Initial commit

This commit is contained in:
billz 2023-10-05 09:37:44 +02:00
parent 24ef4b18fa
commit 0ee050c555
26 changed files with 180 additions and 148 deletions


@ -1,6 +1,5 @@
<?php <?php
require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
if (isset($_POST['blocklist_id'])) { if (isset($_POST['blocklist_id'])) {
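Review bot: The single-column `require '../../includes/csrf.php';` at the top of this section appears to exist only on the old side (the hunk counts go from 6 to 5 lines) and nothing on the new side replaces it, so the `$_POST['blocklist_id']` handler that follows no longer runs through CSRF validation at all. The later section opening `@ -1,6 +1,5 @@` with `exec('cat '. RASPI_HOSTAPD_CONFIG, ...` shows the same pattern. The other endpoints in this commit gained `require_once '../../includes/autoload.php';` and `require_once '../../includes/csrf.php';` above their config include; these two should get the same pair, otherwise the move to the tokenizer class silently widens the unprotected surface. The handler body continues past the hunk, so I cannot see whether it has any other guard.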


@ -1,8 +1,7 @@
<?php <?php
require '../../includes/csrf.php'; require_once '../../includes/autoload.php';
require_once '../../includes/csrf.php';
require_once '../../includes/config.php';
$interface = filter_input(INPUT_GET, 'inet', FILTER_SANITIZE_SPECIAL_CHARS); $interface = filter_input(INPUT_GET, 'inet', FILTER_SANITIZE_SPECIAL_CHARS);
if (empty($interface)) { if (empty($interface)) {
@ -82,4 +81,3 @@ for ($i = count($jsonData) - 1; $i >= 0; --$i) {
echo ' ]'; echo ' ]';


@ -1,6 +1,6 @@
<?php <?php
require_once '../../includes/autoload.php';
require '../../includes/csrf.php'; require_once '../../includes/csrf.php';
if (filter_input(INPUT_GET, 'tu') == 'h') { if (filter_input(INPUT_GET, 'tu') == 'h') {


@ -1,35 +1,28 @@
<?php <?php
require_once '../../includes/autoload.php';
require_once '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../includes/session.php';
require_once '../../includes/functions.php';
if (isset($_POST['csrf_token'])) { $return = 0;
if (csrfValidateRequest() && !CSRFValidate()) { $path = "../../config";
handleInvalidCSRFToken(); $configs = array(
} array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
$return = 0; array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
$path = "../../config"; array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
$configs = array( array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG), );
array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
);
foreach ($configs as $config) {
try {
$tmp = file_get_contents($config["src"]);
file_put_contents($config["tmp"], $tmp);
system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
} catch (Exception $e) {
$return = $e->getCode();
}
}
$jsonData = ['return'=>$return];
echo json_encode($jsonData);
} else { foreach ($configs as $config) {
handleInvalidCSRFToken(); try {
$tmp = file_get_contents($config["src"]);
file_put_contents($config["tmp"], $tmp);
system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
} catch (Exception $e) {
$return = $e->getCode();
}
} }
$jsonData = ['return'=>$return];
echo json_encode($jsonData);
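Review bot: The `try`/`catch (Exception $e)` around the copy loop can never observe a read failure, because `file_get_contents()` returns `false` rather than throwing; a missing or unreadable source then writes an empty temp file, which the following `sudo cp` installs over the live config while `$return` still reports 0. Check the read before writing, `if ($tmp === false) { $return = 1; continue; }`, so the endpoint reports the failure instead of clobbering the destination. The fixed `/tmp/hostapddata`, `/tmp/dhcpddata` and `/tmp/dnsmasqdata` paths are also shared with every other local process; a per-request `tempnam()` result, or a directory owned by the web user, avoids the classic pre-existing-file problem with predictable names in `/tmp`. This is moved rather than newly written code, but it is now the entire body of the endpoint.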


@ -1,6 +1,7 @@
<?php <?php
require '../../includes/csrf.php'; require_once '../../includes/autoload.php';
require_once '../../includes/csrf.php';
exec("ls /sys/class/net | grep -v lo", $interfaces); exec("ls /sys/class/net | grep -v lo", $interfaces);
echo json_encode($interfaces); echo json_encode($interfaces);


@ -1,6 +1,5 @@
<?php <?php
require '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
exec('cat '. RASPI_HOSTAPD_CONFIG, $hostapdconfig); exec('cat '. RASPI_HOSTAPD_CONFIG, $hostapdconfig);


@ -1,8 +1,9 @@
<?php <?php
require '../../includes/csrf.php'; //require_once '../../includes/config.php';
require_once '../../includes/config.php';
require_once '../../includes/locale.php'; require_once '../../includes/locale.php';
require_once '../../includes/autoload.php';
require_once '../../includes/csrf.php';
if (isset($_POST['interface'])) { if (isset($_POST['interface'])) {
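Review bot: The new side comments out the config include as `//require_once '../../includes/config.php';` while every sibling handler in this commit keeps `require_once '../../includes/config.php';` in place. If the handler body below the hunk references any `RASPI_*` constant it will now hit an undefined constant, and a commented-out `require` reads as deliberate to the next maintainer. Either restore the line or delete it outright; if it was removed because `locale.php` or `autoload.php` already loads it, a one-line comment saying so would prevent someone re-adding it.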


@ -1,8 +1,7 @@
<?php <?php
require '../../includes/csrf.php'; require_once '../../includes/autoload.php';
require_once '../../includes/csrf.php';
require_once '../../includes/functions.php';
if (isset($_POST['interface'])) { if (isset($_POST['interface'])) {
$int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']); $int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);


@ -1,7 +1,9 @@
<?php <?php
require '../../includes/csrf.php'; require_once '../../includes/autoload.php';
require_once '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../includes/functions.php';
$interface = $_GET['iface']; $interface = $_GET['iface'];


@ -1,9 +1,8 @@
<?php <?php
require '../../includes/csrf.php'; require_once '../../includes/autoload.php';
require_once '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../includes/defaults.php';
require_once '../../includes/functions.php';
require_once '../../includes/wifi_functions.php'; require_once '../../includes/wifi_functions.php';
$networks = []; $networks = [];
@ -20,4 +19,11 @@ $connected = array_filter($networks, function($n) { return $n['connected']; } );
$known = array_filter($networks, function($n) { return !$n['connected'] && $n['configured']; } ); $known = array_filter($networks, function($n) { return !$n['connected'] && $n['configured']; } );
$nearby = array_filter($networks, function($n) { return !$n['configured']; } ); $nearby = array_filter($networks, function($n) { return !$n['configured']; } );
echo renderTemplate('wifi_stations', compact('networks', 'connected', 'known', 'nearby'), true); echo renderTemplate(
"wifi_stations", compact(
"networks",
"connected",
"known",
"nearby"
),
true);


@ -1,8 +1,8 @@
<?php <?php
require '../../includes/csrf.php'; require_once '../../includes/autoload.php';
require_once '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../includes/functions.php';
if (isset($_POST['cfg_id'])) { if (isset($_POST['cfg_id'])) {
$ovpncfg_id = escapeshellcmd($_POST['cfg_id']); $ovpncfg_id = escapeshellcmd($_POST['cfg_id']);


@ -1,8 +1,8 @@
<?php <?php
require '../../includes/csrf.php'; require_once '../../includes/autoload.php';
require_once '../../includes/csrf.php';
require_once '../../includes/config.php'; require_once '../../includes/config.php';
require_once '../../includes/functions.php';
if (isset($_POST['cfg_id'])) { if (isset($_POST['cfg_id'])) {
$ovpncfg_id = escapeshellcmd($_POST['cfg_id']); $ovpncfg_id = escapeshellcmd($_POST['cfg_id']);


@ -1,6 +1,6 @@
<?php <?php
require_once 'config.php'; require_once 'includes/config.php';
/** /**
* Manages ad blocking (dnsmasq) configuration * Manages ad blocking (dnsmasq) configuration


@ -13,7 +13,7 @@ spl_autoload_register(function ($class) {
$prefix = ''; $prefix = '';
// base directory for the namespace prefix // base directory for the namespace prefix
$base_dir = 'src/'; $base_dir = $_SERVER['DOCUMENT_ROOT'] .'/src/';
// normalize the base directory with a trailing separator // normalize the base directory with a trailing separator
$base_dir = rtrim($base_dir, DIRECTORY_SEPARATOR) . '/'; $base_dir = rtrim($base_dir, DIRECTORY_SEPARATOR) . '/';
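Review bot: `$base_dir = $_SERVER['DOCUMENT_ROOT'] .'/src/';` ties class loading to the web server's document root instead of this file's location, so the autoloader breaks as soon as RaspAP is served from a subdirectory or alias, and `DOCUMENT_ROOT` is empty when the file is included from the CLI. Since `index.php` loads this file as `includes/autoload.php`, `$base_dir = __DIR__ . '/../src/';` resolves the same directory without depending on server configuration. The section changing `require_once 'config.php';` to `require_once 'includes/config.php';` has the same dependency on the working directory and would be more robust as a `__DIR__`-relative path. The `spl_autoload_register` closure this lives in starts above the hunk.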


@ -1,8 +1,10 @@
<?php <?php
require_once 'functions.php'; if ( class_exists('\RaspAP\Tokens\CSRFTokenizer')) {
require_once 'session.php'; $csrfToken = new \RaspAP\Tokens\CSRFTokenizer;
$csrfToken->ensureCSRFSessionToken();
if (csrfValidateRequest() && !CSRFValidate()) { } else {
handleInvalidCSRFToken(); die('class failed to load!');
} }
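Review bot: `ensureCSRFSessionToken()` is only called after `new \RaspAP\Tokens\CSRFTokenizer`, but the class constructor already validates the request, so on a POST arriving in a session that has no token yet the comparison runs against a missing `$_SESSION['csrf_token']`; under the class file's `declare(strict_types=1)` that reaches `hash_equals()` as a null known string and raises a TypeError instead of a clean rejection. The simplest fix lives in the class: add `$this->ensureCSRFSessionToken();` in the constructor directly after `$this->ensureSession();`, before the validation check, and this file then needs only the construction. The `die('class failed to load!')` branch fails closed, which is the right default for a CSRF guard.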


@ -9,8 +9,10 @@ require_once 'includes/functions.php';
*/ */
function DisplayDashboard(&$extraFooterScripts) function DisplayDashboard(&$extraFooterScripts)
{ {
getWifiInterface();
$status = new \RaspAP\Messages\StatusMessage; $status = new \RaspAP\Messages\StatusMessage;
//$csrfToken = new \RaspAP\Tokens\CSRFTokenizer;
getWifiInterface();
// Need this check interface name for proper shell execution. // Need this check interface name for proper shell execution.
if (!preg_match('/^([a-zA-Z0-9]+)$/', $_SESSION['wifi_client_interface'])) { if (!preg_match('/^([a-zA-Z0-9]+)$/', $_SESSION['wifi_client_interface'])) {
$status->addMessage(_('Interface name invalid.'), 'danger'); $status->addMessage(_('Interface name invalid.'), 'danger');
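Review bot: The commented-out `//$csrfToken = new \RaspAP\Tokens\CSRFTokenizer;` left at the top of `DisplayDashboard` should be deleted rather than parked, since the tokenizer is now constructed once in `includes/csrf.php` and a second instance here would re-run validation. Moving `getWifiInterface();` below the `StatusMessage` construction changes nothing visible in this hunk; a short comment on why the order matters would help if it does. `DisplayDashboard` continues past the hunk.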


@ -285,79 +285,6 @@ function filter_comments($var)
return $var[0] != '#'; return $var[0] != '#';
} }
/**
* Saves a CSRF token in the session
*/
function ensureCSRFSessionToken()
{
if (empty($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
}
/**
* Add CSRF Token to form
*/
function CSRFTokenFieldTag()
{
$token = htmlspecialchars($_SESSION['csrf_token']);
return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}
/**
* Retuns a CSRF meta tag (for use with xhr, for example)
*/
function CSRFMetaTag()
{
$token = htmlspecialchars($_SESSION['csrf_token']);
return '<meta name="csrf_token" content="' . $token . '">';
}
/**
* Validate CSRF Token
*/
function CSRFValidate()
{
if(isset($_POST['csrf_token'])) {
$post_token = $_POST['csrf_token'];
$header_token = $_SERVER['HTTP_X_CSRF_TOKEN'];
if (empty($post_token) && empty($header_token)) {
return false;
}
$request_token = $post_token;
if (empty($post_token)) {
$request_token = $header_token;
}
if (hash_equals($_SESSION['csrf_token'], $request_token)) {
return true;
} else {
error_log('CSRF violation');
return false;
}
}
}
/**
* Should the request be CSRF-validated?
*/
function csrfValidateRequest()
{
$request_method = strtolower($_SERVER['REQUEST_METHOD']);
return in_array($request_method, [ "post", "put", "patch", "delete" ]);
}
/**
* Handle invalid CSRF
*/
function handleInvalidCSRFToken()
{
header('HTTP/1.1 500 Internal Server Error');
header('Content-Type: text/plain');
echo 'Invalid CSRF token';
exit;
}
/** /**
* Test whether array is associative * Test whether array is associative
*/ */


@ -23,11 +23,9 @@
* as you leave these references intact in the header comments of your source files. * as you leave these references intact in the header comments of your source files.
*/ */
require 'includes/csrf.php';
ensureCSRFSessionToken();
require_once 'includes/config.php';
require_once 'includes/autoload.php'; require_once 'includes/autoload.php';
require 'includes/csrf.php';
require_once 'includes/config.php';
require_once 'includes/defaults.php'; require_once 'includes/defaults.php';
require_once 'includes/locale.php'; require_once 'includes/locale.php';
require_once 'includes/functions.php'; require_once 'includes/functions.php';
@ -53,7 +51,7 @@ initializeApp();
<html lang="en"> <html lang="en">
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<?php echo CSRFMetaTag() ?> <?php echo $csrfToken->CSRFMetaTag(); ?>
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content=""> <meta name="description" content="">


@ -0,0 +1,113 @@
<?php
/**
* CSRF tokenizer class
*
* @description CSRF tokenizer class for RaspAP
* @author Bill Zimmerman <billzimmerman@gmail.com>
* @author Martin Glaß <mail@glasz.org>
* @license https://github.com/raspap/raspap-webgui/blob/master/LICENSE
*/
declare(strict_types=1);
namespace RaspAP\Tokens;
class CSRFTokenizer
{
// Constructor
public function __construct()
{
$this->ensureSession();
if ($this->csrfValidateRequest() && !$this->CSRFValidate()) {
$this->handleInvalidCSRFToken();
}
}
/**
* Saves a CSRF token in the session
*/
public function ensureCSRFSessionToken()
{
if (empty($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
}
/**
* Add CSRF Token to form
*/
public function CSRFTokenFieldTag()
{
$token = htmlspecialchars($_SESSION['csrf_token']);
return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}
/**
* Retuns a CSRF meta tag (for use with xhr, for example)
*/
public function CSRFMetaTag()
{
$token = htmlspecialchars($_SESSION['csrf_token']);
return '<meta name="csrf_token" content="' . $token . '">';
}
/**
* Validates a CSRF Token
*/
public function CSRFValidate()
{
if(isset($_POST['csrf_token'])) {
$post_token = $_POST['csrf_token'];
$header_token = $_SERVER['HTTP_X_CSRF_TOKEN'];
if (empty($post_token) && empty($header_token)) {
return false;
}
$request_token = $post_token;
if (empty($post_token)) {
$request_token = $header_token;
}
if (hash_equals($_SESSION['csrf_token'], $request_token)) {
return true;
} else {
error_log('CSRF violation');
return false;
}
}
}
/**
* Should the request be CSRF-validated?
*/
public function csrfValidateRequest()
{
$request_method = strtolower($_SERVER['REQUEST_METHOD']);
return in_array($request_method, [ "post", "put", "patch", "delete" ]);
}
/**
* Handle invalid CSRF
*/
public function handleInvalidCSRFToken()
{
if (function_exists('http_response_code')) {
http_response_code(500);
echo 'Invalid CSRF token';
} else {
header('HTTP/1.1 500 Internal Server Error');
header('Content-Type: text/plain');
echo 'Invalid CSRF token';
}
exit;
}
protected function ensureSession()
{
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
}
}
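Review bot: `CSRFValidate()` falls through with no return value when `$_POST['csrf_token']` is absent, so the `X-CSRF-Token` header read at `$_SERVER['HTTP_X_CSRF_TOKEN']` is only consulted when the POST field exists but is empty; an XHR caller that sends the header alone is rejected, and that header is read without `isset`. A missing or non-string value that does reach `hash_equals()` throws under `declare(strict_types=1)` rather than returning false, so the guard fails with a TypeError instead of the intended 500. The rewrite below reads both sources with `??`, rejects anything that is not a non-empty string, and returns an explicit `bool`; the `in_array(...)` in `csrfValidateRequest()` should also pass `true` as its third argument, and the `http_response_code` branch of `handleInvalidCSRFToken()` omits the `Content-Type: text/plain` header its fallback sets.

```php
    public function CSRFValidate(): bool
    {
        $postToken = $_POST['csrf_token'] ?? '';
        $headerToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
        // the form field wins; XHR callers send only the header
        $requestToken = $postToken !== '' ? $postToken : $headerToken;
        $sessionToken = $_SESSION['csrf_token'] ?? '';
        // reject anything that is not a non-empty string before hash_equals() sees it
        if (!is_string($requestToken) || $requestToken === '' || !is_string($sessionToken) || $sessionToken === '') {
            error_log('CSRF violation');
            return false;
        }
        if (hash_equals($sessionToken, $requestToken)) {
            return true;
        }
        error_log('CSRF violation');
        return false;
    }
```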


@ -28,7 +28,6 @@
<div class="card-body"> <div class="card-body">
<?php $status->showMessages(); ?> <?php $status->showMessages(); ?>
<form role="form" action="adblock_conf" enctype="multipart/form-data" method="POST"> <form role="form" action="adblock_conf" enctype="multipart/form-data" method="POST">
<?php echo CSRFTokenFieldTag() ?>
<!-- Nav tabs --> <!-- Nav tabs -->
<ul class="nav nav-tabs"> <ul class="nav nav-tabs">
<li class="nav-item"><a class="nav-link active" id="blocklisttab" href="#adblocklistsettings" data-toggle="tab"><?php echo _("Blocklist settings"); ?></a></li> <li class="nav-item"><a class="nav-link active" id="blocklisttab" href="#adblocklistsettings" data-toggle="tab"><?php echo _("Blocklist settings"); ?></a></li>
@ -50,5 +49,5 @@
<div class="card-footer"><?php echo _("Information provided by adblock"); ?></div> <div class="card-footer"><?php echo _("Information provided by adblock"); ?></div>
</div><!-- /.card --> </div><!-- /.card -->
</div><!-- /.col-lg-12 --> </div><!-- /.col-lg-12 -->
</div><!-- /.row --> </div><!-- /.row - $csrfToken->
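Review bot: `</div><!-- /.row - $csrfToken->` on the new side is a truncated edit: the HTML comment never closes, so everything the page emits after it is swallowed into the comment; restore `</div><!-- /.row -->`. Separately, this section and the `wpa_conf`, `wlan0_info`, `dhcpd_conf`, `hostapd_conf`, `openvpn_conf` and `system_info` form sections drop `<?php echo CSRFTokenFieldTag() ?>` without a replacement, while the new `CSRFValidate()` only inspects `$_POST['csrf_token']`, so unless client-side script injects the field from the meta tag these form submissions will now be rejected. Since `$csrfToken` is a file-scope variable of `includes/csrf.php` and is presumably not visible inside rendered templates, either pass it into the template data or re-expose the tag through a small global function, and then put `<?php echo $csrfToken->CSRFTokenFieldTag() ?>` (or its wrapper) back in each form.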


@ -27,7 +27,6 @@
<div class="row"> <div class="row">
<div class="col"> <div class="col">
<form method="POST" action="wpa_conf" name="wpa_conf_form"> <form method="POST" action="wpa_conf" name="wpa_conf_form">
<?php echo CSRFTokenFieldTag() ?>
<input type="hidden" name="client_settings" ?> <input type="hidden" name="client_settings" ?>
<div class="js-wifi-stations loading-spinner"></div> <div class="js-wifi-stations loading-spinner"></div>
</form> </form>


@ -123,14 +123,13 @@
<div class="col-lg-12 mt-3"> <div class="col-lg-12 mt-3">
<div class="row"> <div class="row">
<form action="wlan0_info" method="POST"> <form action="wlan0_info" method="POST">
<?php echo CSRFTokenFieldTag() ?>
<?php if (!RASPI_MONITOR_ENABLED) : ?> <?php if (!RASPI_MONITOR_ENABLED) : ?>
<?php if (!$wlan0up) : ?> <?php if (!$wlan0up) : ?>
<input type="submit" class="btn btn-success" value="<?php echo _("Start").' '.$clientInterface ?>" name="ifup_wlan0" /> <input type="submit" class="btn btn-success" value="<?php echo _("Start").' '.$clientInterface ?>" name="ifup_wlan0" />
<?php else : ?> <?php else : ?>
<input type="submit" class="btn btn-warning" value="<?php echo _("Stop").' '.$clientInterface ?>" name="ifdown_wlan0" /> <input type="submit" class="btn btn-warning" value="<?php echo _("Stop").' '.$clientInterface ?>" name="ifdown_wlan0" />
<?php endif ?> <?php endif; ?>
<?php endif ?> <?php endif; ?>
<button type="button" onClick="window.location.reload();" class="btn btn-outline btn-primary"><i class="fas fa-sync-alt"></i> <?php echo _("Refresh") ?></a> <button type="button" onClick="window.location.reload();" class="btn btn-outline btn-primary"><i class="fas fa-sync-alt"></i> <?php echo _("Refresh") ?></a>
</form> </form>
</div> </div>


@ -30,7 +30,6 @@
<div class="card-body"> <div class="card-body">
<?php $status->showMessages(); ?> <?php $status->showMessages(); ?>
<form method="POST" action="dhcpd_conf" class="js-dhcp-settings-form"> <form method="POST" action="dhcpd_conf" class="js-dhcp-settings-form">
<?php echo CSRFTokenFieldTag() ?>
<!-- Nav tabs --> <!-- Nav tabs -->
<ul class="nav nav-tabs mb-3"> <ul class="nav nav-tabs mb-3">


@ -50,8 +50,6 @@
<div class="card-body"> <div class="card-body">
<?php $status->showMessages(); ?> <?php $status->showMessages(); ?>
<form role="form" action="hostapd_conf" method="POST"> <form role="form" action="hostapd_conf" method="POST">
<?php echo CSRFTokenFieldTag() ?>
<!-- Nav tabs --> <!-- Nav tabs -->
<ul class="nav nav-tabs"> <ul class="nav nav-tabs">
<li class="nav-item"><a class="nav-link active" id="basictab" href="#basic" aria-controls="basic" data-toggle="tab"><?php echo _("Basic"); ?></a></li> <li class="nav-item"><a class="nav-link active" id="basictab" href="#basic" aria-controls="basic" data-toggle="tab"><?php echo _("Basic"); ?></a></li>


@ -29,7 +29,6 @@
<div class="card-body"> <div class="card-body">
<?php $status->showMessages(); ?> <?php $status->showMessages(); ?>
<form role="form" action="openvpn_conf" enctype="multipart/form-data" method="POST"> <form role="form" action="openvpn_conf" enctype="multipart/form-data" method="POST">
<?php echo CSRFTokenFieldTag() ?>
<!-- Nav tabs --> <!-- Nav tabs -->
<ul class="nav nav-tabs"> <ul class="nav nav-tabs">
<li class="nav-item"><a class="nav-link active" id="clienttab" href="#openvpnclient" data-toggle="tab"><?php echo _("Client settings"); ?></a></li> <li class="nav-item"><a class="nav-link active" id="clienttab" href="#openvpnclient" data-toggle="tab"><?php echo _("Client settings"); ?></a></li>


@ -11,7 +11,6 @@
<div class="card-body"> <div class="card-body">
<?php $status->showMessages(); ?> <?php $status->showMessages(); ?>
<form role="form" action="system_info" method="POST"> <form role="form" action="system_info" method="POST">
<?php echo CSRFTokenFieldTag() ?>
<ul class="nav nav-tabs" role="tablist"> <ul class="nav nav-tabs" role="tablist">
<li role="presentation" class="nav-item"><a class="nav-link active" id="basictab" href="#basic" aria-controls="basic" role="tab" data-toggle="tab"><?php echo _("Basic"); ?></a></li> <li role="presentation" class="nav-item"><a class="nav-link active" id="basictab" href="#basic" aria-controls="basic" role="tab" data-toggle="tab"><?php echo _("Basic"); ?></a></li>
<li role="presentation" class="nav-item"><a class="nav-link" id="languagetab" href="#language" aria-controls="language" role="tab" data-toggle="tab"><?php echo _("Language"); ?></a></li> <li role="presentation" class="nav-item"><a class="nav-link" id="languagetab" href="#language" aria-controls="language" role="tab" data-toggle="tab"><?php echo _("Language"); ?></a></li>