Implement token system to fix CSRF vulnerabilities

Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2025-02-03 10:43:03 +01:00 · 2012-06-23 14:40:11 -04:00 · 2012-06-23 14:40:11 -04:00 · 2c93f0a98f
commit 2c93f0a98f
parent bfb25807c4
13 changed files with 82 additions and 46 deletions
--- a/web/template/pkg_comment_form.php
+++ b/web/template/pkg_comment_form.php
@ -1,6 +1,6 @@
 <?php
 # Add a comment to this package
-if (isset($_REQUEST['comment'])) {
+if (isset($_REQUEST['comment']) && check_token()) {

 	# Insert the comment
 	$dbh = db_connect();
@ -53,13 +53,14 @@ if (isset($_REQUEST['comment'])) {
 	<form action='<?php echo $_SERVER['REQUEST_URI'] ?>' method='post'>
 	<div style="padding: 1%">
 <?php
-if (isset($_REQUEST['comment'])) {
+if (isset($_REQUEST['comment']) && check_token()) {
 	echo '<b>' . __('Comment has been added.') . '</b>';
 }
 ?>
 	<input type='hidden' name='ID' value="<?php echo intval($_REQUEST['ID']) ?>" />
 	<?php echo __('Enter your comment below.') ?><br />
 	<textarea name='comment' cols='80' rows='10' style="width: 100%"></textarea><br />
+	<input type='hidden' name='token' value='<?php echo htmlspecialchars($_COOKIE['AURSID']) ?>' />
 	<input type='submit' value="<?php echo __("Submit") ?>" />
 	<input type='reset' value="<?php echo __("Reset") ?>" />
 	</div>