Update CSRF token handling

NNTmux · Mar 2, 2018 · 32ba20d · 32ba20d
1 parent 9adfd61
commit 32ba20d
Show file tree

Hide file tree

Showing 14 changed files with 32 additions and 13 deletions.
diff --git a/Blacklight/utility/Utility.php b/Blacklight/utility/Utility.php
@@ -1088,11 +1088,12 @@ public static function convertMultiArray($array, $separator): string
     }
 
     /**
-     * @param string $tableName
+     * @param $tableName
      * @param $start
      * @param $num
      *
      * @return array
+     * @throws \Exception
      */
     public static function getRange($tableName, $start, $num): array
     {
@@ -1109,9 +1110,10 @@ public static function getRange($tableName, $start, $num): array
     }
 
     /**
-     * @param string $tableName
+     * @param $tableName
      *
      * @return int
+     * @throws \Exception
      */
     public static function getCount($tableName): int
     {
@@ -1124,8 +1126,8 @@ public static function getCount($tableName): int
     /**
      * @return bool
      */
-    public static function checkCsrfToken(): bool
+    public static function checkCSRFToken(): bool
     {
-        return ! empty($_POST['_token']) && hash_equals($_SESSION['token'], $_POST['_token']);
+        return request()->has('_token') && hash_equals($_SESSION['_token'], request()->input('_token'));
     }
 }
diff --git a/Changelog b/Changelog
@@ -1,4 +1,5 @@
 2018-03-02 DariusIII
+	* Chg: Update CSRF token handling
 	* Chg: Update font-awesome to version 5.0.8
 2018-03-01 DariusIII
 	* Chg: Update symfony components, league/flysystem to latest versions

diff --git a/app/Models/User.php b/app/Models/User.php
@@ -825,7 +825,7 @@ public static function updateSiteAccessed($userID, $host = ''): void
     public static function setCookies($userID): void
     {
         $user = self::find($userID);
-        $secure_cookie = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? '1' : '0');
+        $secure_cookie = request()->secure();
         setcookie('uid', $userID, time() + 2592000, '/', null, $secure_cookie, true);
         setcookie('idh', self::hashSHA1($user['userseed'].$userID), time() + 2592000, '/', null, $secure_cookie, true);
     }

diff --git a/public/pages/BasePage.php b/public/pages/BasePage.php
@@ -7,6 +7,7 @@
 use Blacklight\SABnzbd;
 use App\Models\Settings;
 use App\Models\RoleExcludedCategory;
+use Illuminate\Support\Carbon;
 
 class BasePage
 {
@@ -99,12 +100,18 @@ class BasePage
     public function __construct()
     {
         if (session_id() === '') {
-            session_set_cookie_params(0, '/', '', $this->https, true);
             session_start();
-            if (empty($_SESSION['token'])) {
-                $_SESSION['token'] = sodium_bin2hex(random_bytes(32));
+
+            $lifetime = Carbon::now()->addMinutes(config('session.lifetime'))->timestamp;
+            $domain = config('session.domain');
+            $http_only = config('session.http_only');
+            $secure = request()->secure();
+
+            if (empty($_SESSION['_token'])) {
+                $_SESSION['_token'] = sodium_bin2hex(random_bytes(32));
             }
-            $this->token = $_SESSION['token'];
+            setcookie('XSRF-TOKEN', $_SESSION['_token'], $lifetime, '/', $domain, $secure, false);
+            setcookie(config('session.cookie'), $_SESSION['_token'], $lifetime, '/', $domain, $secure, $http_only);
         }
 
         if (env('FLOOD_CHECK', false)) {
@@ -138,6 +145,8 @@ public function __construct()
             $this->smarty->assign('serverroot', $this->serverurl);
         }
 
+        $this->smarty->assign('csrf_token', $_SESSION['_token']);
+
         $this->page = request()->input('page') ?? 'content';
 
         if (User::isLoggedIn()) {
@@ -299,7 +308,7 @@ public function showMaintenance(): void
      */
     public function showTokenError(): void
     {
-        header('HTTP/1.1 503 Service Temporarily Unavailable');
+        header('HTTP/1.1 419 Token Mismatch Error');
         die(view('errors.tokenError'));
     }
 

diff --git a/public/pages/login.php b/public/pages/login.php
@@ -15,7 +15,7 @@
     } elseif ($captcha->getError() === false) {
         $username = htmlspecialchars(request()->input('username'), ENT_QUOTES | ENT_HTML5);
         $page->smarty->assign('username', $username);
-        if (Utility::checkCsrfToken() === true) {
+        if (Utility::checkCSRFToken() === true) {
             $res = User::getByUsername($username);
             if ($res === null) {
                 $res = User::getByEmail($username);
@@ -50,7 +50,6 @@
 }
 
 $page->smarty->assign('redirect', request()->input('redirect') ?? '');
-$page->smarty->assign('csrf_token', $page->token);
 $page->meta_title = 'Login';
 $page->meta_keywords = 'Login';
 $page->meta_description = 'Login';

diff --git a/public/pages/register.php b/public/pages/register.php
@@ -35,7 +35,7 @@
     switch ($action) {
         case 'submit':
             if ($captcha->getError() === false) {
-                if (Utility::checkCsrfToken() === true) {
+                if (Utility::checkCSRFToken() === true) {
                     $userName = request()->input('username');
                     $password = request()->input('password');
                     $confirmPassword = request()->input('confirmpassword');

diff --git a/public/themes/Charisma/basepage.tpl b/public/themes/Charisma/basepage.tpl
@@ -26,6 +26,7 @@
 	<meta charset="utf-8">
 	<title>{$page->meta_title}{if $page->meta_title != "" && $site->metatitle != ""} - {/if}{$site->metatitle}</title>
 	<meta content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no' name='viewport'>
+	<meta name="csrf-token" content="{$csrf_token}">
 	<!-- The styles -->
 	<link id="bs-css" href="{$smarty.const.WWW_THEMES}/shared/assets/bootswatch/slate/bootstrap.min.css"
 		  rel="stylesheet">

diff --git a/public/themes/Charisma/profileedit.tpl b/public/themes/Charisma/profileedit.tpl
@@ -24,6 +24,7 @@
 								</li>
 							</ul>
 							<form action="profileedit?action=submit" method="post">
+								<input type="hidden" name="_token" value="{$csrf_token}">
 								<div class="tab-content">
 									<div class="tab-pane fade active in" id="tab2_1">
 										<table cellpadding="0" cellspacing="0" width="100%">

diff --git a/public/themes/Gamma/basepage.tpl b/public/themes/Gamma/basepage.tpl
@@ -10,6 +10,7 @@
 	<meta name="application-name" content="newznab-{$site->version}" />
 	<title>{$page->meta_title}{if $page->meta_title != "" && $site->metatitle != ""} - {/if}{$site->metatitle}</title>
 	<meta content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no' name='viewport'>
+	<meta name="csrf-token" content="{$csrf_token}">
 
 {if $loggedin == "true"}
 	<link rel="alternate" type="application/rss+xml" title="{$site->title} Full Rss Feed" href="{$smarty.const.WWW_TOP}/rss?t=0&amp;dl=1&amp;i={$userdata.id}&amp;r={$userdata.rsstoken}" />

diff --git a/public/themes/Gamma/profileedit.tpl b/public/themes/Gamma/profileedit.tpl
@@ -11,6 +11,7 @@
 {/if}
 
 <form class="form-horizontal" action="profileedit?action=submit" method="post">
+	<input type="hidden" name="_token" value="{$csrf_token}">
 	<fieldset>
 		<div class="control-group">
 			<label class="control-label">Username</label>

diff --git a/public/themes/Gentele/basepage.tpl b/public/themes/Gentele/basepage.tpl
@@ -17,6 +17,7 @@
 	<meta charset="utf-8">
 	<meta http-equiv="X-UA-Compatible" content="IE=edge">
 	<meta name="viewport" content="width=device-width, initial-scale=1">
+	<meta name="csrf-token" content="{$csrf_token}">
 
 	<title>{$page->meta_title}{if $page->meta_title != "" && $site->metatitle != ""} - {/if}{$site->metatitle}</title>
 	<meta content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no' name='viewport'>

diff --git a/public/themes/Gentele/profileedit.tpl b/public/themes/Gentele/profileedit.tpl
@@ -23,6 +23,7 @@
 							</li>
 						</ul>
 						<form action="profileedit?action=submit" method="post">
+							<input type="hidden" name="_token" value="{$csrf_token}">
 							<div class="tab-content">
 								<div class="tab-pane fade active in" id="tab2_1">
 									<table cellpadding="0" cellspacing="0" width="100%">

diff --git a/public/themes/Omicron/basepage.tpl b/public/themes/Omicron/basepage.tpl
@@ -15,6 +15,7 @@
 	<meta charset="UTF-8">
 	<title>{$page->meta_title}{if $page->meta_title != "" && $site->metatitle != ""} - {/if}{$site->metatitle}</title>
 	<meta content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no' name='viewport'>
+	<meta name="csrf-token" content="{$csrf_token}">
 	<!-- Bootstrap 3.3.6 -->
 	<link href="{$smarty.const.WWW_THEMES}/shared/assets/bootstrap-3.x/dist/css/bootstrap.min.css" rel="stylesheet"
 		  type="text/css"/>

diff --git a/public/themes/Omicron/profileedit.tpl b/public/themes/Omicron/profileedit.tpl
@@ -24,6 +24,7 @@
 								</li>
 							</ul>
 							<form action="profileedit?action=submit" method="post">
+								<input type="hidden" name="_token" value="{$csrf_token}">
 								<div class="tab-content">
 									<div class="tab-pane fade active in" id="tab2_1">
 										<table cellpadding="0" cellspacing="0" width="100%">