Fix fox CSRF in /dowload/web-log/

myvesta · Sep 4, 2021 · 63861e4 · 63861e4
1 parent 329c37a
commit 63861e4
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/web/download/web-log/index.php b/web/download/web-log/index.php
@@ -3,6 +3,13 @@
 error_reporting(NULL);
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
+
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('Location: /login/');
+    exit();
+}
+
 $v_domain = $_GET['domain'];
 $v_domain = escapeshellarg($_GET['domain']);
 if ($_GET['type'] == 'access') $type = 'access';

diff --git a/web/templates/admin/list_weblog.html b/web/templates/admin/list_weblog.html
@@ -23,8 +23,8 @@
       <div class="l-menu clearfix">
         <div class="l-menu__item <?php if($_GET['type'] == 'access') echo 'l-menu__item--active' ?>"><a href="/list/web-log/?domain=<?=htmlentities($_GET['domain'])?>&type=access"><?=__('AccessLog')?></a></div>
         <div class="l-menu__item <?php if($_GET['type'] == 'error') echo 'l-menu__item--active' ?>"><a href="/list/web-log/?domain=<?=htmlentities($_GET['domain'])?>&type=error"><?=__('ErrorLog')?></a></div>
-        <div class="l-menu__item"><a href="/download/web-log/?domain=<?=htmlentities($_GET['domain'])?>&type=access"><?=__('Download AccessLog')?></a></div>
-        <div class="l-menu__item"><a href="/download/web-log/?domain=<?=htmlentities($_GET['domain'])?>&type=error"><?=__('Download ErrorLog')?></a></div>
+        <div class="l-menu__item"><a href="/download/web-log/?domain=<?=htmlentities($_GET['domain'])?>&type=access&token=<?=$_SESSION['token']?>"><?=__('Download AccessLog')?></a></div>
+        <div class="l-menu__item"><a href="/download/web-log/?domain=<?=htmlentities($_GET['domain'])?>&type=error&token=<?=$_SESSION['token']?>"><?=__('Download ErrorLog')?></a></div>
       </div>
       <!-- /.l-menu -->
       <div class="l-profile">