CSRF Protection for login and new notice. Ticket #503
author: zach <zach@controlyourself.ca>
Tue, 11 Nov 2008 02:23:30 +0000 (21:23 -0500)
committer: zach <zach@controlyourself.ca>
Tue, 11 Nov 2008 02:23:30 +0000 (21:23 -0500)
darcs-hash:20081111022330-462f3-810b2a86e6e209330ade628fc0e97df96151d496.gz

actions/login.php
actions/newnotice.php
actions/noticesearch.php
lib/util.php

index f183c1cd45c5ab7ff57f84440a0e2f321679fc9d..ccec9cf8a787818e20cb518f64b44bfd31b30336 100644 (file)
@@ -37,8 +37,15 @@ class LoginAction extends Action {
        }
 
        function check_login() {
-               # XXX: form token in $_SESSION to prevent XSS
                # XXX: login throttle
+
+               # CSRF protection - token set in common_notice_form()
+               $token = $this->trimmed('token');
+               if (!$token || $token != common_session_token()) {
+                       $this->client_error(_('There was a problem with your session token. Try again, please.'));
+                       return;
+               }
+
                $nickname = common_canonical_nickname($this->trimmed('nickname'));
                $password = $this->arg('password');
                if (common_check_user($nickname, $password)) {
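Review bot: The token check at the top of check_login() uses the loose `!=` operator, so two strings PHP treats as numeric (`'1e3' == '1000'`) compare equal without matching byte for byte; use `if (!$token || $token !== common_session_token())`. The accompanying comment says the token is set in common_notice_form(), but for this action it is emitted by the login form (the `common_hidden('token', ...)` added further down in this file), so it should read `# CSRF protection - token set in the login form below`. The comparison is also not constant-time, which matters little for a per-session token but deserves a one-line comment so nobody later reuses the pattern for a secret. Nothing in this hunk regenerates the session id on successful login; if the success path (outside the hunk) does not either, the pre-authentication session and its token carry straight into the authenticated session, which is worth confirming. check_login() continues past the end of the hunk.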
@@ -104,6 +111,7 @@ class LoginAction extends Action {
                                _('Automatically login in the future; ' .
                                   'not for shared computers!'));
                common_submit('submit', _('Login'));
+               common_hidden('token', common_session_token());
                common_element_end('form');
                common_element_start('p');
                common_element('a', array('href' => common_local_url('recoverpassword')),
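Review bot: The token is now rendered for an unauthenticated visitor, so common_session_token() must start a session (and set the cookie) on every render of the login page; if it only reads an existing session, `$token` can never match on submit and login becomes impossible. That dependency is not visible here and should be confirmed, and a comment such as `# starts the session if needed so check_login() can verify the token on POST` would record it. The enclosing form-rendering method starts and ends outside the hunk.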
index b5fc98c37c904d662200da2653931f5199be889e..37cca982d6d882f2e2c950a88f1333efce9a15ad 100644 (file)
@@ -20,7 +20,7 @@
 if (!defined('LACONICA')) { exit(1); }
 
 class NewnoticeAction extends Action {
-       
+
        function handle($args) {
                parent::handle($args);
                # XXX: Ajax!
@@ -36,10 +36,17 @@ class NewnoticeAction extends Action {
 
        function save_new_notice() {
 
+               # CSRF protection - token set in common_notice_form()
+               $token = $this->trimmed('token');
+               if (!$token || $token != common_session_token()) {
+                       $this->client_error(_('There was a problem with your session token. Try again, please.'));
+                       return;
+               }
+
                $user = common_current_user();
                assert($user); # XXX: maybe an error instead...
                $content = $this->trimmed('status_textarea');
-               
+
                if (!$content) {
                        $this->show_form(_('No content!'));
                        return;
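Review bot: The check at the top of save_new_notice() is a copy of the one in LoginAction::check_login(), including the loose `!=`; it should use `$token !== common_session_token()` and, since two actions now need it, belongs in one helper in lib/util.php (something like `common_check_token($this)` that emits the client_error and returns false) so the next action that needs CSRF protection cannot drift from these two. Note also that the check runs before `common_current_user()`, so an anonymous POST now gets the session-token message rather than a login prompt; that is acceptable but worth a word in the comment. save_new_notice() continues past the end of the hunk.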
@@ -51,9 +58,9 @@ class NewnoticeAction extends Action {
                }
 
                $inter = new CommandInterpreter();
-               
+
                $cmd = $inter->handle_command($user, $content);
-               
+
                if ($cmd) {
                        $cmd->execute(new WebChannel());
                        return;
@@ -62,18 +69,18 @@ class NewnoticeAction extends Action {
                $replyto = $this->trimmed('inreplyto');
 
                common_debug("Replyto = $replyto\n");
-               
+
                $notice = Notice::saveNew($user->id, $content, 'web', 1, ($replyto == 'false') ? NULL : $replyto);
-               
+
                if (is_string($notice)) {
                        $this->show_form($notice);
                        return;
                }
-               
+
                common_broadcast_notice($notice);
-               
+
                $returnto = $this->trimmed('returnto');
-               
+
                if ($returnto) {
                        $url = common_local_url($returnto,
                                                                        array('nickname' => $user->nickname));
index e6de21ae068be9c818a10c6ff1e7d037fa4c37db..bc052d512f5b1a0f6bea529d3be9ef5a5c94ba35 100644 (file)
@@ -142,6 +142,8 @@ class NoticesearchAction extends SearchAction {
                                                                   'onclick' => 'doreply("'.$profile->nickname.'"); return false',
                                                                   'title' => _('reply'),
                                                                   'class' => 'replybutton'));
+               common_hidden('posttoken', common_session_token());
+               
                common_raw('&rarr;');
                common_element_end('a');
                common_element_end('p');
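Review bot: The `common_hidden('posttoken', ...)` added here is emitted inside the reply `<a>` element rather than inside a form, and its name (`posttoken`) is not the `token` parameter that NewnoticeAction::save_new_notice() checks, so unless the `doreply()` handler on the onclick copies this value into the notice form's `token` field (not visible here), replies started from search results will fail the new token check. If the JavaScript does consume it, a comment saying so would save the next reader the same question; if it does not, the field should be dropped in favour of the `token` field that common_notice_form() now renders on the same page. An `<input>` inside an `<a>` is also invalid HTML, and if common_hidden() assigns `id=name` this page will carry one duplicate id per result — both worth confirming. The enclosing function starts and ends outside the hunk.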
index 6ec557b2f915f9ba08e1ab8989caea9a5e0e47e8..a5eeab0566f319ac6066535b70df44fc65fa8661 100644 (file)
@@ -1353,12 +1353,13 @@ function common_notice_form($action=NULL, $content=NULL) {
        common_element('label', array('for' => 'status_textarea',
                                                                  'id' => 'status_label'),
                                   sprintf(_('What\'s up, %s?'), $user->nickname));
-        common_element('span', array('id' => 'counter', 'class' => 'counter'), '140');
+    common_element('span', array('id' => 'counter', 'class' => 'counter'), '140');
        common_element('textarea', array('id' => 'status_textarea',
                                                                         'cols' => 60,
                                                                         'rows' => 3,
                                                                         'name' => 'status_textarea'),
                                   ($content) ? $content : '');
+       common_hidden('token', common_session_token());
        if ($action) {
                common_hidden('returnto', $action);
        }
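Review bot: The new `common_hidden('token', common_session_token())` line carries no comment naming its consumer, while the checking side refers back to this function by name; add `# CSRF token, verified in NewnoticeAction::save_new_notice()` above it so the two halves stay linked when either moves. The re-indented counter line in the same hunk still uses spaces where the surrounding lines use tabs, so the whitespace-only change will keep showing up in blame — indent it with a tab like its neighbours. common_notice_form() continues outside the hunk.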