Contacts: Implement CSRF prevention.

author: Thomas Tanghus <thomas@tanghus.net> 2012-06-14 18:00:13 +0200
committer: Thomas Tanghus <thomas@tanghus.net> 2012-06-14 18:00:13 +0200
commit: 5b1a14f9ea93d8e4f9d90111fd1e95026a88c512 (patch)
tree: 8459401f8984586493f7e9ebfddc3ba17e26f782 /apps/contacts
parent: 3e143601fe1ab6df22831114b3e10b317d89cf6c (diff)
download: nextcloud-server-5b1a14f9ea93d8e4f9d90111fd1e95026a88c512.tar.gz
nextcloud-server-5b1a14f9ea93d8e4f9d90111fd1e95026a88c512.zip
17 files changed, 44 insertions, 31 deletions
diff --git a/apps/contacts/ajax/activation.php b/apps/contacts/ajax/activation.php
index 388a3b5438c..74cb738ab8f 100644
--- a/apps/contacts/ajax/activation.php
+++ b/apps/contacts/ajax/activation.php
@@ -10,6 +10,7 @@
  
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $bookid = $_POST['bookid'];
 $book = OC_Contacts_App::getAddressbook($bookid);// is owner access check
diff --git a/apps/contacts/ajax/addcontact.php b/apps/contacts/ajax/addcontact.php
index ee451098f1d..d15ad8c6216 100644
--- a/apps/contacts/ajax/addcontact.php
+++ b/apps/contacts/ajax/addcontact.php
@@ -27,17 +27,11 @@ function bailOut($msg) {
 	OCP\Util::writeLog('contacts','ajax/addcontact.php: '.$msg, OCP\Util::DEBUG);
 	exit();
 }
-function debug($msg) {
-	OCP\Util::writeLog('contacts','ajax/addcontact.php: '.$msg, OCP\Util::DEBUG);
-}
 
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
-
-foreach ($_POST as $key=>$element) {
-	debug('_POST: '.$key.'=>'.$element);
-}
+OCP\JSON::callCheck();
 
 $aid = isset($_POST['aid'])?$_POST['aid']:null;
 if(!$aid) {
diff --git a/apps/contacts/ajax/addproperty.php b/apps/contacts/ajax/addproperty.php
index 97d38397fd1..be9e849be72 100644
--- a/apps/contacts/ajax/addproperty.php
+++ b/apps/contacts/ajax/addproperty.php
@@ -26,6 +26,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));
diff --git a/apps/contacts/ajax/createaddressbook.php b/apps/contacts/ajax/createaddressbook.php
index af7c19eef51..616766bb1a0 100644
--- a/apps/contacts/ajax/createaddressbook.php
+++ b/apps/contacts/ajax/createaddressbook.php
@@ -11,6 +11,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $userid = OCP\USER::getUser();
 $name = trim(strip_tags($_POST['name']));
diff --git a/apps/contacts/ajax/cropphoto.php b/apps/contacts/ajax/cropphoto.php
index 7b286dbdb52..7006c6fc1ff 100644
--- a/apps/contacts/ajax/cropphoto.php
+++ b/apps/contacts/ajax/cropphoto.php
@@ -27,12 +27,14 @@
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
 
-$tmp_path = $_GET['tmp_path'];
+$tmp_path = strip_tags($_GET['tmp_path']);
+$requesttoken = strip_tags($_GET['requesttoken']);
 $id = $_GET['id'];
 OCP\Util::writeLog('contacts','ajax/cropphoto.php: tmp_path: '.$tmp_path.', exists: '.file_exists($tmp_path), OCP\Util::DEBUG);
 $tmpl = new OCP\Template("contacts", "part.cropphoto");
 $tmpl->assign('tmp_path', $tmp_path);
 $tmpl->assign('id', $id);
+$tmpl->assign('requesttoken', $requesttoken);
 $page = $tmpl->fetchPage();
 
 OCP\JSON::success(array('data' => array( 'page' => $page )));
diff --git a/apps/contacts/ajax/deletebook.php b/apps/contacts/ajax/deletebook.php
index bcf6aa44329..4520374a23b 100644
--- a/apps/contacts/ajax/deletebook.php
+++ b/apps/contacts/ajax/deletebook.php
@@ -26,6 +26,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 //$id = $_GET['id'];
 $id = $_POST['id'];
diff --git a/apps/contacts/ajax/deletecard.php b/apps/contacts/ajax/deletecard.php
index 98ff06ebe7a..f998185be41 100644
--- a/apps/contacts/ajax/deletecard.php
+++ b/apps/contacts/ajax/deletecard.php
@@ -31,6 +31,7 @@ function bailOut($msg) {
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $id = isset($_POST['id'])?$_POST['id']:null;
 if(!$id) {
diff --git a/apps/contacts/ajax/deleteproperty.php b/apps/contacts/ajax/deleteproperty.php
index a1372870344..95fd43e0d95 100644
--- a/apps/contacts/ajax/deleteproperty.php
+++ b/apps/contacts/ajax/deleteproperty.php
@@ -26,6 +26,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 $checksum = $_POST['checksum'];
diff --git a/apps/contacts/ajax/oc_photo.php b/apps/contacts/ajax/oc_photo.php
index 184217f2b72..903d2aedfbe 100644
--- a/apps/contacts/ajax/oc_photo.php
+++ b/apps/contacts/ajax/oc_photo.php
@@ -24,6 +24,7 @@
 OCP\JSON::setContentTypeHeader('text/plain');
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));
 	OCP\Util::writeLog('contacts','ajax/oc_photo.php: '.$msg, OCP\Util::ERROR);
diff --git a/apps/contacts/ajax/savecrop.php b/apps/contacts/ajax/savecrop.php
index fe9e5c5b991..263361bafc1 100644
--- a/apps/contacts/ajax/savecrop.php
+++ b/apps/contacts/ajax/savecrop.php
@@ -21,13 +21,26 @@
  * TODO: Translatable strings.
  *       Remember to delete tmp file at some point.
  */
-// Init owncloud
  
-OCP\Util::writeLog('contacts','ajax/savecrop.php: Huzzah!!!', OCP\Util::DEBUG);
+function bailOut($msg) {
+	OCP\JSON::error(array('data' => array('message' => $msg)));
+	OCP\Util::writeLog('contacts','ajax/savecrop.php: '.$msg, OCP\Util::DEBUG);
+	exit();
+}
+function debug($msg) {
+	OCP\Util::writeLog('contacts','ajax/savecrop.php: '.$msg, OCP\Util::DEBUG);
+}
 
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+foreach($_POST as $key=>$value) {
+	debug('POST: '.$key.'=>'.$value);
+}
+foreach($_GET as $key=>$value) {
+	debug('GET: '.$key.'=>'.$value);
+}
+OCP\JSON::callCheck();
 
 // foreach ($_POST as $key=>$element) {
 // 	OCP\Util::writeLog('contacts','ajax/savecrop.php: '.$key.'=>'.$element, OCP\Util::DEBUG);
@@ -36,12 +49,6 @@ OCP\JSON::checkAppEnabled('contacts');
 // Firefox and Konqueror tries to download application/json for me.  --Arthur
 OCP\JSON::setContentTypeHeader('text/plain');
 
-function bailOut($msg) {
-	OCP\JSON::error(array('data' => array('message' => $msg)));
-	OCP\Util::writeLog('contacts','ajax/savecrop.php: '.$msg, OCP\Util::DEBUG);
-	exit();
-}
-
 $image = null;
 
 $x1 = (isset($_POST['x1']) && $_POST['x1']) ? $_POST['x1'] : 0;
diff --git a/apps/contacts/ajax/saveproperty.php b/apps/contacts/ajax/saveproperty.php
index 6509ac21f28..96e082d00e9 100644
--- a/apps/contacts/ajax/saveproperty.php
+++ b/apps/contacts/ajax/saveproperty.php
@@ -26,6 +26,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));
diff --git a/apps/contacts/ajax/updateaddressbook.php b/apps/contacts/ajax/updateaddressbook.php
index 19b5b3bddce..68fe8f81211 100644
--- a/apps/contacts/ajax/updateaddressbook.php
+++ b/apps/contacts/ajax/updateaddressbook.php
@@ -11,6 +11,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $bookid = $_POST['id'];
 OC_Contacts_App::getAddressbook($bookid); // is owner access check
diff --git a/apps/contacts/ajax/uploadimport.php b/apps/contacts/ajax/uploadimport.php
index b11f380fa8a..4c3f5eadf08 100644
--- a/apps/contacts/ajax/uploadimport.php
+++ b/apps/contacts/ajax/uploadimport.php
@@ -23,14 +23,12 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));
 	OCP\Util::writeLog('contacts','ajax/uploadimport.php: '.$msg, OCP\Util::ERROR);
 	exit();
 }
-function debug($msg) {
-	OCP\Util::writeLog('contacts','ajax/uploadimport.php: '.$msg, OCP\Util::DEBUG);
-}
 
 $view = OCP\Files::getStorage('contacts');
 $tmpfile = md5(rand());
@@ -39,7 +37,6 @@ $tmpfile = md5(rand());
 $fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false);
 if($fn) {
 	if($view->file_put_contents('/'.$tmpfile, file_get_contents('php://input'))) {
-		debug($fn.' uploaded');
 		OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
 		exit();
 	} else {
@@ -70,7 +67,6 @@ $file=$_FILES['importfile'];
 $tmpfname = tempnam(get_temp_dir(), "occOrig");
 if(file_exists($file['tmp_name'])) {
 	if($view->file_put_contents('/'.$tmpfile, file_get_contents($file['tmp_name']))) {
-		debug($fn.' uploaded');
 		OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
 	} else {
 		bailOut(OC_Contacts_App::$l10n->t('Error uploading contacts to storage.'));
diff --git a/apps/contacts/ajax/uploadphoto.php b/apps/contacts/ajax/uploadphoto.php
index dca8ede6d60..2dc93362a14 100644
--- a/apps/contacts/ajax/uploadphoto.php
+++ b/apps/contacts/ajax/uploadphoto.php
@@ -19,14 +19,6 @@
  * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
  *
  */
-// Init owncloud
- 
-
-// Check if we are a user
-// Firefox and Konqueror tries to download application/json for me.  --Arthur
-OCP\JSON::setContentTypeHeader('text/plain');
-OCP\JSON::checkLoggedIn();
-OCP\JSON::checkAppEnabled('contacts');
 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));
 	OCP\Util::writeLog('contacts','ajax/uploadphoto.php: '.$msg, OCP\Util::DEBUG);
@@ -35,6 +27,16 @@ function bailOut($msg) {
 function debug($msg) {
 	OCP\Util::writeLog('contacts','ajax/uploadphoto.php: '.$msg, OCP\Util::DEBUG);
 }
+OCP\JSON::setContentTypeHeader('text/plain');
+OCP\JSON::checkLoggedIn();
+OCP\JSON::checkAppEnabled('contacts');
+foreach($_POST as $key=>$value) {
+	debug('POST: '.$key.'=>'.$value);
+}
+foreach($_GET as $key=>$value) {
+	debug('GET: '.$key.'=>'.$value);
+}
+OCP\JSON::callCheck();
 
 // If it is a Drag'n'Drop transfer it's handled here.
 $fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false);
diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js
index 4f8f3743dc4..43659956869 100644
--- a/apps/contacts/js/contacts.js
+++ b/apps/contacts/js/contacts.js
@@ -1150,7 +1150,7 @@ Contacts={
 			},
 			editPhoto:function(id, tmp_path){
 				//alert('editPhoto: ' + tmp_path);
-				$.getJSON(OC.filePath('contacts', 'ajax', 'cropphoto.php'),{'tmp_path':tmp_path,'id':this.id},function(jsondata){
+				$.getJSON(OC.filePath('contacts', 'ajax', 'cropphoto.php'),{'tmp_path':tmp_path,'id':this.id,'requesttoken':requesttoken},function(jsondata){
 					if(jsondata.status == 'success'){
 						//alert(jsondata.data.page);
 						$('#edit_photo_dialog_img').html(jsondata.data.page);
@@ -1637,7 +1637,7 @@ $(document).ready(function(){
 				//}
 			}
 		};
-		xhr.open('POST', OC.filePath('contacts', 'ajax', 'uploadphoto.php')+'?id='+Contacts.UI.Card.id+'&imagefile='+encodeURIComponent(file.name), true);
+		xhr.open('POST', OC.filePath('contacts', 'ajax', 'uploadphoto.php')+'?id='+Contacts.UI.Card.id+'&requesttoken='+requesttoken+'&imagefile='+encodeURIComponent(file.name), true);
 		xhr.setRequestHeader('Cache-Control', 'no-cache');
 		xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
 		xhr.setRequestHeader('X_FILE_NAME', encodeURIComponent(file.name));
diff --git a/apps/contacts/templates/part.contact.php b/apps/contacts/templates/part.contact.php
index 74522be37c4..9a13aafa5e3 100644
--- a/apps/contacts/templates/part.contact.php
+++ b/apps/contacts/templates/part.contact.php
@@ -4,6 +4,7 @@ $id = isset($_['id']) ? $_['id'] : '';
 <div id="card">
 	<form class="float" id="file_upload_form" action="<?php echo OCP\Util::linkTo('contacts', 'ajax/uploadphoto.php'); ?>" method="post" enctype="multipart/form-data" target="file_upload_target">
 		<input type="hidden" name="id" value="<?php echo $_['id'] ?>">
+		<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
 		<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $_['uploadMaxFilesize'] ?>" id="max_upload">
 		<input type="hidden" class="max_human_file_size" value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)">
 		<input id="file_upload_start" type="file" accept="image/*" name="imagefile" />
diff --git a/apps/contacts/templates/part.cropphoto.php b/apps/contacts/templates/part.cropphoto.php
index 599951d9a97..e1072179130 100644
--- a/apps/contacts/templates/part.cropphoto.php
+++ b/apps/contacts/templates/part.cropphoto.php
@@ -1,6 +1,7 @@
 <?php 
 $id = $_['id'];
 $tmp_path = $_['tmp_path'];
+$requesttoken = $_['requesttoken'];
 OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmp_path: '.$tmp_path.', exists: '.file_exists($tmp_path), OCP\Util::DEBUG);
 ?>
 <script language="Javascript">
@@ -47,6 +48,7 @@ OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmp_path: '.$tmp_pa
 	action="<?php echo OCP\Util::linkToAbsolute('contacts', 'ajax/savecrop.php'); ?>">
 
 	<input type="hidden" id="id" name="id" value="<?php echo $id; ?>" />
+	<input type="hidden" id="requesttoken" name="requesttoken" value="<?php echo $requesttoken; ?>" />
 	<input type="hidden" id="tmp_path" name="tmp_path" value="<?php echo $tmp_path; ?>" />
 	<fieldset id="coords">
 	<input type="hidden" id="x1" name="x1" value="" />
author	Thomas Tanghus <thomas@tanghus.net>	2012-06-14 18:00:13 +0200
committer	Thomas Tanghus <thomas@tanghus.net>	2012-06-14 18:00:13 +0200
commit	5b1a14f9ea93d8e4f9d90111fd1e95026a88c512 (patch)
tree	8459401f8984586493f7e9ebfddc3ba17e26f782 /apps/contacts
parent	3e143601fe1ab6df22831114b3e10b317d89cf6c (diff)
download	nextcloud-server-5b1a14f9ea93d8e4f9d90111fd1e95026a88c512.tar.gz nextcloud-server-5b1a14f9ea93d8e4f9d90111fd1e95026a88c512.zip