RanchiMall/php-mpos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[FIX] CSRF/Re-captcha on Contactform

Browse Source 
Fixes #1666
This commit is contained in:
Sebastian Grewe 2014-02-06 10:19:58 +01:00
parent 837a8c58ea
commit 2f1d68448f
5 changed files with 21 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
public/include/config/admin_settings.inc.php
View File

@ -362,6 +362,13 @@ $aSettings['recaptcha'][] = array(
'name' => 'recaptcha_enabled_registrations', 'value' => $setting->getValue('recaptcha_enabled_registrations'), 'name' => 'recaptcha_enabled_registrations', 'value' => $setting->getValue('recaptcha_enabled_registrations'),
'tooltip' => 'Enable or Disable re-Captcha. Adds a re-Captcha to the registration form.' 'tooltip' => 'Enable or Disable re-Captcha. Adds a re-Captcha to the registration form.'
); );
$aSettings['recaptcha'][] = array(
'display' => 'Enable re-Captcha Contactform', 'type' => 'select',
'options' => array( 0 => 'No', 1 => 'Yes' ),
'default' => 0,
'name' => 'recaptcha_enabled_contactform', 'value' => $setting->getValue('recaptcha_enabled_contactform'),
'tooltip' => 'Enable or Disable re-Captcha. Adds a re-Captcha to the contact form.'
);
$aSettings['recaptcha'][] = array( $aSettings['recaptcha'][] = array(
'display' => 'Enable re-Captcha Logins', 'type' => 'select', 'display' => 'Enable re-Captcha Logins', 'type' => 'select',
'options' => array( 0 => 'No', 1 => 'Yes' ), 'options' => array( 0 => 'No', 1 => 'Yes' ),

2
public/include/pages/contactform.inc.php
View File

@ -8,7 +8,7 @@ if ($setting->getValue('disable_contactform')) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is disabled for guests.', 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is disabled for guests.', 'TYPE' => 'errormsg');
$smarty->assign("CONTENT", "disabled.tpl"); $smarty->assign("CONTENT", "disabled.tpl");
} else { } else {
if ($setting->getValue('recaptcha_enabled')) { if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_contactform')) {
require_once(INCLUDE_DIR . '/lib/recaptchalib.php'); require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'))); $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
} }

42
public/include/pages/contactform/contactform.inc.php
View File

@ -1,15 +1,18 @@
<?php <?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1; $defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
if ($setting->getValue('recaptcha_enabled')) { // ReCaptcha handling if enabled
// Load re-captcha specific data if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_contactform')) {
require_once(INCLUDE_DIR . '/lib/recaptchalib.php'); require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
// Load re-captcha specific data
$rsp = recaptcha_check_answer ( $rsp = recaptcha_check_answer (
$setting->getValue('recaptcha_private_key'), $setting->getValue('recaptcha_private_key'),
$_SERVER["REMOTE_ADDR"], $_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"], ( (isset($_POST["recaptcha_challenge_field"])) ? $_POST["recaptcha_challenge_field"] : null ),
$_POST["recaptcha_response_field"] ( (isset($_POST["recaptcha_response_field"])) ? $_POST["recaptcha_response_field"] : null )
); );
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), $rsp->error, true));
if (!$rsp->is_valid) $_SESSION['POPUP'][] = array('CONTENT' => 'Invalid Captcha, please try again.', 'TYPE' => 'errormsg');
} }
if ($setting->getValue('disable_contactform')) { if ($setting->getValue('disable_contactform')) {
@ -17,34 +20,9 @@ if ($setting->getValue('disable_contactform')) {
} else if ($setting->getValue('disable_contactform') && !$user->isAuthenticated(false)) { } else if ($setting->getValue('disable_contactform') && !$user->isAuthenticated(false)) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is disabled for guests.', 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is disabled for guests.', 'TYPE' => 'errormsg');
} else { } else {
if ($setting->getValue('recaptcha_enabled') && $_POST["recaptcha_response_field"] && $_POST["recaptcha_response_field"]!=''){ // Check if recaptcha is enabled, process form data if valid
// Check if recaptcha is enabled, process form data if valid if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_contactform') != 1 || $rsp->is_valid) {
if ($rsp->is_valid) { if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
// Check if csrf is enabled and fail if token is invalid
if ($config['csrf']['enabled'] && $csrftoken->valid) {
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
} else {
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => 'There was a problem sending your message. Please try again.' . $user->getError(), 'TYPE' => 'errormsg');
}
}
} else {
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), $rsp->error));
$_SESSION['POPUP'][] = array('CONTENT' => 'Invalid Captcha, please try again. (' . $rsp->error . ')', 'TYPE' => 'errormsg');
}
// Empty captcha
} else if ($setting->getValue('recaptcha_enabled')) {
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), $rsp->error));
$_SESSION['POPUP'][] = array('CONTENT' => 'Empty Captcha, please try again.', 'TYPE' => 'errormsg');
// Captcha disabled
} else {
// Check if csrf is enabled and fail if token is invalid
if ($config['csrf']['enabled'] && !$csrftoken->valid) {
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
} else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly'); $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
} else { } else {
$_SESSION['POPUP'][] = array('CONTENT' => 'There was a problem sending your message. Please try again. ' . $user->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => 'There was a problem sending your message. Please try again. ' . $user->getError(), 'TYPE' => 'errormsg');

3
public/templates/mpos/contactform/contactform/default.tpl
View File

@ -1,7 +1,6 @@
<form action="{$smarty.server.SCRIPT_NAME}" method="post"> <form action="{$smarty.server.SCRIPT_NAME}" method="post">
<input type="hidden" name="page" value="{$smarty.request.page|escape}"> <input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="contactform"> <input type="hidden" name="action" value="contactform">
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
<article class="module width_3_quarter"> <article class="module width_3_quarter">
<header><h3>Contact Us</h3></header> <header><h3>Contact Us</h3></header>
<div class="module_content"> <div class="module_content">
@ -21,7 +20,7 @@
<label for="message">Your Message</label> <label for="message">Your Message</label>
<textarea type="text" name="senderMessage" cols="80" rows="10" maxlength="10000" required>{$smarty.request.senderMessage|escape|default:""}</textarea> <textarea type="text" name="senderMessage" cols="80" rows="10" maxlength="10000" required>{$smarty.request.senderMessage|escape|default:""}</textarea>
</fieldset> </fieldset>
<center>{nocache}{$RECAPTCHA|default:""}{/nocache}</center> <center>{nocache}{$RECAPTCHA|default:"" nofilter}{/nocache}</center>
</div> </div>
<footer> <footer>
<div class="submit_link"><input type="submit" class="alt_btn" name="sendMessage" value="Send Email" /></div> <div class="submit_link"><input type="submit" class="alt_btn" name="sendMessage" value="Send Email" /></div>

3
public/templates/mpos/contactform/default.tpl
View File

@ -1,7 +1,6 @@
<form action="{$smarty.server.SCRIPT_NAME}" method="post"> <form action="{$smarty.server.SCRIPT_NAME}" method="post">
<input type="hidden" name="page" value="{$smarty.request.page|escape}"> <input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="contactform"> <input type="hidden" name="action" value="contactform">
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
<article class="module width_3_quarter"> <article class="module width_3_quarter">
<header><h3>Contact Us</h3></header> <header><h3>Contact Us</h3></header>
<div class="module_content"> <div class="module_content">
@ -21,7 +20,7 @@
<label for="message">Your Message</label> <label for="message">Your Message</label>
<textarea type="text" name="senderMessage" cols="80" rows="10" maxlength="10000" required>{$smarty.request.senderMessage|escape|default:""}</textarea> <textarea type="text" name="senderMessage" cols="80" rows="10" maxlength="10000" required>{$smarty.request.senderMessage|escape|default:""}</textarea>
</fieldset> </fieldset>
<center>{nocache}{$RECAPTCHA|default:""}{/nocache}</center> <center>{nocache}{$RECAPTCHA|default:"" nofilter}{/nocache}</center>
</div> </div>
<footer> <footer>
<div class="submit_link"><input type="submit" class="alt_btn" name="sendMessage" value="Send Email" /></div> <div class="submit_link"><input type="submit" class="alt_btn" name="sendMessage" value="Send Email" /></div>