
Add antiCSRF() in every form

Miraty há 4 anos atrás
pai
commit
6449402763
16 ficheiros alterados com 35 adições e 2 exclusões
  1. 2 0
      auth/login.php
  2. 2 0
      auth/password.php
  3. 2 0
      auth/register.php
  4. 2 0
      ht/gemini-domain.php
  5. 2 0
      ht/gemini-onion.php
  6. 2 0
      ht/http-onion.php
  7. 2 0
      ht/https-domain.php
  8. 3 1
      ht/le.php
  9. 3 0
      ht/sftp.php
  10. 1 0
      inc/ns.inc.php
  11. 2 0
      ns/dnssec.php
  12. 2 0
      ns/zone.php
  13. 2 0
      reg/ds.php
  14. 3 1
      reg/glue.php
  15. 2 0
      reg/ns.php
  16. 3 0
      reg/register.php

+ 2 - 0
auth/login.php

@@ -18,6 +18,8 @@ Pas de compte ? <a class="authButton" href="register">En créer un</a>
 
 if (isset($_POST['username']) AND isset($_POST['password'])) {
 
+  antiCSRF();
+
   if (!checkPasswordFormat($_POST['password']))
     exit("Le format du mot de passe n'est pas valide !");
 
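Review bot: Every new guard calls `antiCSRF();` as a bare statement and discards any return value, so the protection only holds if antiCSRF() itself terminates the request on a missing or invalid token; that function is not in this diff, so I cannot confirm it does. If it instead reports failure through a bool, all sixteen call sites (this one, auth/password.php, auth/register.php, the ht/, ns/ and reg/ handlers, and inc/ns.inc.php) silently continue and should read `if (!antiCSRF()) exit("ERROR : Invalid CSRF token");` or similar. A one-line docblock on antiCSRF() stating that it never returns on failure would settle this for future readers. The token is only checked once the isset() guards pass, which is fine as long as no state-changing code sits outside those guards.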

+ 2 - 0
auth/password.php

@@ -18,6 +18,8 @@
 
 if (isset($_SESSION['username']) AND isset($_POST['newPassword']) AND isset($_POST['currentPassword'])) {
 
+  antiCSRF();
+
   if (checkPassword($_SESSION['username'], $_POST['currentPassword'])) {
 
     if (!checkPasswordFormat($_POST['newPassword']))

+ 2 - 0
auth/register.php

@@ -4,6 +4,8 @@
 
 if (isset($_POST['username']) AND isset($_POST['password'])) {
 
+  antiCSRF();
+
   if (!checkPasswordFormat($_POST['password']))
     exit("Le format du mot de passe n'est pas valide !");
 

+ 2 - 0
ht/gemini-domain.php

@@ -55,6 +55,8 @@
 
 if (isset($_POST['domain']) AND isset($_POST['dir']) AND isset($_SESSION['username'])) {
 
+  antiCSRF();
+
   checkDomainFormat($_POST['domain']);
 
   if (!in_array($_POST['dir'], $notYetEnabledDirs))

+ 2 - 0
ht/gemini-onion.php

@@ -49,6 +49,8 @@
 
 if (isset($_POST['dir']) AND isset($_SESSION['username'])) {
 
+  antiCSRF();
+
   if (!in_array($_POST['dir'], $notYetEnabledDirs))
     exit("ERROR : Wrong value for dir");
 

+ 2 - 0
ht/http-onion.php

@@ -49,6 +49,8 @@
 
 if (isset($_POST['dir']) AND isset($_SESSION['username'])) {
 
+  antiCSRF();
+
   if (!in_array($_POST['dir'], $notYetEnabledDirs))
     exit("ERROR : Wrong value for dir");
 

+ 2 - 0
ht/https-domain.php

@@ -56,6 +56,8 @@
 
 if (isset($_POST['domain']) AND isset($_POST['dir']) AND isset($_SESSION['username'])) {
 
+  antiCSRF();
+
   checkDomainFormat($_POST['domain']);
 
   if (!in_array($_POST['dir'], $notYetEnabledDirs))

+ 3 - 1
ht/le.php

@@ -12,7 +12,9 @@
 
 <?php
 
-if (isset($_POST['domain'])) {
+if (isset($_POST['domaine']) AND isset($_SESSION['username'])) {
+
+  antiCSRF();
 
   exec(SUDO_PATH . " " . MANIVER_PATH . " le-install " . $_POST['domain'], $output);
   addNiverLog($_SESSION['username'] . " installed a Let's Encrypt certificate on their site", $output);
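Review bot: The rewritten guard tests `$_POST['domaine']` while the exec() call two lines below still reads `$_POST['domain']`, so either the handler is never entered (if the form still posts `domain`) or it runs with an undefined index and an empty argument; the keys should match: `if (isset($_POST['domain']) AND isset($_SESSION['username'])) {`. Independently of the CSRF check, `$_POST['domain']` is concatenated into the shell command with no format or ownership check visible in this hunk, unlike ht/https-domain.php which calls checkDomainFormat() first; at minimum pass `escapeshellarg($_POST['domain'])` to exec() and validate the domain before it. The same unescaped concatenation of request data into exec() appears in ht/sftp.php (`$_POST['password']`) and ns/dnssec.php (`$_POST['zone']`, though nsCheckZonePossession() runs first there). The enclosing if block ends outside the hunk.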

+ 3 - 0
ht/sftp.php

@@ -18,6 +18,9 @@ if ($_SESSION['sftp_enabled'] == false) { ?>
 <?php
 
   if (isset($_SESSION['username']) AND isset($_POST['password'])) {
+
+    antiCSRF();
+
     // Setup SFTP access
     exec(SUDO_PATH . " " . MANIVER_PATH . " setup-user " . $_SESSION['username'] . " " . $_POST['password'], $output);
     addNiverLog($_SESSION['username'] . " enabled SFTP on their account", $output);

+ 1 - 0
inc/ns.inc.php

@@ -9,6 +9,7 @@ function nsCommonRequirements() {
     AND isset($_POST['ttl-multiplier'])
     AND isset($_SESSION['username'])
   ) {
+    antiCSRF();
     return true;
   }
 }
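Review bot: Placing `antiCSRF();` inside nsCommonRequirements() turns a predicate into a function with a request-aborting side effect (assuming antiCSRF() exits on failure, which this diff does not show), and the function also falls off the end without a return when the isset() chain fails, so callers get null rather than false. I would add `return false;` after the closing brace of the if, and a comment above the function such as `// Validates the common POST fields for ns/ handlers and enforces the CSRF token; aborts the request on a bad token. Call before any state change.`. The function's signature and the start of its condition are above the hunk.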

+ 2 - 0
ns/dnssec.php

@@ -25,6 +25,8 @@ Afin d'activer DNSSEC, vous devez indiquer un enregistrement DS à la zone paren
 
 if (isset($_POST['zone']) AND isset($_SESSION['username'])) {
 
+  antiCSRF();
+
   nsCheckZonePossession($_POST['zone']);
 
   exec(KEYMGR_PATH . " " . $_POST['zone'] . " ds", $output);

+ 2 - 0
ns/zone.php

@@ -11,6 +11,8 @@
 
 if (isset($_POST['domain']) AND isset($_SESSION['username'])) {
 
+  antiCSRF();
+
   checkAbsoluteDomainFormat($_POST['domain']);
 
   $db = new PDO('sqlite:' . DB_PATH);

+ 2 - 0
reg/ds.php

@@ -64,6 +64,8 @@
 
 if (isset($_POST['zone']) AND isset($_POST['keytag']) AND isset($_POST['algo']) AND isset($_POST['key']) AND isset($_SESSION['username'])) {
 
+  antiCSRF();
+
   if (!($_POST['algo'] === "8")
       AND !($_POST['algo'] === "13")
       AND !($_POST['algo'] === "14")

+ 3 - 1
reg/glue.php

@@ -41,7 +41,9 @@
 
 <?php
 
-if (isset($_POST['action']) AND isset($_POST['subdomain']) AND isset($_POST['suffix']) AND isset($_POST['ip'])) {
+if (isset($_POST['action']) AND isset($_POST['subdomain']) AND isset($_POST['suffix']) AND isset($_POST['ip']) AND isset($_SESSION['username'])) {
+
+  antiCSRF();
 
   if (!$suffixes)
     exit("ERROR : You don't own any domain");

+ 2 - 0
reg/ns.php

@@ -36,6 +36,8 @@
 
 if (isset($_POST['domain']) AND isset($_POST['action']) AND isset($_POST['ns']) AND isset($_SESSION['username'])) {
 
+  antiCSRF();
+
   regCheckDomainPossession($_POST['domain']);
   checkAbsoluteDomainFormat($_POST['ns']);
 

+ 3 - 0
reg/register.php

@@ -139,6 +139,9 @@ Ce domaine doit être composé uniquement d'au moins 4 lettres latines non accen
 <?php
 
 if (isset($_POST['subdomain']) AND isset($_POST['suffix']) AND isset($_SESSION['username'])) {
+
+  antiCSRF();
+
   if (preg_match("/" . SUBDOMAIN_REGEX . "/", $_POST['subdomain'])) {
 
     if (!in_array($_POST['suffix'], SUFFIXES))