external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Implement token system to fix CSRF vulnerabilities

Browse source 
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.

Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This commit is contained in:
canyonknight 2012-06-23 14:40:11 -04:00 committed by Lukas Fleischer
parent bfb25807c4
commit 2c93f0a98f
13 changed files with 82 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

70
web/html/packages.php
View file

@ -36,46 +36,48 @@ if (isset($_POST['IDs'])) {
# Determine what action to do
$output = "";
if (current_action("do_Flag")) {
$output = pkg_flag($atype, $ids, true);
} elseif (current_action("do_UnFlag")) {
$output = pkg_flag($atype, $ids, False);
} elseif (current_action("do_Adopt")) {
$output = pkg_adopt($atype, $ids, true);
} elseif (current_action("do_Disown")) {
$output = pkg_adopt($atype, $ids, False);
} elseif (current_action("do_Vote")) {
$output = pkg_vote($atype, $ids, true);
} elseif (current_action("do_UnVote")) {
$output = pkg_vote($atype, $ids, False);
} elseif (current_action("do_Delete")) {
if (isset($_POST['confirm_Delete'])) {
if (!isset($_POST['merge_Into']) || empty($_POST['merge_Into'])) {
$output = pkg_delete($atype, $ids, NULL);
unset($_GET['ID']);
}
else {
$mergepkgid = pkgid_from_name($_POST['merge_Into']);
if ($mergepkgid) {
$output = pkg_delete($atype, $ids, $mergepkgid);
if (check_token()) {
if (current_action("do_Flag")) {
$output = pkg_flag($atype, $ids, true);
} elseif (current_action("do_UnFlag")) {
$output = pkg_flag($atype, $ids, False);
} elseif (current_action("do_Adopt")) {
$output = pkg_adopt($atype, $ids, true);
} elseif (current_action("do_Disown")) {
$output = pkg_adopt($atype, $ids, False);
} elseif (current_action("do_Vote")) {
$output = pkg_vote($atype, $ids, true);
} elseif (current_action("do_UnVote")) {
$output = pkg_vote($atype, $ids, False);
} elseif (current_action("do_Delete")) {
if (isset($_POST['confirm_Delete'])) {
if (!isset($_POST['merge_Into']) || empty($_POST['merge_Into'])) {
$output = pkg_delete($atype, $ids, NULL);
unset($_GET['ID']);
}
else {
$output = __("Cannot find package to merge votes and comments into.");
$mergepkgid = pkgid_from_name($_POST['merge_Into']);
if ($mergepkgid) {
$output = pkg_delete($atype, $ids, $mergepkgid);
unset($_GET['ID']);
}
else {
$output = __("Cannot find package to merge votes and comments into.");
}
}
}
else {
$output = __("The selected packages have not been deleted, check the confirmation checkbox.");
}
} elseif (current_action("do_Notify")) {
$output = pkg_notify($atype, $ids);
} elseif (current_action("do_UnNotify")) {
$output = pkg_notify($atype, $ids, False);
} elseif (current_action("do_DeleteComment")) {
$output = pkg_delete_comment($atype);
} elseif (current_action("do_ChangeCategory")) {
$output = pkg_change_category($atype);
}
else {
$output = __("The selected packages have not been deleted, check the confirmation checkbox.");
}
} elseif (current_action("do_Notify")) {
$output = pkg_notify($atype, $ids);
} elseif (current_action("do_UnNotify")) {
$output = pkg_notify($atype, $ids, False);
} elseif (current_action("do_DeleteComment")) {
$output = pkg_delete_comment($atype);
} elseif (current_action("do_ChangeCategory")) {
$output = pkg_change_category($atype);
}
html_header($title);