CSRF tokens

LiveHelperChat · Jan 17, 2022 · c2fa19a · c2fa19a
1 parent 78413af
commit c2fa19a
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 1 deletion.
diff --git a/lhc_web/design/defaulttheme/tpl/lhchat/cannedmsgedit.tpl.php b/lhc_web/design/defaulttheme/tpl/lhchat/cannedmsgedit.tpl.php
@@ -12,6 +12,8 @@
 
 <form action="<?php echo erLhcoreClassDesign::baseurl('chat/cannedmsgedit')?>/<?php echo $canned_message->id?>" method="post" onsubmit="return confirmSave()">
 
+    <?php include(erLhcoreClassDesign::designtpl('lhkernel/csfr_token.tpl.php'));?>
+
     <?php include(erLhcoreClassDesign::designtpl('lhchat/cannedmsgform.tpl.php'));?>
 
     <div class="btn-group" role="group" aria-label="...">

diff --git a/lhc_web/design/defaulttheme/tpl/lhchat/newcannedmsg.tpl.php b/lhc_web/design/defaulttheme/tpl/lhchat/newcannedmsg.tpl.php
@@ -5,7 +5,9 @@
 <?php endif; ?>
 
 <form action="<?php echo erLhcoreClassDesign::baseurl('chat/newcannedmsg')?>" method="post">
-
+
+    <?php include(erLhcoreClassDesign::designtpl('lhkernel/csfr_token.tpl.php'));?>
+
     <?php include(erLhcoreClassDesign::designtpl('lhchat/cannedmsgform.tpl.php'));?>
 
 	<div class="btn-group" role="group" aria-label="...">

diff --git a/lhc_web/modules/lhchat/cannedmsgedit.php b/lhc_web/modules/lhchat/cannedmsgedit.php
@@ -29,6 +29,11 @@
 
 if (isset($_POST['Update_action']) || isset($_POST['Save_action'])  )
 {
+    if (!isset($_POST['csfr_token']) || !$currentUser->validateCSFRToken($_POST['csfr_token'])) {
+        erLhcoreClassModule::redirect('chat/cannedmsg');
+        exit;
+    }
+
    $previousState = $Msg->getState();
 
    $Errors = erLhcoreClassAdminChatValidatorHelper::validateCannedMessage($Msg, $userDepartments);

diff --git a/lhc_web/modules/lhchat/newcannedmsg.php b/lhc_web/modules/lhchat/newcannedmsg.php
@@ -17,6 +17,11 @@
 
 if (isset($_POST['Save_action']))
 {
+    if (!isset($_POST['csfr_token']) || !$currentUser->validateCSFRToken($_POST['csfr_token'])) {
+        erLhcoreClassModule::redirect('chat/cannedmsg');
+        exit;
+    }
+
     $Errors = erLhcoreClassAdminChatValidatorHelper::validateCannedMessage($CannedMessage, $userDepartments);
 
     erLhcoreClassChatEventDispatcher::getInstance()->dispatch('chat.before_newcannedmsg', array('departments' => $userDepartments, 'scope' => 'global', 'errors' => & $Errors, 'msg' => & $CannedMessage));

diff --git a/lhc_web/modules/lhgroupchat/options.php b/lhc_web/modules/lhgroupchat/options.php
@@ -8,6 +8,11 @@
 
 if ( isset($_POST['StoreOptions']) ) {
 
+    if (!isset($_POST['csfr_token']) || !$currentUser->validateCSFRToken($_POST['csfr_token'])) {
+        erLhcoreClassModule::redirect('groupchat/options');
+        exit;
+    }
+
     $definition = array(
         'supervisor' => new ezcInputFormDefinitionElement(
             ezcInputFormDefinitionElement::OPTIONAL, 'int'

diff --git a/lhc_web/modules/lhnotifications/settings.php b/lhc_web/modules/lhnotifications/settings.php
@@ -7,6 +7,11 @@
 
 if ( isset($_POST['StoreOptions']) ) {
 
+    if (!isset($_POST['csfr_token']) || !$currentUser->validateCSFRToken($_POST['csfr_token'])) {
+        erLhcoreClassModule::redirect('notifications/index');
+        exit;
+    }
+
     $definition = array(
         'enabled' => new ezcInputFormDefinitionElement(
             ezcInputFormDefinitionElement::OPTIONAL, 'boolean'