/attendance_sheet_details.tpl      |   1 +
 galette/templates/default/change_passwd.tpl   |   1 +
 galette/templates/default/common_scripts.tpl  |  18 +++
 galette/templates/default/config_fields.tpl   |   1 +
 galette/templates/default/config_lists.tpl    |   1 +
 galette/templates/default/confirm_removal.tpl |   1 +
 galette/templates/default/directlink.tpl      |   1 +
 .../templates/default/edit_paymenttype.tpl    |   1 +
 galette/templates/default/edit_title.tpl      |   1 +
 galette/templates/default/editer_champ.tpl    |   1 +
 galette/templates/default/editer_intitule.tpl |   1 +
 galette/templates/default/export.tpl          |   1 +
 .../templates/default/forms_types/csrf.tpl    |   2 +
 .../templates/default/gestion_adherents.tpl   |   4 +-
 .../default/gestion_contributions.tpl         |   2 +
 .../templates/default/gestion_intitules.tpl   |   1 +
 .../templates/default/gestion_mailings.tpl    |   1 +
 .../default/gestion_paymentstypes.tpl         |   1 +
 .../templates/default/gestion_pdf_content.tpl |   1 +
 galette/templates/default/gestion_textes.tpl  |   2 +
 galette/templates/default/gestion_titres.tpl  |   1 +
 .../default/gestion_transactions.tpl          |   1 +
 galette/templates/default/group.tpl           |   1 +
 galette/templates/default/history.tpl         |   1 +
 galette/templates/default/import.tpl          |   2 +
 galette/templates/default/import_model.tpl    |   1 +
 galette/templates/default/index.tpl           |   1 +
 galette/templates/default/liste_membres.tpl   |   1 +
 galette/templates/default/lostpasswd.tpl      |   1 +
 .../templates/default/mailing_adherents.tpl   |   2 +-
 .../default/mass_add_contribution.tpl         |   1 +
 .../templates/default/mass_change_members.tpl |   1 +
 .../templates/default/mass_choose_type.tpl    |   1 +
 galette/templates/default/member.tpl          |   2 +-
 galette/templates/default/plugin_initdb.tpl   |   1 +
 galette/templates/default/preferences.tpl     |   1 +
 galette/templates/default/reminder.tpl        |   1 +
 galette/templates/default/saved_searches.tpl  |   1 +
 .../templates/default/traduire_libelles.tpl   |   2 +
 galette/templates/default/trombinoscope.tpl   |   1 +
 49 files changed, 299 insertions(+), 6 deletions(-)
 create mode 100644 galette/lib/Galette/Middleware/SmartyCsrf.php
 create mode 100644 galette/templates/default/forms_types/csrf.tpl

diff --git a/galette/composer.json b/galette/composer.json
index f33d8d0058..b9d7244760 100644
--- a/galette/composer.json
+++ b/galette/composer.json
@@ -50,7 +50,8 @@
         "doctrine/annotations": "^1.8",
         "laminas/laminas-servicemanager": "3.7",
         "symfony/polyfill-php80": "^1.23",
-        "ezyang/htmlpurifier": "^4.13"
+        "ezyang/htmlpurifier": "^4.13",
+        "slim/csrf": "0.8.3"
     },
     "require-dev": {
         "atoum/atoum": "dev-master",
diff --git a/galette/composer.lock b/galette/composer.lock
index 79e9819a4e..511eb07ece 100644
--- a/galette/composer.lock
+++ b/galette/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "47d56d47701d9038105bd93cf3b44a02",
+    "content-hash": "be12f467246cd29921b64f8f84dc17a8",
     "packages": [
         {
             "name": "akrabat/rka-slim-session-middleware",
@@ -2213,6 +2213,56 @@
             },
             "time": "2021-04-09T13:42:10+00:00"
         },
+        {
+            "name": "paragonie/random_compat",
+            "version": "v9.99.100",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/paragonie/random_compat.git",
+                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a",
+                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">= 7"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "4.*|5.*",
+                "vimeo/psalm": "^1"
+            },
+            "suggest": {
+                "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
+            },
+            "type": "library",
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Paragon Initiative Enterprises",
+                    "email": "security@paragonie.com",
+                    "homepage": "https://paragonie.com"
+                }
+            ],
+            "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
+            "keywords": [
+                "csprng",
+                "polyfill",
+                "pseudorandom",
+                "random"
+            ],
+            "support": {
+                "email": "info@paragonie.com",
+                "issues": "https://github.com/paragonie/random_compat/issues",
+                "source": "https://github.com/paragonie/random_compat"
+            },
+            "time": "2020-10-15T08:29:30+00:00"
+        },
         {
             "name": "php-di/invoker",
             "version": "2.3.2",
@@ -2808,6 +2858,60 @@
             },
             "time": "2017-10-23T01:57:42+00:00"
         },
+        {
+            "name": "slim/csrf",
+            "version": "0.8.3",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/slimphp/Slim-Csrf.git",
+                "reference": "5f2bcf5d89adf86dc0455a32bea84d912ab466a7"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/slimphp/Slim-Csrf/zipball/5f2bcf5d89adf86dc0455a32bea84d912ab466a7",
+                "reference": "5f2bcf5d89adf86dc0455a32bea84d912ab466a7",
+                "shasum": ""
+            },
+            "require": {
+                "paragonie/random_compat": "^1.1|^2.0|^9.99",
+                "php": ">=5.5.0",
+                "psr/http-message": "^1.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^4.0",
+                "slim/slim": "~3.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Slim\\Csrf\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Josh Lockhart",
+                    "email": "hello@joshlockhart.com",
+                    "homepage": "http://joshlockhart.com"
+                }
+            ],
+            "description": "Slim Framework 3 CSRF protection middleware",
+            "homepage": "http://slimframework.com",
+            "keywords": [
+                "csrf",
+                "framework",
+                "middleware",
+                "slim"
+            ],
+            "support": {
+                "issues": "https://github.com/slimphp/Slim-Csrf/issues",
+                "source": "https://github.com/slimphp/Slim-Csrf/tree/master"
+            },
+            "time": "2018-08-22T16:12:18+00:00"
+        },
         {
             "name": "slim/flash",
             "version": "0.4.0",
diff --git a/galette/includes/dependencies.php b/galette/includes/dependencies.php
index 8cf6b47d92..c1e86bebb0 100644
--- a/galette/includes/dependencies.php
+++ b/galette/includes/dependencies.php
@@ -432,6 +432,31 @@
         )
 );
 
+$container->set(
+    'csrf',
+    function (ContainerInterface $c) {
+        $storage = null;
+        $guard = new \Slim\Csrf\Guard(
+            'csrf',
+            $storage,
+            null,
+            200,
+            16,
+            true
+        );
+
+        $guard->setFailureCallable(function ($request, $response, $next) {
+            Analog::log(
+                'CSRF check has failed',
+                Analog::CRITICAL
+            );
+            throw new \RuntimeException(_T('Failed CSRF check!'));
+        });
+
+        return $guard;
+    }
+);
+
 //For bad existing globals can be used...
 global $translator, $i18n;
 if (
diff --git a/galette/includes/main.inc.php b/galette/includes/main.inc.php
index 7c1f190fcb..013bbbc5c9 100644
--- a/galette/includes/main.inc.php
+++ b/galette/includes/main.inc.php
@@ -92,6 +92,8 @@
 
 // Set up dependencies
 require GALETTE_ROOT . '/includes/dependencies.php';
+$app->add(new \Galette\Middleware\SmartyCsrf($app->getContainer()));
+$app->add($app->getContainer()->get('csrf'));
 
 if ($needs_update) {
     $app->add(
diff --git a/galette/lib/Galette/Middleware/SmartyCsrf.php b/galette/lib/Galette/Middleware/SmartyCsrf.php
new file mode 100644
index 0000000000..2305f5028b
--- /dev/null
+++ b/galette/lib/Galette/Middleware/SmartyCsrf.php
@@ -0,0 +1,96 @@
+<?php
+
+/* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
+
+/**
+ * Galette CSRF middleware
+ *
+ * PHP version 5
+ *
+ * Copyright © 2021 The Galette Team
+ *
+ * This file is part of Galette (http://galette.tuxfamily.org).
+ *
+ * Galette is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Galette is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Galette. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @category  Core
+ * @package   Galette
+ *
+ * @author    Johan Cwiklinski <johan@x-tnd.be>
+ * @copyright 2021 The Galette Team
+ * @license   http://www.gnu.org/licenses/gpl-3.0.html GPL License 3.0 or (at your option) any later version
+ * @link      http://galette.tuxfamily.org
+ * @since     Available since 0.9.6dev - 2021-11-08
+ */
+
+namespace Galette\Middleware;
+
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Message\ResponseInterface as Response;
+use Analog\Analog;
+use DI\Container;
+
+/**
+ * Galette CSRF middleware
+ *
+ * @category  Middleware
+ * @name      SmartyCsrf
+ * @package   Galette
+ * @author    Johan Cwiklinski <johan@x-tnd.be>
+ * @copyright 2020 The Galette Team
+ * @license   http://www.gnu.org/licenses/gpl-3.0.html GPL License 3.0 or (at your option) any later version
+ * @link      http://galette.tuxfamily.org
+ * @since     Available since 0.9.4dev - 2020-05-06
+ */
+class SmartyCsrf
+{
+    private $smarty;
+    private $csrf;
+
+    /**
+     * Constructor
+     *
+     * @param Container $container Container instance
+     */
+    public function __construct(Container $container)
+    {
+        $view = $container->get('Slim\Views\Smarty');
+        $this->smarty = $view->getSmarty();
+        $this->csrf = $container->get('csrf');
+    }
+
+    /**
+     * Middleware invokable class
+     *
+     * @param  \Psr\Http\Message\ServerRequestInterface $request  PSR7 request
+     * @param  \Psr\Http\Message\ResponseInterface      $response PSR7 response
+     * @param  callable                                 $next     Next middleware
+     *
+     * @return \Psr\Http\Message\ResponseInterface
+     */
+    public function __invoke(Request $request, Response $response, $next): Response
+    {
+        $nameKey = $this->csrf->getTokenNameKey();
+        $valueKey = $this->csrf->getTokenValueKey();
+        $name = $request->getAttribute($nameKey);
+        $value = $request->getAttribute($valueKey);
+
+        $this->smarty->assign('csrf_name_key', $nameKey);
+        $this->smarty->assign('csrf_value_key', $valueKey);
+        $this->smarty->assign('csrf_name', $name);
+        $this->smarty->assign('csrf_value', $value);
+
+        return $next($request, $response);
+    }
+}
diff --git a/galette/templates/default/admintools.tpl b/galette/templates/default/admintools.tpl
index b1a9028d60..e72ac324bd 100644
--- a/galette/templates/default/admintools.tpl
+++ b/galette/templates/default/admintools.tpl
@@ -31,10 +31,11 @@
             </p>
         </fieldset>
         <div class="button-container">
-            <button ype="submit" class="action">
+            <button type="submit" class="action">
                 <i class="fas fa-database" aria-hidden="true"></i>
                 {_T string="Go"}
             </button>
+            {include file="forms_types/csrf.tpl"}
         </div>
     </form>
 {/block}
diff --git a/galette/templates/default/advanced_search.tpl b/galette/templates/default/advanced_search.tpl
index 4c8767959b..1aa267893b 100644
--- a/galette/templates/default/advanced_search.tpl
+++ b/galette/templates/default/advanced_search.tpl
@@ -312,6 +312,7 @@
                 <input type="hidden" name="advanced_filtering" value="true" />
                 <input type="submit" class="inline" value="{_T string="Filter"}"/>
                 <input type="submit" name="clear_adv_filter" class="inline" value="{_T string="Clear filter"}"/>
+                {include file="forms_types/csrf.tpl"}
             </div>
         </form>
 {/block}
diff --git a/galette/templates/default/ajouter_contribution.tpl b/galette/templates/default/ajouter_contribution.tpl
index 69cb889be1..42ee6c91fd 100644
--- a/galette/templates/default/ajouter_contribution.tpl
+++ b/galette/templates/default/ajouter_contribution.tpl
@@ -184,6 +184,7 @@
             <input type="hidden" name="trans_id" value="{if $contribution->transaction neq NULL}{$contribution->transaction->id}{/if}"/>
         </div>
     {/if}
+            {include file="forms_types/csrf.tpl"}
         </form>
 {else} {* No members *}
     <div class="center" id="warningbox">
diff --git a/galette/templates/default/ajouter_transaction.tpl b/galette/templates/default/ajouter_transaction.tpl
index 18a3ddde14..2f34546e46 100644
--- a/galette/templates/default/ajouter_transaction.tpl
+++ b/galette/templates/default/ajouter_transaction.tpl
@@ -46,6 +46,7 @@
             </button>
             <input type="hidden" name="trans_id" value="{$transaction->id}"/>
             <input type="hidden" name="valid" value="1"/>
+            {include file="forms_types/csrf.tpl"}
         </div>
         <p>{_T string="NB : The mandatory fields are in"} <span class="required">{_T string="red"}</span></p>
         </form>
diff --git a/galette/templates/default/attendance_sheet_details.tpl b/galette/templates/default/attendance_sheet_details.tpl
index a52d37ffb0..bd9c2254e3 100644
--- a/galette/templates/default/attendance_sheet_details.tpl
+++ b/galette/templates/default/attendance_sheet_details.tpl
@@ -31,6 +31,7 @@
 {foreach $selection as $member}
                 <input type="hidden" name="selection[]" value="{$member}"/>
 {/foreach}
+                {include file="forms_types/csrf.tpl"}
             </p>
         </fieldset>
 {if not $ajax}
diff --git a/galette/templates/default/change_passwd.tpl b/galette/templates/default/change_passwd.tpl
index c793ad2cb5..187200b217 100644
--- a/galette/templates/default/change_passwd.tpl
+++ b/galette/templates/default/change_passwd.tpl
@@ -16,5 +16,6 @@
                 </table>
                 <input type="submit" name="change_passwd" value="{_T string="Change my password"}"/>
                 <input type="hidden" name="hash" value="{$hash}"/>
+                {include file="forms_types/csrf.tpl"}
         </form>
 {/block}
diff --git a/galette/templates/default/common_scripts.tpl b/galette/templates/default/common_scripts.tpl
index f4e1dc719d..499a7e8099 100644
--- a/galette/templates/default/common_scripts.tpl
+++ b/galette/templates/default/common_scripts.tpl
@@ -1,5 +1,23 @@
         <script type="text/javascript">
+            function csrfSafeMethod(method) {
+                // these HTTP methods do not require CSRF protection
+                return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
+            }
+
             $(function(){
+                $.ajaxPrefilter(function(options, originalOptions, jqXHR){
+                    if (options.type.toLowerCase() === "post") {
+                        // initialize `data` to empty string if it does not exist
+                        options.data = options.data || "";
+
+                        // add leading ampersand if `data` is non-empty
+                        options.data += options.data?"&":"";
+
+                        // add csrf
+                        options.data += encodeURIComponent("{$csrf_name_key}") + "=" + encodeURIComponent("{$csrf_name}") + "&" + encodeURIComponent("{$csrf_value_key}") + "=" + encodeURIComponent("{$csrf_value}")
+                    }
+                });
+
                 $.datepicker.setDefaults($.datepicker.regional['{$galette_lang}']);
     {if $galette_lang eq 'en'}
                 $.datepicker.setDefaults({
diff --git a/galette/templates/default/config_fields.tpl b/galette/templates/default/config_fields.tpl
index 12849db7aa..dd51a0a38f 100644
--- a/galette/templates/default/config_fields.tpl
+++ b/galette/templates/default/config_fields.tpl
@@ -55,6 +55,7 @@
             <button type="submit" class="action">
                 <i class="fas fa-save fa-fw"></i> {_T string="Save"}
             </button>
+            {include file="forms_types/csrf.tpl"}
         </div>
     </form>
 {/block}
diff --git a/galette/templates/default/config_lists.tpl b/galette/templates/default/config_lists.tpl
index c36e0716ed..0968a6a6b4 100644
--- a/galette/templates/default/config_lists.tpl
+++ b/galette/templates/default/config_lists.tpl
@@ -57,6 +57,7 @@
                 <i class="fas fa-save fa-fw"></i> {_T string="Save"}
             </button>
         </div>
+        {include file="forms_types/csrf.tpl"}
     </form>
 {/block}
 
diff --git a/galette/templates/default/confirm_removal.tpl b/galette/templates/default/confirm_removal.tpl
index fc2157b3ec..1fff7ebe94 100644
--- a/galette/templates/default/confirm_removal.tpl
+++ b/galette/templates/default/confirm_removal.tpl
@@ -30,6 +30,7 @@
                 <input type="hidden" name="{$key}" value="{$value}"/>
                 {/if}
             {/foreach}
+            {include file="forms_types/csrf.tpl"}
         </div>
     </form>
     </div>
diff --git a/galette/templates/default/directlink.tpl b/galette/templates/default/directlink.tpl
index de22d55c36..d4efc92bf6 100644
--- a/galette/templates/default/directlink.tpl
+++ b/galette/templates/default/directlink.tpl
@@ -9,6 +9,7 @@
                     <input type="submit" name="directlink" value="{_T string="Get my document"}" />
                     <input type="hidden" name="valid" value="1"/>
                     <input type="hidden" name="hash" value="{$hash}"/>
+                    {include file="forms_types/csrf.tpl"}
                 </section>
             </form>
 {/block}
diff --git a/galette/templates/default/edit_paymenttype.tpl b/galette/templates/default/edit_paymenttype.tpl
index ec40599ae9..bc6dccf2c8 100644
--- a/galette/templates/default/edit_paymenttype.tpl
+++ b/galette/templates/default/edit_paymenttype.tpl
@@ -16,6 +16,7 @@
             </button>
             <input type="submit" name="cancel" value="{_T string="Cancel"}"/>
             <input type="hidden" name="id" id="id" value="{$ptype->id}"/>
+            {include file="forms_types/csrf.tpl"}
         </div>
      </form>
 {/block}
diff --git a/galette/templates/default/edit_title.tpl b/galette/templates/default/edit_title.tpl
index 157d8a7ebd..178b05c066 100644
--- a/galette/templates/default/edit_title.tpl
+++ b/galette/templates/default/edit_title.tpl
@@ -20,6 +20,7 @@
                 </button>
                 <input type="submit" name="cancel" value="{_T string="Cancel"}"/>
                 <input type="hidden" name="id" id="id" value="{$title->id}"/>
+                {include file="forms_types/csrf.tpl"}
             </div>
      </form>
 {/block}
diff --git a/galette/templates/default/editer_champ.tpl b/galette/templates/default/editer_champ.tpl
index 29e7a029fb..41fbeb54b0 100644
--- a/galette/templates/default/editer_champ.tpl
+++ b/galette/templates/default/editer_champ.tpl
@@ -71,6 +71,7 @@
                 <button type="submit" class="action">
                     <i class="fas fa-save fa-fw"></i> {_T string="Save"}
                 </button>
+                {include file="forms_types/csrf.tpl"}
             </div>
 
      </form>
diff --git a/galette/templates/default/editer_intitule.tpl b/galette/templates/default/editer_intitule.tpl
index 18a4ad1e2c..ef23748cfc 100644
--- a/galette/templates/default/editer_intitule.tpl
+++ b/galette/templates/default/editer_intitule.tpl
@@ -39,6 +39,7 @@
             <i class="fas fa-save"></i>
             {_T string="Save"}
         </button>
+        {include file="forms_types/csrf.tpl"}
     </div>
     </div>
 </form>
diff --git a/galette/templates/default/export.tpl b/galette/templates/default/export.tpl
index 43719b7aef..5d9e14fed6 100644
--- a/galette/templates/default/export.tpl
+++ b/galette/templates/default/export.tpl
@@ -124,6 +124,7 @@
                 </fieldset>
             <div class="button-container">
                 <input type="submit" name="valid" value="{_T string="Continue"}"/>
+                {include file="forms_types/csrf.tpl"}
             </div>
         </form>
 {/block}
diff --git a/galette/templates/default/forms_types/csrf.tpl b/galette/templates/default/forms_types/csrf.tpl
new file mode 100644
index 0000000000..c9744bdcd5
--- /dev/null
+++ b/galette/templates/default/forms_types/csrf.tpl
@@ -0,0 +1,2 @@
+<input type="hidden" name="{$csrf_name_key}" value="{$csrf_name}"/>
+<input type="hidden" name="{$csrf_value_key}" value="{$csrf_value}"/>
\ No newline at end of file
diff --git a/galette/templates/default/gestion_adherents.tpl b/galette/templates/default/gestion_adherents.tpl
index fc8ae326b8..7d67ccc136 100644
--- a/galette/templates/default/gestion_adherents.tpl
+++ b/galette/templates/default/gestion_adherents.tpl
@@ -104,6 +104,7 @@ We have to use a template file, so Smarty will do its work (like replacing varia
             </p>
             <pre id="sql_qry" class="hidden">{$filters->query}</pre>
 {/if}
+            {include file="forms_types/csrf.tpl"}
         </div>
         <div class="infoline">
             {_T string="%count member" plural="%count members" count=$nb_members pattern="/%count/" replace=$nb_members}
@@ -354,7 +355,7 @@ We have to use a template file, so Smarty will do its work (like replacing varia
     {/if}
         </ul>
 {/if}
-
+            {include file="forms_types/csrf.tpl"}
         </form>
 {if $nb_members != 0}
         <div id="legende" title="{_T string="Legend"}">
@@ -511,6 +512,7 @@ We have to use a template file, so Smarty will do its work (like replacing varia
                     }
 
                     if (this.id == 'masscontributions') {
+                        event.preventDefault();
                         $.ajax({
                             url: '{path_for name="batch-memberslist"}',
                             type: "POST",
diff --git a/galette/templates/default/gestion_contributions.tpl b/galette/templates/default/gestion_contributions.tpl
index 8e34f2a968..0064f29fb6 100644
--- a/galette/templates/default/gestion_contributions.tpl
+++ b/galette/templates/default/gestion_contributions.tpl
@@ -61,6 +61,7 @@
                 </select>
                 <noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
             </div>
+            {include file="forms_types/csrf.tpl"}
         </div>
         </form>
         <form action="{path_for name="batch-contributionslist" data=["type" => "contributions"]}" method="post" id="listform">
@@ -307,6 +308,7 @@
                 <button type="submit" id="csv" name="csv">
                     <i class="fas fa-file-csv fa-fw"></i> {_T string="Export as CSV"}
                 </button>
+                {include file="forms_types/csrf.tpl"}
             </li>
         </ul>
     {/if}
diff --git a/galette/templates/default/gestion_intitules.tpl b/galette/templates/default/gestion_intitules.tpl
index 4b99a78853..17be135f71 100644
--- a/galette/templates/default/gestion_intitules.tpl
+++ b/galette/templates/default/gestion_intitules.tpl
@@ -4,6 +4,7 @@
 <form action="{path_for name="doAddEntitled" data=["class" => $url_class]}" method="post" class="tabbed">
 <div id="intitules_tabs">
     {include file="gestion_intitule_content.tpl"}
+    {include file="forms_types/csrf.tpl"}
 </div>
 </form>
 {/block}
diff --git a/galette/templates/default/gestion_mailings.tpl b/galette/templates/default/gestion_mailings.tpl
index 74ac867ec8..0ea3812603 100644
--- a/galette/templates/default/gestion_mailings.tpl
+++ b/galette/templates/default/gestion_mailings.tpl
@@ -45,6 +45,7 @@
                         {html_options options=$nbshow_options selected=$numrows}
                     </select>
                     <noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+                    {include file="forms_types/csrf.tpl"}
                 </td>
             </tr>
         </table>
diff --git a/galette/templates/default/gestion_paymentstypes.tpl b/galette/templates/default/gestion_paymentstypes.tpl
index 3c88216960..cbab043a35 100644
--- a/galette/templates/default/gestion_paymentstypes.tpl
+++ b/galette/templates/default/gestion_paymentstypes.tpl
@@ -77,6 +77,7 @@
             {/foreach}
                     </tbody>
                 </table>
+            {include file="forms_types/csrf.tpl"}
         </form>
 {/block}
 
diff --git a/galette/templates/default/gestion_pdf_content.tpl b/galette/templates/default/gestion_pdf_content.tpl
index d8956fcc9d..f13b6bed77 100644
--- a/galette/templates/default/gestion_pdf_content.tpl
+++ b/galette/templates/default/gestion_pdf_content.tpl
@@ -50,6 +50,7 @@
                 <button type="submit" class="action">
                     <i class="fas fa-save fa-fw"></i> {_T string="Save"}
                 </button>
+                {include file="forms_types/csrf.tpl"}
             </div>
         </form>
         {include file="replacements_legend.tpl" legends=$model->getLegend() cur_ref=$model->id}
\ No newline at end of file
diff --git a/galette/templates/default/gestion_textes.tpl b/galette/templates/default/gestion_textes.tpl
index 1fdde520cb..b1a8ea8d81 100644
--- a/galette/templates/default/gestion_textes.tpl
+++ b/galette/templates/default/gestion_textes.tpl
@@ -18,6 +18,7 @@
                     {/foreach}
                 </select>
                 <noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+            {include file="forms_types/csrf.tpl"}
         </form>
         </div>
 
@@ -42,6 +43,7 @@
             <button type="submit" class="action">
                 <i class="fas fa-save fa-fw"></i> {_T string="Save"}
             </button>
+            {include file="forms_types/csrf.tpl"}
         </div>
         </form>
         {include file="replacements_legend.tpl" legends=$texts->getLegend() cur_ref=$cur_ref}
diff --git a/galette/templates/default/gestion_titres.tpl b/galette/templates/default/gestion_titres.tpl
index 762e32dea2..dca09bf6af 100644
--- a/galette/templates/default/gestion_titres.tpl
+++ b/galette/templates/default/gestion_titres.tpl
@@ -74,6 +74,7 @@
             {/foreach}
                     </tbody>
                 </table>
+            {include file="forms_types/csrf.tpl"}
         </form>
 {/block}
 
diff --git a/galette/templates/default/gestion_transactions.tpl b/galette/templates/default/gestion_transactions.tpl
index 69273777eb..f4e046f8ce 100644
--- a/galette/templates/default/gestion_transactions.tpl
+++ b/galette/templates/default/gestion_transactions.tpl
@@ -37,6 +37,7 @@
                         {html_options options=$nbshow_options selected=$numrows}
                     </select>
                     <noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+                    {include file="forms_types/csrf.tpl"}
                 </td>
             </tr>
         </table>
diff --git a/galette/templates/default/group.tpl b/galette/templates/default/group.tpl
index a918089ca0..522692f50b 100644
--- a/galette/templates/default/group.tpl
+++ b/galette/templates/default/group.tpl
@@ -86,6 +86,7 @@
                 {_T string="Group PDF"}
             </a>
             <input type="hidden" name="id_group" id="id_group" value="{$group->getId()}"/>
+            {include file="forms_types/csrf.tpl"}
         </div>
         <p>{_T string="NB : The mandatory fields are in"} <span class="required">{_T string="red"}</span></p>
         </form>
diff --git a/galette/templates/default/history.tpl b/galette/templates/default/history.tpl
index f97961dc78..9fcc75c2bc 100644
--- a/galette/templates/default/history.tpl
+++ b/galette/templates/default/history.tpl
@@ -50,6 +50,7 @@
                     {html_options options=$nbshow_options selected=$numrows}
                 </select>
                 <noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+                {include file="forms_types/csrf.tpl"}
             </div>
         </div>
     </form>
diff --git a/galette/templates/default/import.tpl b/galette/templates/default/import.tpl
index 3f9f3d3514..7d473e6983 100644
--- a/galette/templates/default/import.tpl
+++ b/galette/templates/default/import.tpl
@@ -61,6 +61,7 @@
                             <i class="fas fa-file-import"></i>
                             {_T string="Import"}
                         </button>
+                        {include file="forms_types/csrf.tpl"}
                     </div>
 {else}
                     <p>{_T string="No import file actually exists."}<br/>{_T string="Use upload form below to send a new file on server, or copy it directly in the imports directory."}</p>
@@ -81,6 +82,7 @@
                             <i class="fas fa-upload" aria-hidd="true"></i>
                             {_T string="Upload file"}
                         </button>
+                        {include file="forms_types/csrf.tpl"}
                     </div>
                 </div>
             </fieldset>
diff --git a/galette/templates/default/import_model.tpl b/galette/templates/default/import_model.tpl
index 29313db488..f0b23358d9 100644
--- a/galette/templates/default/import_model.tpl
+++ b/galette/templates/default/import_model.tpl
@@ -75,6 +75,7 @@
                 <i class="fas fa-save" aria-hidden="true"></i>
                 {_T string="Store new model"}
             </button>
+            {include file="forms_types/csrf.tpl"}
         </div>
         </form>
     </div>
diff --git a/galette/templates/default/index.tpl b/galette/templates/default/index.tpl
index c032dfe89d..710a8d9869 100644
--- a/galette/templates/default/index.tpl
+++ b/galette/templates/default/index.tpl
@@ -17,6 +17,7 @@
                     </table>
                     <input type="submit" value="{_T string="Login"}" />
                     <input type="hidden" name="ident" value="1" />
+                    {include file="forms_types/csrf.tpl"}
                 </section>
                 </form>
 {/block}
diff --git a/galette/templates/default/liste_membres.tpl b/galette/templates/default/liste_membres.tpl
index e70c4cbdf4..d8d9cf4ccd 100644
--- a/galette/templates/default/liste_membres.tpl
+++ b/galette/templates/default/liste_membres.tpl
@@ -12,6 +12,7 @@
                         {html_options options=$nbshow_options selected=$numrows}
                     </select>
                     <noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+                    {include file="forms_types/csrf.tpl"}
                 </td>
             </tr>
         </table>
diff --git a/galette/templates/default/lostpasswd.tpl b/galette/templates/default/lostpasswd.tpl
index ccb455fb3d..e137d23fe1 100644
--- a/galette/templates/default/lostpasswd.tpl
+++ b/galette/templates/default/lostpasswd.tpl
@@ -8,6 +8,7 @@
                     </p>
                     <input type="submit" name="lostpasswd" value="{_T string="Recover password"}" />
                     <input type="hidden" name="valid" value="1"/>
+                    {include file="forms_types/csrf.tpl"}
                 </section>
                 </form>
 {/block}
diff --git a/galette/templates/default/mailing_adherents.tpl b/galette/templates/default/mailing_adherents.tpl
index d787c9a722..e460566492 100644
--- a/galette/templates/default/mailing_adherents.tpl
+++ b/galette/templates/default/mailing_adherents.tpl
@@ -144,7 +144,7 @@
                     </p>
                 </div>
         {/if}
-
+            {include file="forms_types/csrf.tpl"}
             </section>
         </div>
         </form>
diff --git a/galette/templates/default/mass_add_contribution.tpl b/galette/templates/default/mass_add_contribution.tpl
index 6e053518b0..88c6be4712 100644
--- a/galette/templates/default/mass_add_contribution.tpl
+++ b/galette/templates/default/mass_add_contribution.tpl
@@ -18,6 +18,7 @@
                 <input type="hidden" name="{$key}" value="{$value}"/>
                 {/if}
             {/foreach}
+            {include file="forms_types/csrf.tpl"}
         </div>
     </form>
     </div>
diff --git a/galette/templates/default/mass_change_members.tpl b/galette/templates/default/mass_change_members.tpl
index e4edf532fd..ebde247bbc 100644
--- a/galette/templates/default/mass_change_members.tpl
+++ b/galette/templates/default/mass_change_members.tpl
@@ -59,6 +59,7 @@
                 <input type="hidden" name="{$key}" value="{$value}"/>
                 {/if}
             {/foreach}
+            {include file="forms_types/csrf.tpl"}
         </div>
     </form>
     </div>
diff --git a/galette/templates/default/mass_choose_type.tpl b/galette/templates/default/mass_choose_type.tpl
index 89b131e86b..3404103cc3 100644
--- a/galette/templates/default/mass_choose_type.tpl
+++ b/galette/templates/default/mass_choose_type.tpl
@@ -27,6 +27,7 @@
                 <input type="hidden" name="{$key}" value="{$value}"/>
                 {/if}
             {/foreach}
+            {include file="forms_types/csrf.tpl"}
         </div>
     </form>
     </div>
diff --git a/galette/templates/default/member.tpl b/galette/templates/default/member.tpl
index ed5e078835..f65ab1499e 100644
--- a/galette/templates/default/member.tpl
+++ b/galette/templates/default/member.tpl
@@ -128,7 +128,7 @@
                     {/if}
                 {/if}
             {/foreach}
-
+            {include file="forms_types/csrf.tpl"}
             <a href="#" id="back2top">{_T string="Back to top"}</a>
         </div>
         </form>
diff --git a/galette/templates/default/plugin_initdb.tpl b/galette/templates/default/plugin_initdb.tpl
index c09d3cd838..f4e9803162 100644
--- a/galette/templates/default/plugin_initdb.tpl
+++ b/galette/templates/default/plugin_initdb.tpl
@@ -122,6 +122,7 @@
             <a href="{path_for name="plugins"}" class="button" id="btnback"><i class="fas fa-backward"></i> {_T string="Back to plugins managment page"}</a>
     {/if}
 {/if}
+            {include file="forms_types/csrf.tpl"}
         </p>
     </form>
     </div>
diff --git a/galette/templates/default/preferences.tpl b/galette/templates/default/preferences.tpl
index 2d7da82d5e..aea003fd84 100644
--- a/galette/templates/default/preferences.tpl
+++ b/galette/templates/default/preferences.tpl
@@ -589,6 +589,7 @@
             </button>
         </div>
         <p>{_T string="NB : The mandatory fields are in"} <span class="required">{_T string="red"}</span></p>
+        {include file="forms_types/csrf.tpl"}
         </form>
 
         {include file="telemetry.tpl" part="dialog"}
diff --git a/galette/templates/default/reminder.tpl b/galette/templates/default/reminder.tpl
index 11eeae377b..f6237ecaa3 100644
--- a/galette/templates/default/reminder.tpl
+++ b/galette/templates/default/reminder.tpl
@@ -32,6 +32,7 @@
                     <i class="fas fa-rocket" aria-hidden="true"></i>
                     {_T string="Send"}
                 </button>
+                {include file="forms_types/csrf.tpl"}
             </div>
         </form>
 {foreach from=$previews key=key item=preview}
diff --git a/galette/templates/default/saved_searches.tpl b/galette/templates/default/saved_searches.tpl
index eb0cc32a6b..97389f0175 100644
--- a/galette/templates/default/saved_searches.tpl
+++ b/galette/templates/default/saved_searches.tpl
@@ -57,6 +57,7 @@
 {/foreach}
                     </tbody>
                 </table>
+            {include file="forms_types/csrf.tpl"}
         </form>
 {/block}
 
diff --git a/galette/templates/default/traduire_libelles.tpl b/galette/templates/default/traduire_libelles.tpl
index 02833973e9..ee8e89dfc6 100644
--- a/galette/templates/default/traduire_libelles.tpl
+++ b/galette/templates/default/traduire_libelles.tpl
@@ -11,6 +11,7 @@
                             {html_options values=$orig output=$orig selected=$text_orig}
                         </select>
                         <noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+                        {include file="forms_types/csrf.tpl"}
                     </p>
                 </form>
     {/if}
@@ -37,6 +38,7 @@
                 <button type="submit" name="trans" class="action">
                     <i class="fas fa-save fa-fw"></i> {_T string="Save"}
                 </button>
+                {include file="forms_types/csrf.tpl"}
             </div>
         </form>
 {else}
diff --git a/galette/templates/default/trombinoscope.tpl b/galette/templates/default/trombinoscope.tpl
index 1b8043cf73..adac06c5f5 100644
--- a/galette/templates/default/trombinoscope.tpl
+++ b/galette/templates/default/trombinoscope.tpl
@@ -12,6 +12,7 @@
                     {html_options options=$nbshow_options selected=$numrows}
                 </select>
                 <noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+                {include file="forms_types/csrf.tpl"}
             </td>
         </tr>
     </table>