external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Re-add CRSF tokens to most package actions

Browse source 
We fixed all known CRSF vulnerabilities in commit 2c93f0a (Implement
token system to fix CSRF vulnerabilities, 2012-06-23). c349cb2 (Add
virtual path support for package actions, 2012-07-17) partly reverted
this by injecting a valid CRSF token when virtual paths are in use.

This patch allows for keeping the virtual path feature, while
reintroducing POST forms and CRSF tokens. Actions like package flagging,
votes and notifications are no longer prone to CRSF (see FS#35437 for
details).

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This commit is contained in:
Lukas Fleischer 2013-08-27 02:18:59 +02:00
parent 3bc951e3d8
commit 69b98efa35
2 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
web/html/index.php
View file

@ -59,10 +59,6 @@ if (!empty($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
return; return;
} }
if (isset($_COOKIE['AURSID'])) {
$_POST['token'] = $_COOKIE['AURSID'];
}
$_POST['IDs'] = array(pkgid_from_name($tokens[2]) => '1'); $_POST['IDs'] = array(pkgid_from_name($tokens[2]) => '1');
} }
} }

6
web/template/pkg_details.php
View file

@ -41,6 +41,7 @@ $sources = package_sources($row["ID"]);
<?php if ($row["OutOfDateTS"] === NULL): ?> <?php if ($row["OutOfDateTS"] === NULL): ?>
<li> <li>
<form action="<?= get_pkg_uri($row['Name']) . 'flag/'; ?>" method="post"> <form action="<?= get_pkg_uri($row['Name']) . 'flag/'; ?>" method="post">
<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
<input type="submit" class="button text-button" name="do_Flag" value="<?= __('Flag package out-of-date') ?>" /> <input type="submit" class="button text-button" name="do_Flag" value="<?= __('Flag package out-of-date') ?>" />
</form> </form>
</li> </li>
@ -48,6 +49,7 @@ $sources = package_sources($row["ID"]);
($uid == $row["MaintainerUID"] || $atype == "Trusted User" || $atype == "Developer")): ?> ($uid == $row["MaintainerUID"] || $atype == "Trusted User" || $atype == "Developer")): ?>
<li> <li>
<form action="<?= get_pkg_uri($row['Name']) . 'unflag/'; ?>" method="post"> <form action="<?= get_pkg_uri($row['Name']) . 'unflag/'; ?>" method="post">
<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
<input type="submit" class="button text-button" name="do_UnFlag" value="<?= __('Unflag package') ?>" /> <input type="submit" class="button text-button" name="do_UnFlag" value="<?= __('Unflag package') ?>" />
</form> </form>
</li> </li>
@ -55,12 +57,14 @@ $sources = package_sources($row["ID"]);
<?php if (user_voted($uid, $row['ID'])): ?> <?php if (user_voted($uid, $row['ID'])): ?>
<li> <li>
<form action="<?= get_pkg_uri($row['Name']) . 'unvote/'; ?>" method="post"> <form action="<?= get_pkg_uri($row['Name']) . 'unvote/'; ?>" method="post">
<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
<input type="submit" class="button text-button" name="do_UnVote" value="<?= __('Remove vote') ?>" /> <input type="submit" class="button text-button" name="do_UnVote" value="<?= __('Remove vote') ?>" />
</form> </form>
</li> </li>
<?php else: ?> <?php else: ?>
<li> <li>
<form action="<?= get_pkg_uri($row['Name']) . 'vote/'; ?>" method="post"> <form action="<?= get_pkg_uri($row['Name']) . 'vote/'; ?>" method="post">
<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
<input type="submit" class="button text-button" name="do_Vote" value="<?= __('Vote for this package') ?>" /> <input type="submit" class="button text-button" name="do_Vote" value="<?= __('Vote for this package') ?>" />
</form> </form>
</li> </li>
@ -68,12 +72,14 @@ $sources = package_sources($row["ID"]);
<?php if (user_notify($uid, $row['ID'])): ?> <?php if (user_notify($uid, $row['ID'])): ?>
<li> <li>
<form action="<?= get_pkg_uri($row['Name']) . 'unnotify/'; ?>" method="post"> <form action="<?= get_pkg_uri($row['Name']) . 'unnotify/'; ?>" method="post">
<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
<input type="submit" class="button text-button" name="do_UnNotify" value="<?= __('Disable notifications') ?>" /> <input type="submit" class="button text-button" name="do_UnNotify" value="<?= __('Disable notifications') ?>" />
</form> </form>
</li> </li>
<?php else: ?> <?php else: ?>
<li> <li>
<form action="<?= get_pkg_uri($row['Name']) . 'notify/'; ?>" method="post"> <form action="<?= get_pkg_uri($row['Name']) . 'notify/'; ?>" method="post">
<input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" />
<input type="submit" class="button text-button" name="do_Notify" value="<?= __('Notify of new comments') ?>" /> <input type="submit" class="button text-button" name="do_Notify" value="<?= __('Notify of new comments') ?>" />
</form> </form>
</li> </li>