external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Implement token system to fix CSRF vulnerabilities

Browse source 
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.

Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This commit is contained in:
canyonknight 2012-06-23 14:40:11 -04:00 committed by Lukas Fleischer
parent bfb25807c4
commit 2c93f0a98f
13 changed files with 82 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

7
web/html/addvote.php
View file

@ -16,7 +16,11 @@ if (isset($_COOKIE["AURSID"])) {
if ($atype == "Trusted User" OR $atype == "Developer") {
$dbh = db_connect();
if (!empty($_POST['addVote'])) {
if (!empty($_POST['addVote']) && !check_token()) {
$error = __("Invalid token for user action.");
}
if (!empty($_POST['addVote']) && check_token()) {
$error = "";
if (!empty($_POST['user'])) {
@ -99,6 +103,7 @@ if ($atype == "Trusted User" OR $atype == "Developer") {
<b><?php print __('Proposal') ?></b><br />
<textarea name='agenda' rows='25' cols='80'><?php if (!empty($_POST['agenda'])) { print htmlentities($_POST['agenda']); } ?></textarea><br />
<input type='hidden' name='addVote' value='1' />
<input type='hidden' name='token' value='<?php print htmlspecialchars($_COOKIE['AURSID']) ?>' />
<input type='submit' class='button' value='<?php print __('Submit'); ?>' />
</p>
</form>