
Check for CSRF at only one place in the code

Miraty 3 年之前
父节点
当前提交
b7e69d8b41

+ 16 - 18
common/html.php

@@ -2,11 +2,6 @@
 
 require "init.php";
 
-function antiCSRF() {
-	if (!isset($_SERVER['HTTP_SEC_FETCH_SITE']) OR $_SERVER['HTTP_SEC_FETCH_SITE'] !== "same-origin")
-		userError("Anti-CSRF verification failed ! (Wrong or unset Sec-Fetch-Site HTTP header)");
-}
-
 // Session initialisation (with cookies)
 if (
 		isset($_COOKIE['niver-session-key']) // Resume session
@@ -75,7 +70,7 @@ $cssFileName = Less_Cache::Get($absoluteLessFiles, $options, THEME);
 <!DOCTYPE html>
 <html lang="fr">
 	<head>
-		<meta charset="UTF-8">
+		<meta charset="utf-8">
 		<title><?php
 		if (isset($page['title']) AND $page['title'] != "Accueil")
 			echo $page['title'] . " < ";
@@ -85,26 +80,29 @@ $cssFileName = Less_Cache::Get($absoluteLessFiles, $options, THEME);
 		<link type="text/css" rel="stylesheet" href="<?= CONF['common']['prefix'] ?>/css/<?= $cssFileName ?>">
 		<meta name="viewport" content="width=device-width, initial-scale=1">
 	</head>
-
 	<body>
 		<header>
-
 			<nav>
 				<a href="..">Niver</a><?php
-				if (isset($page['service']))
-					echo ' > <a href=".">' . $page['service'] . '</a>';
-				if (PAGE != "index")
-					echo ' > <a href="' . PAGE . '">' . $page['title'] . "</a>";
-				?>
-			</nav>
-
-			<?php if (isset($page['title'])) { ?>
-				<h1><?= $page['title'] ?></h1>
-			<?php } ?>
+if (isset($page['service']))
+	echo ' > <a href=".">' . $page['service'] . '</a>';
+if (PAGE != "index")
+	echo ' > <a href="' . PAGE . '">' . $page['title'] . "</a>";
+?>
 
+			</nav>
 		</header>
 		<main>
+
 <?php
+
+if (isset($page['title']))
+	echo "<h1>" . $page['title'] . "</h1>";
+
+// Protect against cross-site request forgery if a POST request is received
+if (empty($_POST) === false AND (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true OR $_SERVER['HTTP_SEC_FETCH_SITE'] !== "same-origin"))
+	userError("Anti-CSRF verification failed ! (Wrong or unset <code>Sec-Fetch-Site</code> HTTP header)");
+
 function closeHTML() {
 ?>
 		</main>
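Review bot: The new check at the `empty($_POST) === false` line keys the CSRF verification on whether form fields were parsed rather than on the request method, so a POST whose body carries no parseable fields (or a non-form content type) bypasses it; keying on the method is strictly stronger, e.g. `if ($_SERVER['REQUEST_METHOD'] === "POST" AND (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true OR $_SERVER['HTTP_SEC_FETCH_SITE'] !== "same-origin"))`. Because the check now runs where common/html.php is included, it only protects scripts that include that file before touching `$_POST`; public/ns/ns.php and public/ns/txt.php do so on their first line, but the other pages whose `antiCSRF()` call this commit removes are not visible here, and any endpoint that never includes html.php is now unprotected. A comment stating that contract would help the next maintainer, e.g. `// Every script that reads $_POST must require common/html.php before doing so: this is the only CSRF check`. Note also that the check fires after the `<h1>` has already been echoed, so `userError()` presumably runs with partial output sent (confirm that is acceptable). `closeHTML()` starts on the last hunk line and continues outside the hunk.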

+ 54 - 55
form.ns.php

@@ -1,59 +1,58 @@
-<label for="action">Action</label>
-<select name="action" id="action">
-	<option value="add">Ajouter</option>
-	<option value="delete">Retirer</option>
-</select>
-<br>
+	<label for="action">Action</label>
+	<select name="action" id="action">
+		<option value="add">Ajouter</option>
+		<option value="delete">Retirer</option>
+	</select>
+	<br>
 
-<fieldset>
-	<legend>Domaine</legend>
-	<div>
-		<label for="subdomain">Sous-domaine</label>
-		<br>
-		<input id="subdomain" size="16" placeholder="www" pattern="^(([a-z0-9_-]{1,63}\.?){1,127})|(@){1}$" name="subdomain" type="text">
-	</div>
-	<div>
-		<label for="zone">Zone</label>
-		<br>
-		<select required="" name="zone" id="zone">
-			<option value="" disabled="" selected="">-</option>
+	<fieldset>
+		<legend>Domaine</legend>
+		<div>
+			<label for="subdomain">Sous-domaine</label>
+			<br>
+			<input id="subdomain" size="16" placeholder="www" pattern="^(([a-z0-9_-]{1,63}\.?){1,127})|(@){1}$" name="subdomain" type="text">
+		</div>
+		<div>
+			<label for="zone">Zone</label>
+			<br>
+			<select required="" name="zone" id="zone">
+				<option value="" disabled="" selected="">-</option>
+				<?php
+				$zones = nsListUserZones($_SESSION['username']);
 
-			<?php
-			$zones = nsListUserZones($_SESSION['username']);
+				if (!empty($zones))
+					foreach ($zones as $zone)
+						echo "<option value='" . $zone . "'>" . $zone . "</option>";
+				?>
 
-			if (!empty($zones)) {
-				foreach ($zones as $zone)
-					echo "<option value='" . $zone . "'>" . $zone . "</option>";
-			}
-			?>
-		</select>
-	</div>
-</fieldset>
+			</select>
+		</div>
+	</fieldset>
 
-<fieldset>
-	<legend><abbr title="Time To Live">TTL</abbr></legend>
-	<div>
-		<label for="ttl-value">Valeur</label>
-		<br>
-		<input required="" id="ttl-value" list="ttls" name="ttl-value" size="6" type="number" min="1" max="432000" value="10800" placeholder="10800">
-		<datalist id="ttls">
-			<option value="900">
-			<option value="1800">
-			<option value="3600">
-			<option value="10800">
-			<option value="21600">
-			<option value="86400">
-			<option value="432000">
-		</datalist>
-	</div>
-	<div>
-		<label for="ttl-multiplier">Unité</label>
-		<br>
-		<select required="" name="ttl-multiplier" id="ttl-multiplier">
-			<option value="1">seconde</option>
-			<option value="60">minute</option>
-			<option value="3600">heure</option>
-			<option value="86400">jour</option>
-		</select>
-	</div>
-</fieldset>
+	<fieldset>
+		<legend><abbr title="Time To Live">TTL</abbr></legend>
+		<div>
+			<label for="ttl-value">Valeur</label>
+			<br>
+			<input required="" id="ttl-value" list="ttls" name="ttl-value" size="6" type="number" min="1" max="432000" value="10800" placeholder="10800">
+			<datalist id="ttls">
+				<option value="900">
+				<option value="1800">
+				<option value="3600">
+				<option value="10800">
+				<option value="21600">
+				<option value="86400">
+				<option value="432000">
+			</datalist>
+		</div>
+		<div>
+			<label for="ttl-multiplier">Unité</label>
+			<br>
+			<select required="" name="ttl-multiplier" id="ttl-multiplier">
+				<option value="1">seconde</option>
+				<option value="60">minute</option>
+				<option value="3600">heure</option>
+				<option value="86400">jour</option>
+			</select>
+		</div>
+	</fieldset>

+ 1 - 0
less/main.less

@@ -9,6 +9,7 @@ html {
 }
 
 h1 {
+	text-align: center;
 	font-size: @fontSize + 25px;
 	line-height: @fontSize + 30px
 }

+ 2 - 5
ns.php

@@ -1,15 +1,12 @@
 <?php
 
 function nsCommonRequirements() {
-	if (isset($_POST['action'])
+	return (isset($_POST['action'])
 		AND isset($_POST['zone'])
 		AND isset($_POST['ttl-value'])
 		AND isset($_POST['ttl-multiplier'])
 		AND isset($_SESSION['username'])
-	) {
-		antiCSRF();
-		return true;
-	}
+	);
 }
 
 function nsParseCommonRequirements() {
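Review bot: `nsCommonRequirements()` now returns a plain boolean and no longer performs the CSRF check, but nothing at the definition says so; a caller reading this function as "all preconditions for handling the form" will miss that the protection moved to common/html.php and depends on that file being included before `$_POST` is read. Add a comment above the function, `// Only checks the NS form fields are present; CSRF is verified once in common/html.php, which must be included first`, and since the function now always returns a bool, declare it: `function nsCommonRequirements(): bool {`. Whether ns.php itself includes common/html.php is not visible in this hunk.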

+ 0 - 2
public/auth/login.php

@@ -18,8 +18,6 @@ Pas de compte ? <a class="authButton" href="register">En créer un</a>
 
 if (isset($_POST['username']) AND isset($_POST['password'])) {
 
-	antiCSRF();
-
 	checkPasswordFormat($_POST['password']);
 
 	checkUsernameFormat($_POST['username']);

+ 0 - 2
public/auth/password.php

@@ -18,8 +18,6 @@
 
 if (isset($_SESSION['username']) AND isset($_POST['newPassword']) AND isset($_POST['currentPassword'])) {
 
-	antiCSRF();
-
 	checkPasswordFormat($_POST['newPassword']);
 
 	if (checkPassword($_SESSION['username'], $_POST['currentPassword']) !== true)

+ 0 - 2
public/auth/register.php

@@ -4,8 +4,6 @@
 
 if (isset($_POST['username']) AND isset($_POST['password'])) {
 
-	antiCSRF();
-
 	checkPasswordFormat($_POST['password']);
 
 	checkUsernameFormat($_POST['username']);

+ 0 - 2
public/ht/http-onion.php

@@ -30,8 +30,6 @@ if (isset($_SESSION['username'])) {
 
 if (isset($_POST['dir']) AND isset($_SESSION['username'])) {
 
-	antiCSRF();
-
 	if ($dirsStatuses[$_POST['dir']] !== false)
 		userError("Wrong value for <code>dir</code>.");
 

+ 0 - 2
public/ht/https-domain.php

@@ -36,8 +36,6 @@ if (isset($_SESSION['username'])) {
 
 if (isset($_POST['domain']) AND isset($_POST['dir']) AND isset($_SESSION['username'])) {
 
-	antiCSRF();
-
 	checkDomainFormat($_POST['domain']);
 
 	if ($dirsStatuses[$_POST['dir']] !== false)

+ 0 - 2
public/ht/le.php

@@ -22,8 +22,6 @@
 
 if (isset($_POST['domain']) AND isset($_SESSION['username'])) {
 
-	antiCSRF();
-
 	exec(CONF['ht']['sudo_path'] . " " . CONF['ht']['certbot_path'] . " certonly --dry-run --test-cert --webroot --webroot-path /srv/acme --register-unsafely-without-email --agree-tos --domain " . $_POST['domain'], $output, $returnCode);
 
 	// Log Certbot response

+ 1 - 1
public/ns/caa.php

@@ -2,7 +2,7 @@
 
 <form method="post">
 
-	<?php require "../../form.ns.php"; ?>
+<?php require "../../form.ns.php"; ?>
 
 	<br>
 	<label for="flag">Flag</label>

+ 0 - 2
public/ns/dnssec.php

@@ -27,8 +27,6 @@ Afin d'activer DNSSEC, vous devez indiquer un enregistrement DS à la zone paren
 
 if (isset($_POST['zone']) AND isset($_SESSION['username'])) {
 
-	antiCSRF();
-
 	nsCheckZonePossession($_POST['zone']);
 
 	$zoneContent = file_get_contents(CONF['ns']['knot_zones_path'] . "/" . $_POST['zone'] . "zone");

+ 1 - 1
public/ns/ip.php

@@ -6,7 +6,7 @@
 </p>
 
 <form method="post">
-	<?php require "../../form.ns.php"; ?>
+<?php require "../../form.ns.php"; ?>
 	<label for="ip">Adresse IP</label><br>
 	<input required="" pattern="^[a-f0-9:.]+$" id="ip" name="ip" minlength="7" maxlength="39" size="40" type="text" placeholder="<?= CONF['common']['ipv6_example'] ?> ou <?= CONF['common']['ipv4_example'] ?>"><br>
 	<input value="Valider" type="submit">

+ 1 - 1
public/ns/loc.php

@@ -2,7 +2,7 @@
 
 <form method="post">
 
-	<?php require "../../form.ns.php"; ?>
+<?php require "../../form.ns.php"; ?>
 
 	<br>
 	<label for="flag">Flag</label>

+ 1 - 1
public/ns/mx.php

@@ -2,7 +2,7 @@
 
 <form method="post">
 
-	<?php require "../../form.ns.php"; ?>
+<?php require "../../form.ns.php"; ?>
 
 	<br>
 

+ 1 - 1
public/ns/ns.php

@@ -1,7 +1,7 @@
 <?php require "../../common/html.php"; ?>
 
 <form method="post">
-	<?php require "../../form.ns.php"; ?>
+<?php require "../../form.ns.php"; ?>
 	<br>
 	<label for="ns">Serveur de nom</label>
 	<br>

+ 1 - 1
public/ns/srv.php

@@ -2,7 +2,7 @@
 
 <form method="post">
 
-	<?php require "../../form.ns.php"; ?>
+<?php require "../../form.ns.php"; ?>
 
 	<br>
 

+ 1 - 1
public/ns/sshfp.php

@@ -2,7 +2,7 @@
 
 <form method="post">
 
-	<?php require "../../form.ns.php"; ?>
+<?php require "../../form.ns.php"; ?>
 
 	<br>
 

+ 1 - 1
public/ns/tlsa.php

@@ -2,7 +2,7 @@
 
 <form method="post">
 
-	<?php require "../../form.ns.php"; ?>
+<?php require "../../form.ns.php"; ?>
 
 	<br>
 	<label for="use">Utilisation</label>

+ 1 - 1
public/ns/txt.php

@@ -1,7 +1,7 @@
 <?php require "../../common/html.php"; ?>
 
 <form method="post">
-	<?php require "../../form.ns.php"; ?>
+<?php require "../../form.ns.php"; ?>
 	<br>
 	<label for="txt">Texte</label>
 	<br>

+ 0 - 2
public/ns/zone.php

@@ -11,8 +11,6 @@
 
 if (isset($_POST['domain']) AND isset($_SESSION['username'])) {
 
-	antiCSRF();
-
 	checkAbsoluteDomainFormat($_POST['domain']);
 
 	$db = new PDO('sqlite:' . DB_PATH);

+ 0 - 2
public/reg/ds.php

@@ -70,8 +70,6 @@
 
 if (isset($_POST['zone']) AND isset($_POST['keytag']) AND isset($_POST['algo']) AND isset($_POST['key']) AND isset($_SESSION['username'])) {
 
-	antiCSRF();
-
 	if (!($_POST['algo'] === "8")
 			AND !($_POST['algo'] === "13")
 			AND !($_POST['algo'] === "14")

+ 0 - 2
public/reg/glue.php

@@ -43,8 +43,6 @@
 
 if (isset($_POST['action']) AND isset($_POST['subdomain']) AND isset($_POST['suffix']) AND isset($_POST['ip']) AND isset($_SESSION['username'])) {
 
-	antiCSRF();
-
 	if (in_array($_POST['suffix'], $suffixes) !== true)
 		userError("You don't own this domain.");
 

+ 0 - 2
public/reg/ns.php

@@ -36,8 +36,6 @@
 
 if (isset($_POST['domain']) AND isset($_POST['action']) AND isset($_POST['ns']) AND isset($_SESSION['username'])) {
 
-	antiCSRF();
-
 	regCheckDomainPossession($_POST['domain']);
 	checkAbsoluteDomainFormat($_POST['ns']);
 

+ 0 - 2
public/reg/register.php

@@ -17,8 +17,6 @@ Ce domaine doit être composé uniquement d'au moins 4 lettres latines non accen
 
 if (isset($_POST['subdomain']) AND isset($_SESSION['username'])) {
 
-	antiCSRF();
-
 	if (preg_match("/" . CONF['reg']['subdomain_regex'] . "/", $_POST['subdomain']) !== 1)
 		userError("Erreur : Le nom de domaine doit être composé uniquement d'entre 4 et 63 lettres minuscules (a-z)");