Merge branch 'master' into movable_apps_2

4 files changed, 21 insertions, 7 deletions

diff --git a/core/templates/login.php b/core/templates/login.php
index 4ba92221a7d..4035dfe8a5a 100644
--- a/core/templates/login.php
+++ b/core/templates/login.php
@@ -12,6 +12,7 @@
 		<p class="infield">
 			<label for="password" class="infield"><?php echo $l->t( 'Password' ); ?></label>
 			<input type="password" name="password" id="password" value="" required <?php echo !empty($_POST['user'])?'autofocus':''; ?> />
+			<input type="hidden" name="sectoken" id="sectoken" value="<?php echo($_['sectoken']); ?>"  />
 		</p>
 		<input type="checkbox" name="remember_login" value="1" id="remember_login" /><label for="remember_login"><?php echo $l->t('remember'); ?></label>
 		<input type="submit" id="submit" class="login" value="<?php echo $l->t( 'Log in' ); ?>" />
diff --git a/index.php b/index.php
index 787485555fb..fe8f7f15038 100644
--- a/index.php
+++ b/index.php
@@ -63,10 +63,9 @@ elseif(OC_User::isLoggedIn()) {
 		}
 		
 	}
-}
 
 // For all others cases, we display the guest page :
-else {
+} else {
 	OC_App::loadApps();
 	$error = false;
 
@@ -84,10 +83,9 @@ else {
 		else {
 			OC_User::unsetMagicInCookie();
 		}
-	}
 
 	// Someone wants to log in :
-	elseif(isset($_POST["user"]) && isset($_POST['password'])) {
+	} elseif(isset($_POST["user"]) and isset($_POST['password']) and isset($_SESSION['sectoken']) and isset($_POST['sectoken']) and ($_SESSION['sectoken']==$_POST['sectoken']) ) {
 		if(OC_User::login($_POST["user"], $_POST["password"])) {
 			if(!empty($_POST["remember_login"])){
 				if(defined("DEBUG") && DEBUG) {
@@ -104,9 +102,9 @@ else {
 		} else {
 			$error = true;
 		}
-	}
+	
 	// The user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP
-	elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){
+	} elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){
 		if (OC_User::login($_SERVER["PHP_AUTH_USER"],$_SERVER["PHP_AUTH_PW"]))	{
 			//OC_Log::write('core',"Logged in with HTTP Authentication",OC_Log::DEBUG);
 			OC_User::unsetMagicInCookie();
@@ -115,5 +113,7 @@ else {
 			$error = true;
 		}
 	}
-	OC_Template::printGuestPage('', 'login', array('error' => $error, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' ));
+	$sectoken=rand(1000000,9999999);
+	$_SESSION['sectoken']=$sectoken;
+	OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' ));
 }
diff --git a/lib/base.php b/lib/base.php
index 5118f647134..1e28ea1ccfd 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -363,6 +363,16 @@ class OC{
 		self::checkInstalled();
 		self::checkSSL();
 
+                // CSRF protection
+                if(isset($_SERVER['HTTP_REFERER'])) $referer=$_SERVER['HTTP_REFERER']; else $referer='';
+                if(isset($_SERVER['HTTPS']) and $_SERVER['HTTPS']<>'') $protocol='https://'; else $protocol='http://';
+                $server=$protocol.$_SERVER['SERVER_NAME'];
+                if(($_SERVER['REQUEST_METHOD']=='POST') and (substr($referer,0,strlen($server))<>$server)) {
+                        $url = $protocol.$_SERVER['SERVER_NAME'].OC::$WEBROOT.'/index.php';
+                        header("Location: $url");
+                        exit();
+                } 
+
 		self::initSession();
 		self::initTemplateEngine();
 		self::checkUpgrade();
diff --git a/lib/util.php b/lib/util.php
index 0b8ea1ec907..b30b9dfd481 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -253,6 +253,9 @@ class OC_Util {
 		} else {
 			$parameters["username"] = '';
 		}
+		$sectoken=rand(1000000,9999999);
+		$_SESSION['sectoken']=$sectoken;
+		$parameters["sectoken"] = $sectoken;
 		OC_Template::printGuestPage("", "login", $parameters);
 	}