authorThomas Tanghus <thomas@tanghus.net>2012-06-13 17:35:42 +0200
committerThomas Tanghus <thomas@tanghus.net>2012-06-13 17:35:42 +0200
commitbc1e8cb0a2ef634949ae520c6aedab435eaf5b80 (patch)
treeae72b2dc4296127d9f332aa6f6929ea74f9c0820
parent89464721c7aa4464419cbcbedc658843f6c4696d (diff)
downloadnextcloud-server-bc1e8cb0a2ef634949ae520c6aedab435eaf5b80.tar.gz
nextcloud-server-bc1e8cb0a2ef634949ae520c6aedab435eaf5b80.zip
Contacts: implemented CSRF prevention.
-rw-r--r--apps/contacts/ajax/activation.php1
-rw-r--r--apps/contacts/ajax/addcontact.php1
-rw-r--r--apps/contacts/ajax/addproperty.php10
-rw-r--r--apps/contacts/ajax/createaddressbook.php1
-rw-r--r--apps/contacts/ajax/cropphoto.php2
-rw-r--r--apps/contacts/ajax/deletebook.php1
-rw-r--r--apps/contacts/ajax/deletecard.php11
-rw-r--r--apps/contacts/ajax/deleteproperty.php1
-rw-r--r--apps/contacts/ajax/savecrop.php1
-rw-r--r--apps/contacts/ajax/saveproperty.php19
-rw-r--r--apps/contacts/ajax/uploadphoto.php2
-rw-r--r--apps/contacts/js/contacts.js4
-rw-r--r--apps/contacts/templates/part.contact.php2
-rw-r--r--apps/contacts/templates/part.cropphoto.php2
14 files changed, 52 insertions, 6 deletions
diff --git a/apps/contacts/ajax/activation.php b/apps/contacts/ajax/activation.php
index 388a3b5438c..74cb738ab8f 100644
--- a/apps/contacts/ajax/activation.php
+++ b/apps/contacts/ajax/activation.php
@@ -10,6 +10,7 @@
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
$bookid = $_POST['bookid'];
$book = OC_Contacts_App::getAddressbook($bookid);// is owner access check
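Review bot: The line right after the new callCheck(), `$bookid = $_POST['bookid'];`, still reads the key unconditionally, so a request that passes the CSRF check but omits bookid raises a PHP notice and hands null to getAddressbook(). addcontact.php in this same commit guards its parameter with `isset($_POST['aid'])?$_POST['aid']:null` and bails when it is missing; the same shape here, `$bookid = isset($_POST['bookid']) ? $_POST['bookid'] : null;` followed by an OCP\JSON::error() when null, keeps the endpoints consistent. The rest of the handler is outside the hunk.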
diff --git a/apps/contacts/ajax/addcontact.php b/apps/contacts/ajax/addcontact.php
index af9b2bbcc0e..e45072c9542 100644
--- a/apps/contacts/ajax/addcontact.php
+++ b/apps/contacts/ajax/addcontact.php
@@ -23,6 +23,7 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
$aid = isset($_POST['aid'])?$_POST['aid']:null;
if(!$aid) {
diff --git a/apps/contacts/ajax/addproperty.php b/apps/contacts/ajax/addproperty.php
index 94e09bac190..c1fca9abea8 100644
--- a/apps/contacts/ajax/addproperty.php
+++ b/apps/contacts/ajax/addproperty.php
@@ -23,6 +23,16 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
+foreach($_SERVER as $key=>$value) {
+ OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_POST as $key=>$value) {
+ OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_GET as $key=>$value) {
+ OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+OCP\JSON::callCheck();
function bailOut($msg) {
OCP\JSON::error(array('data' => array('message' => $msg)));
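Review bot: The three new foreach loops dump every entry of $_SERVER, $_POST and $_GET into the application log, and they run before `OCP\JSON::callCheck()`, so any logged-in user's cross-site POST that fails the CSRF check still gets its full payload written out. $_SERVER carries HTTP_COOKIE (the session id) and, where basic auth is in use, PHP_AUTH_PW, and $_POST now carries the requesttoken itself, so even at DEBUG level this is a credential leak into a file that is commonly world-readable or shipped to central logging. The prefix `'ajax/saveproperty.php: _SERVER: '` is also wrong for this file, which suggests this is a copy-pasted debugging aid; it should be removed before merge rather than left behind a log level.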
diff --git a/apps/contacts/ajax/createaddressbook.php b/apps/contacts/ajax/createaddressbook.php
index af7c19eef51..616766bb1a0 100644
--- a/apps/contacts/ajax/createaddressbook.php
+++ b/apps/contacts/ajax/createaddressbook.php
@@ -11,6 +11,7 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
$userid = OCP\USER::getUser();
$name = trim(strip_tags($_POST['name']));
diff --git a/apps/contacts/ajax/cropphoto.php b/apps/contacts/ajax/cropphoto.php
index caba7c8c4ef..eb9f1fcdb5d 100644
--- a/apps/contacts/ajax/cropphoto.php
+++ b/apps/contacts/ajax/cropphoto.php
@@ -25,10 +25,12 @@ OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
$tmpkey = $_GET['tmpkey'];
+$requesttoken = $_GET['requesttoken'];
$id = $_GET['id'];
$tmpl = new OCP\Template("contacts", "part.cropphoto");
$tmpl->assign('tmpkey', $tmpkey);
$tmpl->assign('id', $id);
+$tmpl->assign('requesttoken', $requesttoken);
$page = $tmpl->fetchPage();
OCP\JSON::success(array('data' => array( 'page' => $page )));
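Review bot: `$requesttoken = $_GET['requesttoken'];` takes the CSRF token from the incoming query string and hands it to the template, so the value that ends up in the crop form is whatever the caller supplied rather than the token the server holds in the session. The savecrop.php check added in this commit still compares against the session, so this does not weaken that check, but it means an arbitrary query-string value is rendered into HTML (see the template hunk) and the token is needlessly round-tripped through URLs, where it lands in browser history and server access logs. If the template layer already exposes the session token (the part.contact.php hunk reads `$_['requesttoken']` without this endpoint assigning it, which suggests it does), drop the `$_GET` read and the assign and let the template use that; otherwise assign it from the server-side source rather than from the request. Note also that this endpoint itself reads `$_GET['id']` without an isset guard; it is read-only, so the missing callCheck() is fine.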
diff --git a/apps/contacts/ajax/deletebook.php b/apps/contacts/ajax/deletebook.php
index fe582daa00f..1b86ecf223e 100644
--- a/apps/contacts/ajax/deletebook.php
+++ b/apps/contacts/ajax/deletebook.php
@@ -23,6 +23,7 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
//$id = $_GET['id'];
$id = $_POST['id'];
diff --git a/apps/contacts/ajax/deletecard.php b/apps/contacts/ajax/deletecard.php
index e6d0405a240..2a6bd277d19 100644
--- a/apps/contacts/ajax/deletecard.php
+++ b/apps/contacts/ajax/deletecard.php
@@ -28,6 +28,17 @@ function bailOut($msg) {
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
+// foreach($_SERVER as $key=>$value) {
+// OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.$value, OCP\Util::DEBUG);
+// }
+foreach($_POST as $key=>$value) {
+ OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_GET as $key=>$value) {
+ OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
$id = isset($_POST['id'])?$_POST['id']:null;
if(!$id) {
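Review bot: The added foreach loops write every $_POST and $_GET value to the log with the prefix `'ajax/saveproperty.php: _POST: '`, which is the wrong file name for deletecard.php and, more importantly, records the requesttoken and the contact id of every delete request at DEBUG level. Together with the commented-out $_SERVER loop above it, this reads as a debugging leftover; commented-out code should not be committed, and the live loops should go too. If a trace of the delete is wanted, log only the id after validation, e.g. `OCP\Util::writeLog('contacts','ajax/deletecard.php: id: '.$id, OCP\Util::DEBUG);`. The id validation continues past the end of the hunk.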
diff --git a/apps/contacts/ajax/deleteproperty.php b/apps/contacts/ajax/deleteproperty.php
index e6c2bd9f803..55f7e323083 100644
--- a/apps/contacts/ajax/deleteproperty.php
+++ b/apps/contacts/ajax/deleteproperty.php
@@ -23,6 +23,7 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
$id = $_POST['id'];
$checksum = $_POST['checksum'];
diff --git a/apps/contacts/ajax/savecrop.php b/apps/contacts/ajax/savecrop.php
index b3aab6a8810..6faf6a173d5 100644
--- a/apps/contacts/ajax/savecrop.php
+++ b/apps/contacts/ajax/savecrop.php
@@ -22,6 +22,7 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
// Firefox and Konqueror tries to download application/json for me. --Arthur
OCP\JSON::setContentTypeHeader('text/plain');
diff --git a/apps/contacts/ajax/saveproperty.php b/apps/contacts/ajax/saveproperty.php
index d8400734710..c779c496116 100644
--- a/apps/contacts/ajax/saveproperty.php
+++ b/apps/contacts/ajax/saveproperty.php
@@ -20,10 +20,6 @@
*
*/
-// Check if we are a user
-OCP\JSON::checkLoggedIn();
-OCP\JSON::checkAppEnabled('contacts');
-
function bailOut($msg) {
OCP\JSON::error(array('data' => array('message' => $msg)));
OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
@@ -33,6 +29,21 @@ function debug($msg) {
OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
}
+// Check if we are a user
+OCP\JSON::checkLoggedIn();
+OCP\JSON::checkAppEnabled('contacts');
+
+foreach($_SERVER as $key=>$value) {
+ debug('_SERVER: '.$key.'=>'.print_r($value, true));
+}
+foreach($_POST as $key=>$value) {
+ debug('_POST: '.$key.'=>'.print_r($value, true));
+}
+foreach($_GET as $key=>$value) {
+ debug('_GET: '.$key.'=>'.print_r($value, true));
+}
+OCP\JSON::callCheck();
+
$id = isset($_POST['id'])?$_POST['id']:null;
$name = isset($_POST['name'])?$_POST['name']:null;
$value = isset($_POST['value'])?$_POST['value']:null;
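Review bot: The new `foreach($_SERVER as $key=>$value) { debug(...) }` loop, and the $_POST and $_GET loops after it, run after checkLoggedIn() but before the new `OCP\JSON::callCheck()`, so a forged cross-site request that is about to be rejected for a bad token still has its cookies, Authorization data and full form body written to the log. Because $_SERVER includes HTTP_COOKIE and any PHP_AUTH_* values, this turns a DEBUG-level log into a session-cookie and password sink; the requesttoken in $_POST is logged as well. The moved checkLoggedIn()/checkAppEnabled() block is fine where it is, since only function definitions precede it, but the three loops should be deleted rather than shipped behind a log level. The rest of the handler is outside the hunk.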
diff --git a/apps/contacts/ajax/uploadphoto.php b/apps/contacts/ajax/uploadphoto.php
index 32abc6c2859..889de6a1f8b 100644
--- a/apps/contacts/ajax/uploadphoto.php
+++ b/apps/contacts/ajax/uploadphoto.php
@@ -23,6 +23,8 @@
// Check if we are a user
OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
// Firefox and Konqueror tries to download application/json for me. --Arthur
OCP\JSON::setContentTypeHeader('text/plain');
function bailOut($msg) {
diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js
index 6b83504c9c4..45509a7f9db 100644
--- a/apps/contacts/js/contacts.js
+++ b/apps/contacts/js/contacts.js
@@ -622,7 +622,7 @@ Contacts={
q = q + '&id=' + this.id + '&name=' + name;
if(checksum != undefined && checksum != '') { // save
q = q + '&checksum=' + checksum;
- //console.log('Saving: ' + q);
+ console.log('Saving: ' + q);
$(obj).attr('disabled', 'disabled');
$.post(OC.filePath('contacts', 'ajax', 'saveproperty.php'),q,function(jsondata){
if(jsondata.status == 'success'){
@@ -640,7 +640,7 @@ Contacts={
}
},'json');
} else { // add
- //console.log('Adding: ' + q);
+ console.log('Adding: ' + q);
$(obj).attr('disabled', 'disabled');
$.post(OC.filePath('contacts', 'ajax', 'addproperty.php'),q,function(jsondata){
if(jsondata.status == 'success'){
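Review bot: Both hunks turn the previously commented-out `console.log('Saving: ' + q);` and `console.log('Adding: ' + q);` back on, which prints the full POST body to the browser console on every property save. `q` is built from the form fields (id, name, checksum and, if the token is appended upstream of this hunk, the requesttoken) so contact data and the CSRF token become visible in the console and in any console-capture tooling. Given that the surrounding handlers already report success and failure through jsondata, these look like debugging aids that should be removed or re-commented before merge. The enclosing function starts before the first hunk.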
diff --git a/apps/contacts/templates/part.contact.php b/apps/contacts/templates/part.contact.php
index c1ba1ccdc21..ca682baaf80 100644
--- a/apps/contacts/templates/part.contact.php
+++ b/apps/contacts/templates/part.contact.php
@@ -3,6 +3,7 @@ $id = isset($_['id']) ? $_['id'] : '';
?>
<div id="card">
<form class="float" id="file_upload_form" action="<?php echo OCP\Util::linkTo('contacts', 'ajax/uploadphoto.php'); ?>" method="post" enctype="multipart/form-data" target="file_upload_target">
+ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
<input type="hidden" name="id" value="<?php echo $_['id'] ?>">
<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $_['uploadMaxFilesize'] ?>" id="max_upload">
<input type="hidden" class="max_human_file_size" value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)">
@@ -23,6 +24,7 @@ $id = isset($_['id']) ? $_['id'] : '';
<div id="contact_identity" class="contactsection">
<form method="post">
<input type="hidden" name="id" value="<?php echo $_['id'] ?>">
+ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
<fieldset id="ident" class="contactpart">
<span class="propertycontainer" data-element="N"><input type="hidden" id="n" class="contacts_property" name="value" value="" /></span>
<span id="name" class="propertycontainer" data-element="FN">
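Review bot: Both added hidden inputs echo `$_['requesttoken']` straight into an attribute value without htmlspecialchars(), and nothing in this diff assigns requesttoken for part.contact.php (only cropphoto.php does, for a different template). If OC_Template injects the session token automatically the value is server-generated and the field works; if it does not, the field renders empty with a PHP notice and uploadphoto.php's new callCheck() rejects every upload. Either way, escaping keeps the template consistent with the project's usual output encoding: `<input type="hidden" name="requesttoken" value="<?php echo htmlspecialchars($_['requesttoken']); ?>">`. Any other forms in this template lie outside the hunks and would need the same field to keep working under the new checks.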
diff --git a/apps/contacts/templates/part.cropphoto.php b/apps/contacts/templates/part.cropphoto.php
index d7f0efc57d7..1e025ef4e0c 100644
--- a/apps/contacts/templates/part.cropphoto.php
+++ b/apps/contacts/templates/part.cropphoto.php
@@ -1,6 +1,7 @@
<?php
$id = $_['id'];
$tmpkey = $_['tmpkey'];
+$csrf_token = $_GET['csrf_token'];
OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey, OCP\Util::DEBUG);
?>
<script language="Javascript">
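Review bot: `$csrf_token = $_GET['csrf_token'];` reads the token from the raw query string inside a template, under a key that does not match the `requesttoken` the controller assigns in cropphoto.php, so unless the JavaScript also sends csrf_token this is an undefined index and the hidden field in the form below renders empty, making savecrop.php's new callCheck() fail for every crop. It is also echoed later in this file as `value="<?php echo $csrf_token; ?>"` with no escaping, so whatever the caller puts in the URL is injected into markup that the JS then inserts into the page. The template should take the value the controller hands it and escape it on output: `$csrf_token = $_['requesttoken'];` here, and `value="<?php echo htmlspecialchars($csrf_token); ?>"` in the form hunk.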
@@ -48,6 +49,7 @@ OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey,
action="<?php echo OCP\Util::linkToAbsolute('contacts', 'ajax/savecrop.php'); ?>">
<input type="hidden" id="id" name="id" value="<?php echo $id; ?>" />
+ <input type="hidden" name="requesttoken" value="<?php echo $csrf_token; ?>">
<input type="hidden" id="tmpkey" name="tmpkey" value="<?php echo $tmpkey; ?>" />
<fieldset id="coords">
<input type="hidden" id="x1" name="x1" value="" />