Fix for CSRF in FileManager and UploadHandler

myvesta · Sep 4, 2021 · 93de22a · 93de22a
1 parent 63861e4
commit 93de22a
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 9 deletions.
diff --git a/web/download/file/index.php b/web/download/file/index.php
@@ -1,6 +1,11 @@
 <?php
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    die("Wrong token or missing token");
+}
+
 if ((!isset($_SESSION['FILEMANAGER_KEY'])) || (empty($_SESSION['FILEMANAGER_KEY']))) {
     header("Location: /login/");
     exit;

diff --git a/web/file_manager/fm_api.php b/web/file_manager/fm_api.php
@@ -3,15 +3,18 @@
 //error_reporting(NULL);
 
 // Preventing CSRF
-prevent_post_csrf(true);
+// prevent_post_csrf(true);
 
 header('Content-Type: application/json');
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 include($_SERVER['DOCUMENT_ROOT']."/file_manager/fm_core.php");
 
+// Check token
+if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) {
+    die("Wrong token or missing token");
+}
 
-// todo: set in session?
 if (empty($panel)) {
     $command = VESTA_CMD."v-list-user '".$user."' 'json'";
     exec ($command, $output, $return_var);

diff --git a/web/js/app.js b/web/js/app.js
@@ -797,6 +797,8 @@ App.Ajax.request = function(method, data, callback, onError){
     }*/
     //App.Helpers.setAjaxBusy(method, data);
     data = data || {};
+    var token = $('#token').attr('token');
+    data.token = token;
 
     var prgs = $('.progress-container');
 

diff --git a/web/js/file_manager.js b/web/js/file_manager.js
@@ -533,7 +533,8 @@ FM.downloadFileFromSubcontext = function(elm) {
     var src = $.parseJSON($(elm).find('.source').val());
 
     var path = src.full_path;
-    var win = window.open('/download/file/?path=' + path, '_blank');
+    var token = $('#token').attr('token');
+    var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
     win.focus();
 }
 
@@ -552,20 +553,21 @@ FM.openFile = function(dir, box, elm) {
     };
 
     App.Ajax.request('check_file_type', params, function(reply) {
+        var token = $('#token').attr('token');
         if (reply.result) {
             if (FM.isFileEditable(src, reply.data)) {
-                var myWindow = window.open('/edit/file/?path=' + src.full_path, '_blank');//, src.full_path, "width=900, height=700");
+                var myWindow = window.open('/edit/file/?token='+token+'&path=' + src.full_path, '_blank');//, src.full_path, "width=900, height=700");
             }
             else {
                 var path = src.full_path;
-                var win = window.open('/download/file/?path=' + path, '_blank');
+                var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
                 //win.focus();
             }
         }
         else {
             // force download file
             var path = src.full_path;
-            var win = window.open('/download/file/?path=' + path, '_blank');
+            var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
             //win.focus();
         }
     });
@@ -1994,7 +1996,8 @@ FM.downloadFiles = function() {
     }
 
     var path = src.full_path;
-    var win = window.open('/download/file/?path=' + path, '_blank');
+    var token = $('#token').attr('token');
+    var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
     win.focus();
 }
 

diff --git a/web/templates/file_manager/main.php b/web/templates/file_manager/main.php
@@ -15,6 +15,7 @@
 <script> GLOBAL = {}; </script>
 </head>
 <body>
+    <div class="hidden" id="token" token="<?=$_SESSION['token']?>"></div>
     <a href="#" class="to-shortcuts">
         <i class="l-icon-shortcuts"></i>
     </a>
@@ -145,6 +146,7 @@
             var acc = $('<div>');
             $(['A', 'B']).each(function(k, letter) {
                 var url = '/upload/';
+                var token = $('#token').attr('token');
                 $('#file_upload_' + letter).fileupload({
                     singleFileUploads: false,
                     add: function (e, data) {
@@ -154,7 +156,7 @@
                         var file_relocation = FM['TAB_'+tab+'_CURRENT_PATH'];
 
 
-                        $('#file_upload_' + letter).fileupload("option", "url", url + '?dir=' + file_relocation);
+                        $('#file_upload_' + letter).fileupload("option", "url", url + '?token='+token+'&dir=' + file_relocation);
                         acc = $('<div>');
                         show_msg = false;
                         data.submit();

diff --git a/web/upload/UploadHandler.php b/web/upload/UploadHandler.php
@@ -3,10 +3,15 @@
 //session_start();
 
 // Preventing CSRF
-prevent_post_csrf(true);
+// prevent_post_csrf(true);
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) {
+    die("Wrong token or missing token");
+}
+
 // Check login_as feature
 $user = $_SESSION['user'];
 if (($_SESSION['user'] == 'admin') && (!empty($_SESSION['look']))) {