Check for CSRF at only one place in the code

This commit is contained in:
Miraty 2022-05-22 17:47:00 +02:00
parent deb219d758
commit b7e69d8b41
25 changed files with 82 additions and 111 deletions

View file

@ -2,11 +2,6 @@
require "init.php";
function antiCSRF() {
if (!isset($_SERVER['HTTP_SEC_FETCH_SITE']) OR $_SERVER['HTTP_SEC_FETCH_SITE'] !== "same-origin")
userError("Anti-CSRF verification failed ! (Wrong or unset Sec-Fetch-Site HTTP header)");
}
// Session initialisation (with cookies)
if (
isset($_COOKIE['niver-session-key']) // Resume session
@ -75,7 +70,7 @@ $cssFileName = Less_Cache::Get($absoluteLessFiles, $options, THEME);
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="UTF-8">
<meta charset="utf-8">
<title><?php
if (isset($page['title']) AND $page['title'] != "Accueil")
echo $page['title'] . " < ";
@ -85,10 +80,8 @@ $cssFileName = Less_Cache::Get($absoluteLessFiles, $options, THEME);
<link type="text/css" rel="stylesheet" href="<?= CONF['common']['prefix'] ?>/css/<?= $cssFileName ?>">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<header>
<nav>
<a href="..">Niver</a><?php
if (isset($page['service']))
@ -96,15 +89,20 @@ $cssFileName = Less_Cache::Get($absoluteLessFiles, $options, THEME);
if (PAGE != "index")
echo ' > <a href="' . PAGE . '">' . $page['title'] . "</a>";
?>
</nav>
<?php if (isset($page['title'])) { ?>
<h1><?= $page['title'] ?></h1>
<?php } ?>
</header>
<main>
<?php
if (isset($page['title']))
echo "<h1>" . $page['title'] . "</h1>";
// Protect against cross-site request forgery if a POST request is received
if (empty($_POST) === false AND (isset($_SERVER['HTTP_SEC_FETCH_SITE']) !== true OR $_SERVER['HTTP_SEC_FETCH_SITE'] !== "same-origin"))
userError("Anti-CSRF verification failed ! (Wrong or unset <code>Sec-Fetch-Site</code> HTTP header)");
function closeHTML() {
?>
</main>

View file

@ -17,15 +17,14 @@
<br>
<select required="" name="zone" id="zone">
<option value="" disabled="" selected="">-</option>
<?php
$zones = nsListUserZones($_SESSION['username']);
if (!empty($zones)) {
if (!empty($zones))
foreach ($zones as $zone)
echo "<option value='" . $zone . "'>" . $zone . "</option>";
}
?>
</select>
</div>
</fieldset>

View file

@ -9,6 +9,7 @@ html {
}
h1 {
text-align: center;
font-size: @fontSize + 25px;
line-height: @fontSize + 30px
}

7
ns.php
View file

@ -1,15 +1,12 @@
<?php
function nsCommonRequirements() {
if (isset($_POST['action'])
return (isset($_POST['action'])
AND isset($_POST['zone'])
AND isset($_POST['ttl-value'])
AND isset($_POST['ttl-multiplier'])
AND isset($_SESSION['username'])
) {
antiCSRF();
return true;
}
);
}
function nsParseCommonRequirements() {

View file

@ -18,8 +18,6 @@ Pas de compte ? <a class="authButton" href="register">En créer un</a>
if (isset($_POST['username']) AND isset($_POST['password'])) {
antiCSRF();
checkPasswordFormat($_POST['password']);
checkUsernameFormat($_POST['username']);

View file

@ -18,8 +18,6 @@
if (isset($_SESSION['username']) AND isset($_POST['newPassword']) AND isset($_POST['currentPassword'])) {
antiCSRF();
checkPasswordFormat($_POST['newPassword']);
if (checkPassword($_SESSION['username'], $_POST['currentPassword']) !== true)

View file

@ -4,8 +4,6 @@
if (isset($_POST['username']) AND isset($_POST['password'])) {
antiCSRF();
checkPasswordFormat($_POST['password']);
checkUsernameFormat($_POST['username']);

View file

@ -30,8 +30,6 @@ if (isset($_SESSION['username'])) {
if (isset($_POST['dir']) AND isset($_SESSION['username'])) {
antiCSRF();
if ($dirsStatuses[$_POST['dir']] !== false)
userError("Wrong value for <code>dir</code>.");

View file

@ -36,8 +36,6 @@ if (isset($_SESSION['username'])) {
if (isset($_POST['domain']) AND isset($_POST['dir']) AND isset($_SESSION['username'])) {
antiCSRF();
checkDomainFormat($_POST['domain']);
if ($dirsStatuses[$_POST['dir']] !== false)

View file

@ -22,8 +22,6 @@
if (isset($_POST['domain']) AND isset($_SESSION['username'])) {
antiCSRF();
exec(CONF['ht']['sudo_path'] . " " . CONF['ht']['certbot_path'] . " certonly --dry-run --test-cert --webroot --webroot-path /srv/acme --register-unsafely-without-email --agree-tos --domain " . $_POST['domain'], $output, $returnCode);
// Log Certbot response

View file

@ -27,8 +27,6 @@ Afin d'activer DNSSEC, vous devez indiquer un enregistrement DS à la zone paren
if (isset($_POST['zone']) AND isset($_SESSION['username'])) {
antiCSRF();
nsCheckZonePossession($_POST['zone']);
$zoneContent = file_get_contents(CONF['ns']['knot_zones_path'] . "/" . $_POST['zone'] . "zone");

View file

@ -11,8 +11,6 @@
if (isset($_POST['domain']) AND isset($_SESSION['username'])) {
antiCSRF();
checkAbsoluteDomainFormat($_POST['domain']);
$db = new PDO('sqlite:' . DB_PATH);

View file

@ -70,8 +70,6 @@
if (isset($_POST['zone']) AND isset($_POST['keytag']) AND isset($_POST['algo']) AND isset($_POST['key']) AND isset($_SESSION['username'])) {
antiCSRF();
if (!($_POST['algo'] === "8")
AND !($_POST['algo'] === "13")
AND !($_POST['algo'] === "14")

View file

@ -43,8 +43,6 @@
if (isset($_POST['action']) AND isset($_POST['subdomain']) AND isset($_POST['suffix']) AND isset($_POST['ip']) AND isset($_SESSION['username'])) {
antiCSRF();
if (in_array($_POST['suffix'], $suffixes) !== true)
userError("You don't own this domain.");

View file

@ -36,8 +36,6 @@
if (isset($_POST['domain']) AND isset($_POST['action']) AND isset($_POST['ns']) AND isset($_SESSION['username'])) {
antiCSRF();
regCheckDomainPossession($_POST['domain']);
checkAbsoluteDomainFormat($_POST['ns']);

View file

@ -17,8 +17,6 @@ Ce domaine doit être composé uniquement d'au moins 4 lettres latines non accen
if (isset($_POST['subdomain']) AND isset($_SESSION['username'])) {
antiCSRF();
if (preg_match("/" . CONF['reg']['subdomain_regex'] . "/", $_POST['subdomain']) !== 1)
userError("Erreur : Le nom de domaine doit être composé uniquement d'entre 4 et 63 lettres minuscules (a-z)");