From 671016e6859fee3ae4e9bff81312b5e0d43e2cce Mon Sep 17 00:00:00 2001
From: Joe Haig
Date: Fri, 5 Aug 2016 15:50:05 +0100
Subject: [PATCH] Add CSRF to hostapd config And tidy things up a bit
---
 includes/functions.php | 29 ++++
 includes/hostapd.php | 321 +++++++++++++++++++---------------------
 2 files changed, 180 insertions(+), 170 deletions(-)
diff --git a/includes/functions.php b/includes/functions.php
index 20944244..20a44d2f 100755
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -20,6 +20,35 @@ function CSRFValidate() {
 return hash_equals($_POST['csrf_token'], $_SESSION['csrf_token']);
 }

+/**
+* Test whether array is associative
+*/
+function isAssoc($arr) {
+ return array_keys($arr) !== range(0, count($arr) - 1);
+}
+
+/**
+*
+* Display a selector field for a form. Arguments are:
+* $name: Field name
+* $options: Array of options
+* $selected: Selected option (optional)
+* If $options is an associative array this should be the key
+*
+*/
+function SelectorOptions($name, $options, $selected = null) {
+ echo "";
+}
+
 /**
 *
 * @param string $input
diff --git a/includes/hostapd.php b/includes/hostapd.php
index 1d7e1408..1eb4aa6b 100755
--- a/includes/hostapd.php
+++ b/includes/hostapd.php
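Review bot: In includes/functions.php, `isAssoc()` reports an empty array as associative, because `range(0, count($arr) - 1)` becomes `range(0, -1)`, which yields `[0, -1]` rather than an empty list; guarding the comparison, e.g. `return $arr !== array() && array_keys($arr) !== range(0, count($arr) - 1);`, keeps the empty case a plain list. The body of `SelectorOptions()` is not readable on this page (only `echo "";` survives), so confirm that `$name`, the option keys and the labels pass through `htmlspecialchars()` before being echoed, since the selected value presumably comes from stored configuration. The two new docblocks could also use `@param` tags, matching the neighbouring `@param string $input` block.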
@@ -1,19 +1,73 @@ /tmp/hostapddata", $return ); + system( "sudo cp /tmp/hostapddata " . RASPI_HOSTAPD_CONFIG, $return ); + + if( $return == 0 ) { + $status->addMessage('Wifi Hotspot settings saved', 'success'); + } else { + $status->addMessage('Wifi Hotspot settings failed to be saved', 'danger'); + } + } else { + error_log('CSRF violation'); + } + } elseif( isset($_POST['StartHotspot']) ) { + if (CSRFValidate()) { + $status->addMessage('Attempting to start hotspot', 'info'); + exec( 'sudo /etc/init.d/hostapd start', $return ); + foreach( $return as $line ) { + $status->addMessage($line, 'info'); + } + } else { + error_log('CSRF violation'); + } + } elseif( isset($_POST['StopHotspot']) ) { + if (CSRFValidate()) { + $status->addMessage('Attempting to stop hotspot', 'info'); + exec( 'sudo /etc/init.d/hostapd stop', $return ); + foreach( $return as $line ) { + $status->addMessage($line, 'info'); + } + } else { + error_log('CSRF violation'); + } + } + exec( 'cat '. RASPI_HOSTAPD_CONFIG, $return ); exec( 'pidof hostapd | wc -l', $hostapdstatus); if( $hostapdstatus[0] == 0 ) { - $status = '
HostAPD is not running -
'; + $status->addMessage('HostAPD is not running', 'warning'); } else { - $status = '
HostAPD is running -
'; + $status->addMessage('HostAPD is running', 'success'); } $arrConfig = array(); @@ -29,148 +83,111 @@ function DisplayHostAPDConfig(){ }; ?>
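Review bot: The save branch in includes/hostapd.php still stages the new configuration at the fixed path `/tmp/hostapddata` and then runs `sudo cp /tmp/hostapddata` onto `RASPI_HOSTAPD_CONFIG`, so whatever sits at that shared, predictable path when the copy runs is what gets installed with root rights. Staging in a file the web user creates itself, `$tmp = tempnam(sys_get_temp_dir(), 'hostapd');`, and copying with `system('sudo cp ' . escapeshellarg($tmp) . ' ' . RASPI_HOSTAPD_CONFIG, $return);` removes that dependency; if the sudoers rule pins the source path, a staging directory writable only by the web user is the alternative. The start of the statement that writes the file is cut off on this page; if it passes POST fields through a shell `echo`, they need `escapeshellarg()` or, better, a direct `file_put_contents()`. Separately, `$return` is reused: after the start/stop branches it already holds the init-script output, and `exec('cat ' . RASPI_HOSTAPD_CONFIG, $return)` appends to an existing array, so the config parsing that follows (outside this hunk) would see those lines too; a separate variable for the `cat` output avoids that.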
-
+
-
Configure hotspot -
+
Configure hotspot
- +
+ -
-

+
+

showMessages(); ?>

- +

Basic settings

- -
-
- - -
-
-
-
- - -
-
-
-
- - -
-
-
-
- - -
-
-
-
+ +
+
+ + +
+
+
+
+ + +
+
+
+
+ + +
+
+
+
+ + +
+
+
+

Security settings

-
- - -
-
-
-
- - -
-
-
-
- - -
-
+
+ + +
+
+
+
+ + 'TKIP+CCMP' but I am not yet sure what + * exactly is correct. + * At I read it, 'TKIP CCMP' would get written to the + * hostapd.conf file when it is saved but the correct option + * would only be selected if it reads 'TKIP+CCMP'. This is + * clearly broken. + * Now it is consistent, albeit possibly still broken. + */ + ?> + +
+
+
+
+ + +
+
-
-

Advanced settings

-
-
- - -
-
-
+
+

Advanced settings

+
+
+ + +
+
+
- - '; - } else { - echo ''; - }; - ?> - -
-
+ + '; + } else { + echo ''; + }; + ?> + +
-
+
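Review bot: The comment added above the encryption-type selector says the author is unsure which of `TKIP CCMP` and `TKIP+CCMP` is correct and that the result is "possibly still broken"; that question should be settled before merge rather than shipped in the template. If this field is what ends up in hostapd's `wpa_pairwise`, that option takes a space-separated cipher list, so the stored value would be `TKIP CCMP` and `TKIP+CCMP` can only be a display label; the option array itself is not readable on this page, so check which side of the mapping is saved. Once resolved, the block comment can shrink to one line stating the value-to-label mapping. TKIP is deprecated, so defaulting the selector to CCMP alone is the safer choice for the hotspot.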
/tmp/hostapddata", $return ); - system( "sudo cp /tmp/hostapddata " . RASPI_HOSTAPD_CONFIG, $return ); - - if( $return == 0 ) { - echo "Wifi Hotspot settings saved"; - } else { - echo "Wifi Hotspot settings failed to be saved"; - } - } elseif( isset($_POST['SaveOpenVPNSettings']) ) { + if( isset($_POST['SaveOpenVPNSettings']) ) { // TODO } elseif( isset($_POST['SaveTORProxySettings']) ) { // TODO - } elseif( isset($_POST['StartHotspot']) ) { - echo "Attempting to start hotspot"; - exec( 'sudo /etc/init.d/hostapd start', $return ); - foreach( $return as $line ) { - echo $line."
"; - } - } elseif( isset($_POST['StopHotspot']) ) { - echo "Attempting to stop hotspot"; - exec( 'sudo /etc/init.d/hostapd stop', $return ); - foreach( $return as $line ) { - echo $line."
"; - } } elseif( isset($_POST['StartOpenVPN']) ) { echo "Attempting to start openvpn"; exec( 'sudo /etc/init.d/openvpn start', $return );