Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
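<?php

# Add a comment to this package
#
# Included by the package page. Expects the package ID in the request
# ("ID"), the comment text ("comment") and a logged-in session cookie
# ("AURSID"). The comment is stored only when the POSTed form token
# matches the session cookie (check_token(), double-submit cookie
# pattern); otherwise the page just renders the empty form.
#
# Everything taken from the request is normalised once up front so the
# INSERT, the notification mail and the rendered form all agree.

$pkgid = isset($_REQUEST['ID']) ? intval($_REQUEST['ID']) : 0;
$comment_added = false;

if (isset($_REQUEST['comment']) && check_token()) {
	$comment = $_REQUEST['comment'];
	# NOTE(review): uid_from_sid() is assumed to yield a numeric user ID
	# for a valid session; it is spliced into the SQL unquoted, as before.
	$uid = uid_from_sid($_COOKIE['AURSID']);

	# Insert the comment
	$dbh = db_connect();
	$q = 'INSERT INTO PackageComments ';
	$q.= '(PackageID, UsersID, Comments, CommentTS) VALUES (';
	$q.= $pkgid . ', ' . $uid . ', ';
	$q.= "'" . db_escape_string($comment) . "', ";
	$q.= 'UNIX_TIMESTAMP())';
	db_query($q, $dbh);
	$comment_added = true;

	# Send email notifications to everyone subscribed to this package,
	# except the author of the comment.
	$q = 'SELECT CommentNotify.*, Users.Email ';
	$q.= 'FROM CommentNotify, Users ';
	$q.= 'WHERE Users.ID = CommentNotify.UserID ';
	$q.= 'AND CommentNotify.UserID != ' . $uid . ' ';
	$q.= 'AND CommentNotify.PkgID = ' . $pkgid;
	$result = db_query($q, $dbh);

	$bcc = array();
	if (mysql_num_rows($result)) {
		while ($row = mysql_fetch_assoc($result)) {
			array_push($bcc, $row['Email']);
		}

		$q = 'SELECT Packages.* ';
		$q.= 'FROM Packages ';
		$q.= 'WHERE Packages.ID = ' . $pkgid;
		$result = db_query($q, $dbh);
		$row = mysql_fetch_assoc($result);

		# TODO: native language emails for users, based on their prefs
		# Simply making these strings translatable won't work, users would be
		# getting emails in the language that the user who posted the comment was in
		#
		# The link uses the sanitised $pkgid (not the raw request value) and
		# the body carries the same comment text that was stored, so a
		# crafted request cannot put anything into the mail beyond the
		# comment itself.
		$body =
			'from https://aur.archlinux.org/packages.php?ID='
			. $pkgid . "\n"
			. username_from_sid($_COOKIE['AURSID']) . " wrote:\n\n"
			. $comment
			. "\n\n---\nIf you no longer wish to receive notifications about this package, please go the the above package page and click the UnNotify button.";
		$body = wordwrap($body, 70);

		# Package names come from the database; strip CR/LF anyway so a
		# name can never terminate the Subject header.
		$subject = "AUR Comment for " . str_replace(array("\r", "\n"), '', $row['Name']);

		# Recipients travel in Bcc only, so the To header is left blank.
		$bcc = implode(', ', $bcc);
		$headers = "Bcc: $bcc\nReply-to: nobody@archlinux.org\nFrom: aur-notify@archlinux.org\nX-Mailer: AUR\n";
		@mail(' ', $subject, $body, $headers);
	}
}

# Prompt visitor for comment
?>
<div class="pgbox">
<?php
# REQUEST_URI is attacker-controlled (it is whatever path/query the
# client sent), so it must be escaped before being placed in the
# single-quoted action attribute; ENT_QUOTES covers the quote character.
?>
<form action='<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES) ?>' method='post'>
<div style="padding: 1%">
<?php
if ($comment_added) {
	echo '<b>' . __('Comment has been added.') . '</b>';
}
?>
<input type='hidden' name='ID' value="<?php echo $pkgid ?>" />
<?php echo __('Enter your comment below.') ?><br />
<textarea name='comment' cols='80' rows='10' style="width: 100%"></textarea><br />
<?php
# CSRF token (double-submit cookie): check_token() compares this value
# with the AURSID cookie on the next POST.
# NOTE(review): the token *is* the session ID, so the session cookie
# value ends up in the page markup; any script that can read this page
# (an XSS elsewhere on the site) can take over the session. A token
# derived from the session (e.g. an HMAC keyed with a server secret)
# would avoid that. ENT_QUOTES keeps a quote in the cookie value from
# breaking out of the single-quoted attribute.
$token = isset($_COOKIE['AURSID']) ? $_COOKIE['AURSID'] : '';
?>
<input type='hidden' name='token' value='<?php echo htmlspecialchars($token, ENT_QUOTES) ?>' />
<input type='submit' value="<?php echo __("Submit") ?>" />
<input type='reset' value="<?php echo __("Reset") ?>" />
</div>
</form>
</div>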