From 58529547e0d050648186d66523ce74fbddafbbe4 Mon Sep 17 00:00:00 2001
From: xisi
Date: Thu, 16 Jan 2014 23:48:38 -0500
Subject: [PATCH] Cleaned up logic of login page csrf protection added csrf protection to register page
---
 public/include/config/global.inc.dist.php | 3 +++
 public/include/pages/login.inc.php | 8 +++++---
 public/include/pages/register.inc.php | 2 +-
 .../include/pages/register/register.inc.php | 19 +++++++++++++++++--
 public/templates/mpos/register/default.tpl | 1 +
 5 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/public/include/config/global.inc.dist.php b/public/include/config/global.inc.dist.php
index b5e1ef0d..faf09b19 100644
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
@@ -138,17 +138,20 @@ $config['twofactor']['options']['changepw'] = true;
 * sitewide = Require a valid CSRF token for all forms, does not override specific form settings
 * leadtime = Length of time in seconds to give as leeway between minute switches
 * login = Use and check login-specific CSRF token
+ * register = Use and check register-specific CSRF token
 *
 * Default:
 * enabled = true
 * sitewide = true
 * leadtime = 3
 * login = true
+ * register = true
 */
 $config['csrf']['enabled'] = true;
 $config['csrf']['sitewide'] = true;
 $config['csrf']['options']['leadtime'] = 3;
 $config['csrf']['forms']['login'] = true;
+$config['csrf']['forms']['register'] = true;
 
 /**
 * Lock account after maximum failed logins
diff --git a/public/include/pages/login.inc.php b/public/include/pages/login.inc.php
index 8559fa7d..57005c7d 100644
--- a/public/include/pages/login.inc.php
+++ b/public/include/pages/login.inc.php
@@ -21,6 +21,11 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
 }
 }
 
+// csrf if enabled
+if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) {
+ $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0;
+}
+
 if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST['username']))) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'You are not allowed to login during maintenace.', 'TYPE' => 'info');
 } else if (!empty($_POST['username']) && !empty($_POST['password'])) {
@@ -52,9 +57,6 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST
 } else {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
 }
- } else if ($nocsrf == 0) {
- $img = "";
- $_SESSION['POPUP'][] = array('CONTENT' => "Login token expired, please try again $img", 'TYPE' => 'info');
 }
 }
 // Load login template
diff --git a/public/include/pages/register.inc.php b/public/include/pages/register.inc.php
index e05ffa7b..4ae62a6a 100644
--- a/public/include/pages/register.inc.php
+++ b/public/include/pages/register.inc.php
@@ -18,7 +18,7 @@ if ($setting->getValue('lock_registration') && $setting->getValue('disable_invit
 $smarty->assign("CONTENT", "default.tpl");
 // csrf token
 if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
- $token = $csrftoken->getBasic($user->getCurrentIP(), 'register');
+ $token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH');
 $smarty->assign('CTOKEN', $token);
 }
 }
diff --git a/public/include/pages/register/register.inc.php b/public/include/pages/register/register.inc.php
index 7090a1c4..30f088ec 100644
--- a/public/include/pages/register/register.inc.php
+++ b/public/include/pages/register/register.inc.php
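Review bot: The `$nocsrf` assignment added in the first hunk compares the server-side token with `@$_POST['ctoken']` using loose `==`; if getBasic() yields a digest-style string, PHP's numeric-string comparison can treat unrelated values as equal, so the compare should be strict and constant-time: `$nocsrf = hash_equals((string) $csrftoken->getBasic($user->getCurrentIP(), 'login'), isset($_POST['ctoken']) ? (string) $_POST['ctoken'] : '') ? 1 : 0;` (plain `===` is the minimum on a PHP without hash_equals()). The same loose comparison is in the first hunk of public/include/pages/register/register.inc.php. `$nocsrf` is also never assigned when CSRF is disabled for the login form, so any later `$nocsrf` read trips an undefined-variable notice; an `else { $nocsrf = 1; }` on the same `if` keeps the disabled case explicit. The second hunk removes the `else if ($nocsrf == 0)` branch and no remaining line in either hunk reads `$nocsrf`; if the check now lives in the lines between the two hunks that is fine, otherwise the token is computed but never enforced, which the commit message does not make clear.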
@@ -14,6 +14,12 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
 );
 $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), $rsp->error, true));
 if (!$rsp->is_valid) $_SESSION['POPUP'][] = array('CONTENT' => 'Invalid Captcha, please try again.', 'TYPE' => 'errormsg');
+ $recaptcha = ($rsp->isvalid) ? 1 : 0;
+}
+
+// csrf if enabled
+if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
+ $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == $_POST['ctoken']) ? 1 : 0;
 }
 
 if ($setting->getValue('disable_invitations') && $setting->getValue('lock_registration')) {
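Review bot: `$recaptcha = ($rsp->isvalid) ? 1 : 0;` reads a property spelled `isvalid`, while the line directly above tests `$rsp->is_valid`, so `$recaptcha` is always 0 (and raises an undefined-property notice); it should read `$recaptcha = ($rsp->is_valid) ? 1 : 0;`. Nothing in this file's hunks consumes `$recaptcha` — the later recaptcha branch still tests `$rsp->is_valid` directly — so either wire it into that branch or drop the line. The `$nocsrf` assignment reads `$_POST['ctoken']` without an isset guard, unlike the login page's `@$_POST['ctoken']`; a missing field should fail the compare quietly, e.g. `isset($_POST['ctoken']) ? $_POST['ctoken'] : ''`. The recaptcha `if` block that the first added lines close starts above this hunk.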
@@ -21,8 +27,12 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
 } else if ($setting->getValue('lock_registration') && !$setting->getValue('disable_invitations') && !isset($_POST['token'])) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Only invited users are allowed to register.', 'TYPE' => 'errormsg');
 } else {
- // Check if recaptcha is enabled, process form data if valid or disabled
- if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
+ // Check if csrf is enabled and fail if token is invalid
+ if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
+ $img = "";
+ $_SESSION['POPUP'][] = array('CONTENT' => "Register token expired, please try again $img", 'TYPE' => 'info');
+ } else if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
+ // Check if recaptcha is enabled, process form data if valid or disabled
 isset($_POST['token']) ? $token = $_POST['token'] : $token = '';
 if ($user->register(@$_POST['username'], @$_POST['password1'], @$_POST['password2'], @$_POST['pin'], @$_POST['email1'], @$_POST['email2'], @$_POST['tac'], $token)) {
 ! $setting->getValue('accounts_confirm_email_disabled') ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
@@ -34,4 +44,9 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
 // We load the default registration template instead of an action specific one
 $smarty->assign("CONTENT", "../default.tpl");
 
+// csrf token
+if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
+ $token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH');
+ $smarty->assign('CTOKEN', $token);
+}
 ?>
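Review bot: In the new `if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register'])` the `!$nocsrf` operand is evaluated first, so whenever CSRF is disabled or the register flag is off `$nocsrf` was never assigned and every registration attempt reads an undefined variable before the config check short-circuits; reordering to `if ($config['csrf']['enabled'] && $config['csrf']['forms']['register'] && !$nocsrf) {` avoids the notice and reads as "enforce only when enabled". The rejection branch pushes a popup of type 'info' while the invalid-captcha and invited-only rejections in the same file use 'errormsg'; a rejected token is a failed submission and should carry the same type so the UI treats it consistently. The `else if` that follows still tests `$rsp->is_valid` directly rather than the `$recaptcha` flag introduced in the first hunk, so one of the two is redundant. The enclosing `else` block continues past the end of this hunk.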
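Review bot: The CTOKEN value assigned for the re-rendered form is recomputed from the client IP, the form name and the 'mdyH' date format, and the check in the first hunk recomputes it the same way rather than looking up a stored value, so the token appears to be a deterministic function of IP plus the current hour; if getBasic() does not mix in a per-session or server secret, every client behind the same NAT receives the same token for that hour, and a form opened shortly before the hour boundary is rejected as "expired". Whether the `leadtime` leeway documented for minute switches in global.inc.dist.php also applies to the hour format depends on getBasic(), which is outside this diff. At minimum the window deserves a comment above this block, e.g. `// token is derived from client IP and the current hour ('mdyH'); it must match the format used in the check above`, and a session-bound token is the stronger option if the library offers one.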
diff --git a/public/templates/mpos/register/default.tpl b/public/templates/mpos/register/default.tpl
index d60f2209..2eb2b984 100644
--- a/public/templates/mpos/register/default.tpl
+++ b/public/templates/mpos/register/default.tpl
@@ -7,6 +7,7 @@
 {if $smarty.request.token|default:""} {/if}
+{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.register}{/if}