From 93de22a0b3d45fb46e47ff7337445fb074179773 Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Sat, 4 Sep 2021 15:31:34 +0200
Subject: [PATCH] Fix for CSRF in FileManager and UploadHandler

---
 web/download/file/index.php         |  5 +++++
 web/file_manager/fm_api.php         |  7 +++++--
 web/js/app.js                       |  2 ++
 web/js/file_manager.js              | 13 ++++++++-----
 web/templates/file_manager/main.php |  4 +++-
 web/upload/UploadHandler.php        |  7 ++++++-
 6 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/web/download/file/index.php b/web/download/file/index.php
index efabb0e151..ee1a998976 100644
--- a/web/download/file/index.php
+++ b/web/download/file/index.php
@@ -1,6 +1,11 @@
 <?php
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    die("Wrong token or missing token");
+}
+
 if ((!isset($_SESSION['FILEMANAGER_KEY'])) || (empty($_SESSION['FILEMANAGER_KEY']))) {
     header("Location: /login/");
     exit;
diff --git a/web/file_manager/fm_api.php b/web/file_manager/fm_api.php
index c593b3f6cf..eb407ba77f 100644
--- a/web/file_manager/fm_api.php
+++ b/web/file_manager/fm_api.php
@@ -3,15 +3,18 @@
 //error_reporting(NULL);
 
 // Preventing CSRF
-prevent_post_csrf(true);
+// prevent_post_csrf(true);
 
 header('Content-Type: application/json');
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 include($_SERVER['DOCUMENT_ROOT']."/file_manager/fm_core.php");
 
+// Check token
+if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) {
+    die("Wrong token or missing token");
+}
 
-// todo: set in session?
 if (empty($panel)) {
     $command = VESTA_CMD."v-list-user '".$user."' 'json'";
     exec ($command, $output, $return_var);
diff --git a/web/js/app.js b/web/js/app.js
index 58eb60a8d4..9ba909a5f9 100644
--- a/web/js/app.js
+++ b/web/js/app.js
@@ -797,6 +797,8 @@ App.Ajax.request = function(method, data, callback, onError){
     }*/
     //App.Helpers.setAjaxBusy(method, data);
     data = data || {};
+    var token = $('#token').attr('token');
+    data.token = token;
 
     var prgs = $('.progress-container');
 
diff --git a/web/js/file_manager.js b/web/js/file_manager.js
index 749a3a9759..bcbe319ef9 100644
--- a/web/js/file_manager.js
+++ b/web/js/file_manager.js
@@ -533,7 +533,8 @@ FM.downloadFileFromSubcontext = function(elm) {
     var src = $.parseJSON($(elm).find('.source').val());
 
     var path = src.full_path;
-    var win = window.open('/download/file/?path=' + path, '_blank');
+    var token = $('#token').attr('token');
+    var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
     win.focus();
 }
 
@@ -552,20 +553,21 @@ FM.openFile = function(dir, box, elm) {
     };
     
     App.Ajax.request('check_file_type', params, function(reply) {
+        var token = $('#token').attr('token');
         if (reply.result) {
             if (FM.isFileEditable(src, reply.data)) {
-                var myWindow = window.open('/edit/file/?path=' + src.full_path, '_blank');//, src.full_path, "width=900, height=700");
+                var myWindow = window.open('/edit/file/?token='+token+'&path=' + src.full_path, '_blank');//, src.full_path, "width=900, height=700");
             }
             else {
                 var path = src.full_path;
-                var win = window.open('/download/file/?path=' + path, '_blank');
+                var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
                 //win.focus();
             }
         }
         else {
             // force download file
             var path = src.full_path;
-            var win = window.open('/download/file/?path=' + path, '_blank');
+            var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
             //win.focus();
         }
     });
@@ -1994,7 +1996,8 @@ FM.downloadFiles = function() {
     }
 
     var path = src.full_path;
-    var win = window.open('/download/file/?path=' + path, '_blank');
+    var token = $('#token').attr('token');
+    var win = window.open('/download/file/?token='+token+'&path=' + path, '_blank');
     win.focus();
 }
 
diff --git a/web/templates/file_manager/main.php b/web/templates/file_manager/main.php
index 99398d754f..2e82f811c7 100644
--- a/web/templates/file_manager/main.php
+++ b/web/templates/file_manager/main.php
@@ -15,6 +15,7 @@
 <script> GLOBAL = {}; </script>
 </head>
 <body>
+    <div class="hidden" id="token" token="<?=$_SESSION['token']?>"></div>
     <a href="#" class="to-shortcuts">
         <i class="l-icon-shortcuts"></i>
     </a>
@@ -145,6 +146,7 @@
             var acc = $('<div>');
             $(['A', 'B']).each(function(k, letter) {
                 var url = '/upload/';
+                var token = $('#token').attr('token');
                 $('#file_upload_' + letter).fileupload({
                     singleFileUploads: false,
                     add: function (e, data) {
@@ -154,7 +156,7 @@
                         var file_relocation = FM['TAB_'+tab+'_CURRENT_PATH'];
 
 
-                        $('#file_upload_' + letter).fileupload("option", "url", url + '?dir=' + file_relocation);
+                        $('#file_upload_' + letter).fileupload("option", "url", url + '?token='+token+'&dir=' + file_relocation);
                         acc = $('<div>');
                         show_msg = false;
                         data.submit();
diff --git a/web/upload/UploadHandler.php b/web/upload/UploadHandler.php
index 511ec4b3e1..48f40b2374 100755
--- a/web/upload/UploadHandler.php
+++ b/web/upload/UploadHandler.php
@@ -3,10 +3,15 @@
 //session_start();
 
 // Preventing CSRF
-prevent_post_csrf(true);
+// prevent_post_csrf(true);
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) {
+    die("Wrong token or missing token");
+}
+
 // Check login_as feature
 $user = $_SESSION['user'];
 if (($_SESSION['user'] == 'admin') && (!empty($_SESSION['look']))) {