Changed the config options for CSRF/disabling forms
* Now an array to disable with granularity * Fixed all CSRF tokens back to 1 min * Added CSRF protection for unlock account * Unified error message for all csrf tokens * Fixed a few issues with last commit
This commit is contained in:
xisi
parent
163e5de1f0
commit
76a67cb71a
@ -19,9 +19,8 @@ class CSRFToken Extends Base {
|
||||
$hour = $data[3]; $minute = $data[4]; $second = $data[5];
|
||||
$salt1 = $this->salt; $salt2 = $this->salty; $seed = $salt1;
|
||||
$lead = $this->config['csrf']['leadtime'];
|
||||
if ($lead >= 11) { $lead = 10; }
|
||||
if ($lead <= 0) { $lead = 3; }
|
||||
if ($minute == 59 && $second > (60-$lead)) {
|
||||
$lead_sec = ($lead <= 11 && $lead >= 0) ? $lead : 3;
|
||||
if ($minute == 59 && $second > (60-$lead_sec)) {
|
||||
$minute = 0;
|
||||
$fhour = ($hour == 23) ? $hour = 0 : $hour+=1;
|
||||
}
|
||||
@ -36,9 +35,17 @@ class CSRFToken Extends Base {
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the HTML image (?) with short csrf description for users for the incorrect
|
||||
* token error message
|
||||
* @param dowhat string What will be put in the string "Simply $dowhat again to..."
|
||||
* Convenience method to get a token expired message with a token type, and ? image with description
|
||||
* @param string $tokentype if you want a specific tokentype, set it here
|
||||
* @param string $dowhat What will be put in the string "Simply $dowhat again to...", default is try
|
||||
*/
|
||||
public static function getErrorWithDescriptionHTML($tokentype="", $dowhat="try") {
|
||||
return ($tokentype !== "") ? "$tokentype token expired, please try again ".self::getDescriptionImageHTML($dowhat) : "Token expired, please try again ".self::getDescriptionImageHTML($dowhat);
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the HTML image (?) with short csrf description for users for the incorrect token error message
|
||||
* @param dowhat string What will be put in the string "Simply $dowhat again to...", default is try
|
||||
* @return string HTML image with description
|
||||
*/
|
||||
public static function getDescriptionImageHTML($dowhat="try") {
|
||||
|
||||
@ -134,23 +134,19 @@ $config['twofactor']['options']['changepw'] = true;
|
||||
* form is submitted.
|
||||
*
|
||||
* Options:
|
||||
* enabled = Whether or not we will generate/check for valid CSRF tokens
|
||||
* sitewide = Require a valid CSRF token for most* forms, does not override form specific settings
|
||||
* * contact, account edit, workers, notifications, invites, registration, passsword resets
|
||||
* login = Use and check login-specific CSRF token
|
||||
* leadtime = Length of time in seconds to give as leeway between minute switches
|
||||
* * Don't change this unless you know why you're changing it
|
||||
*
|
||||
* enabled = Whether or not we will generate/check for valid CSRF tokens
|
||||
* leadtime = Length of time in seconds to give as leeway between minute switches
|
||||
* * Don't change this unless you know why you're changing it
|
||||
* disabled_forms = Which forms you want to disable csrf protection on, if enabled
|
||||
* * Valid options : contact, accountedit, workers, notifications, invite, register, passreset, unlockaccount
|
||||
* Default:
|
||||
* enabled = true
|
||||
* sitewide = true
|
||||
* login = true
|
||||
* leadtime = 3
|
||||
* enabled = true
|
||||
* leadtime = 3
|
||||
* disabled_forms = array();
|
||||
*/
|
||||
$config['csrf']['enabled'] = true;
|
||||
$config['csrf']['options']['sitewide'] = true;
|
||||
$config['csrf']['forms']['login'] = true;
|
||||
$config['csrf']['leadtime'] = 3;
|
||||
$config['csrf']['disabled_forms'] = array();
|
||||
|
||||
/**
|
||||
* Lock account after maximum failed logins
|
||||
|
||||
@ -14,7 +14,7 @@ $oldtoken_wf = (isset($_POST['wf_token']) && $_POST['wf_token'] !== '') ? $_POST
|
||||
$updating = (@$_POST['do']) ? 1 : 0;
|
||||
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('accountedit', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']) ? 1 : 0;
|
||||
}
|
||||
@ -77,8 +77,7 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
}
|
||||
else {
|
||||
@ -98,8 +97,7 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@ -119,8 +117,7 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $iPayoutId->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
} else {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'You already have one active manual payout request.', 'TYPE' => 'errormsg');
|
||||
@ -139,8 +136,7 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Failed to update your account: ' . $user->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
break;
|
||||
|
||||
@ -152,8 +148,7 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
break;
|
||||
}
|
||||
@ -198,7 +193,7 @@ $smarty->assign("DETAILSUNLOCKED", $ea_editable);
|
||||
$smarty->assign("CHANGEPASSSENT", $cp_sent);
|
||||
$smarty->assign("WITHDRAWSENT", $wf_sent);
|
||||
$smarty->assign("DETAILSSENT", $ea_sent);
|
||||
if ($csrfenabled) {
|
||||
if ($csrfenabled && !in_array('accountedit', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
|
||||
@ -6,9 +6,9 @@ if (!defined('SECURITY')) die('Hacking attempt');
|
||||
if ($user->isAuthenticated()) {
|
||||
if (!$setting->getValue('disable_invitations')) {
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('invitations', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations') == @$_POST['ctoken']) ? 1 : 0;
|
||||
}
|
||||
if ($invitation->getCountInvitations($_SESSION['USERDATA']['id']) >= $config['accounts']['invitations']['count']) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'You have exceeded the allowed invitations of ' . $config['accounts']['invitations']['count'], 'TYPE' => 'errormsg');
|
||||
@ -20,8 +20,7 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to send invitation to recipient: ' . $invitation->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Invitation token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
}
|
||||
$aInvitations = $invitation->getInvitations($_SESSION['USERDATA']['id']);
|
||||
@ -32,8 +31,8 @@ if ($user->isAuthenticated()) {
|
||||
}
|
||||
}
|
||||
// csrf token
|
||||
if ($csrfenabled) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH');
|
||||
if ($csrfenabled && !in_array('invitations', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
$smarty->assign('CONTENT', 'default.tpl');
|
||||
|
||||
@ -8,9 +8,9 @@ if ($user->isAuthenticated()) {
|
||||
$smarty->assign('CONTENT', 'empty');
|
||||
} else {
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('notifications', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editnotifs') == @$_POST['ctoken']) ? 1 : 0;
|
||||
}
|
||||
|
||||
if (@$_REQUEST['do'] == 'save') {
|
||||
@ -21,8 +21,7 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $notification->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Notification token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
}
|
||||
|
||||
@ -34,8 +33,8 @@ if ($user->isAuthenticated()) {
|
||||
$aSettings = $notification->getNotificationSettings($_SESSION['USERDATA']['id']);
|
||||
|
||||
// csrf token
|
||||
if ($csrfenabled) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH');
|
||||
if ($csrfenabled && !in_array('notifications', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
$smarty->assign('NOTIFICATIONS', $aNotifications);
|
||||
|
||||
@ -3,18 +3,33 @@
|
||||
// Make sure we are called from index.php
|
||||
if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('unlockaccount', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'unlockaccount') == @$_POST['ctoken']) ? 1 : 0;
|
||||
}
|
||||
|
||||
// Confirm an account by token
|
||||
if (!isset($_GET['token']) || empty($_GET['token'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Missing token', 'TYPE' => 'errormsg');
|
||||
} else if (!$aToken = $oToken->getToken($_GET['token'], 'account_unlock')) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to re-activate your account. Invalid token.', 'TYPE' => 'errormsg');
|
||||
} else {
|
||||
if ($user->setUserFailed($aToken['account_id'], 0) && $user->setUserPinFailed($aToken['account_id'], 0) && $user->changeLocked($aToken['account_id'])) {
|
||||
$oToken->deleteToken($aToken['token']);
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Account re-activated. Please login.');
|
||||
if (!$csrfenabled || $csrfenabled && !$nocsrf) {
|
||||
if ($user->setUserFailed($aToken['account_id'], 0) && $user->setUserPinFailed($aToken['account_id'], 0) && $user->changeLocked($aToken['account_id'])) {
|
||||
$oToken->deleteToken($aToken['token']);
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Account re-activated. Please login.');
|
||||
} else {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Failed to re-activate account. Contact site support.', 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Failed to re-activate account. Contact site support.', 'TYPE' => 'errormsg');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
}
|
||||
// csrf token
|
||||
if ($csrfenabled && !in_array('unlockaccount', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'unlockaccount');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
$smarty->assign('CONTENT', 'default.tpl');
|
||||
?>
|
||||
|
||||
@ -4,9 +4,9 @@ if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
if ($user->isAuthenticated()) {
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('workers', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'workers') == @$_POST['ctoken']) ? 1 : 0;
|
||||
}
|
||||
|
||||
switch (@$_REQUEST['do']) {
|
||||
@ -25,8 +25,7 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
break;
|
||||
case 'update':
|
||||
@ -37,8 +36,7 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
break;
|
||||
}
|
||||
@ -49,8 +47,8 @@ if ($user->isAuthenticated()) {
|
||||
$smarty->assign('WORKERS', $aWorkers);
|
||||
}
|
||||
// csrf token
|
||||
if ($csrfenabled) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH');
|
||||
if ($csrfenabled && !in_array('workers', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'workers');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
$smarty->assign('CONTENT', 'default.tpl');
|
||||
|
||||
@ -15,7 +15,7 @@ if ($setting->getValue('disable_contactform')) {
|
||||
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
|
||||
}
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
|
||||
if ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'contact');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
|
||||
@ -3,7 +3,6 @@
|
||||
// Make sure we are called from index.php
|
||||
if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
|
||||
if ($setting->getValue('recaptcha_enabled')) {
|
||||
// Load re-captcha specific data
|
||||
require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
|
||||
@ -16,9 +15,9 @@ if ($setting->getValue('recaptcha_enabled')) {
|
||||
}
|
||||
|
||||
// csrf if enabled
|
||||
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact') == @$_POST['ctoken']) ? 1 : 0;
|
||||
}
|
||||
|
||||
if ($setting->getValue('disable_contactform')) {
|
||||
@ -31,8 +30,7 @@ if ($setting->getValue('disable_contactform')) {
|
||||
if ($rsp->is_valid) {
|
||||
// Check if csrf is enabled and fail if token is invalid
|
||||
if (!$nocsrf && $csrfenabled) {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
} else {
|
||||
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
|
||||
if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
|
||||
@ -53,8 +51,7 @@ if ($setting->getValue('disable_contactform')) {
|
||||
} else {
|
||||
// Check if csrf is enabled and fail if token is invalid
|
||||
if (!$nocsrf && $csrfenabled) {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
} else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
|
||||
} else {
|
||||
@ -64,8 +61,8 @@ if ($setting->getValue('disable_contactform')) {
|
||||
}
|
||||
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH');
|
||||
if ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'contact');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
// Tempalte specifics
|
||||
|
||||
@ -23,7 +23,7 @@ if (!$smarty->isCached('master.tpl', $smarty_cache_key)) {
|
||||
$debug->append('Using cached page', 3);
|
||||
}
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) {
|
||||
if ($config['csrf']['enabled'] && !in_array('login', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'login');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
// csrf if enabled
|
||||
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) ? 1 : 0;
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('login', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0;
|
||||
}
|
||||
@ -59,13 +59,11 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
// csrf enabled and invalid csrf token
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Login token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
}
|
||||
// csrf token
|
||||
if ($csrfenabled) {
|
||||
if ($csrfenabled && !in_array('login', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'login');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
|
||||
@ -7,5 +7,4 @@ if (!defined('SECURITY'))
|
||||
// This probably (?) never fails
|
||||
$user->logoutUser();
|
||||
$smarty->assign("CONTENT", "default.tpl");
|
||||
// header('Location: index.php?page=home');
|
||||
?>
|
||||
|
||||
@ -5,8 +5,8 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'resetaccount');
|
||||
if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'resetpass');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
// Tempalte specifics
|
||||
|
||||
@ -5,9 +5,9 @@ if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
// we have to use editaccount token because this can be called from 2 separate places
|
||||
// we have to use editaccount token because this that's where we'll get pushed here from
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']) ? 1 : 0;
|
||||
}
|
||||
|
||||
@ -20,12 +20,11 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
|
||||
if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
|
||||
@ -4,9 +4,9 @@
|
||||
if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'resetaccount') == @$_POST['ctoken']) ? 1 : 0;
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'resetpass') == @$_POST['ctoken']) ? 1 : 0;
|
||||
}
|
||||
|
||||
// Process password reset request
|
||||
@ -17,13 +17,12 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML();
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'resetaccount');
|
||||
if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'resetpass');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
// Tempalte specifics, user default template by parent page
|
||||
|
||||
@ -15,8 +15,8 @@ if ($setting->getValue('lock_registration') && $setting->getValue('disable_invit
|
||||
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), null, true));
|
||||
}
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH');
|
||||
if ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
// Load news entries for Desktop site and unauthenticated users
|
||||
|
||||
@ -18,9 +18,9 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
|
||||
}
|
||||
|
||||
// csrf if enabled
|
||||
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == $_POST['ctoken']) ? 1 : 0;
|
||||
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register') == $_POST['ctoken']) ? 1 : 0;
|
||||
}
|
||||
|
||||
if ($setting->getValue('disable_invitations') && $setting->getValue('lock_registration')) {
|
||||
@ -40,16 +40,15 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$img = $csrftoken->getDescriptionImageHTML('register');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => "Register token expired, please try again $img", 'TYPE' => 'info');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
}
|
||||
|
||||
// We load the default registration template instead of an action specific one
|
||||
$smarty->assign("CONTENT", "../default.tpl");
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH');
|
||||
if ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
?>
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
<form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm" data-ajax="false">
|
||||
<input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" />
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.login}<input type="hidden" name="ctoken" value="{$CTOKEN}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"login"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<p><label for="userForm">Email</label><input type="text" name="username" value="" id="userForm"></p>
|
||||
<p><label for="passForm">Password</label><input type="password" name="password" value="" id="passForm"></p>
|
||||
<center>{nocache}{$RECAPTCHA|default:"" nofilter}{/nocache}</center>
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
<input type="hidden" name="token" value="{$smarty.request.token|escape}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"editaccount"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="do" value="useToken">
|
||||
<table>
|
||||
<tr><td>New Password: </td><td><input type="password" name="newPassword"></td></tr>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<form action="" method="POST">
|
||||
<input type="hidden" name="page" value="password">
|
||||
<input type="hidden" name="action" value="reset">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<p>If you have an email set for your account, enter your username to get your password reset</p>
|
||||
<p><input type="text" value="{$smarty.post.username|escape|default:""}" name="username" required><input class="submit small" type="submit" value="Reset"></p>
|
||||
</form>
|
||||
|
||||
@ -56,7 +56,7 @@
|
||||
<footer>
|
||||
<div class="submit_link">
|
||||
{nocache}
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ea_token" value="{$smarty.request.ea_token|escape|default:""}">
|
||||
<input type="hidden" name="utype" value="account_edit">
|
||||
{if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.details}
|
||||
@ -106,7 +106,7 @@
|
||||
<div class="submit_link">
|
||||
{nocache}
|
||||
<input type="hidden" name="wf_token" value="{$smarty.request.wf_token|escape|default:""}">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="utype" value="withdraw_funds">
|
||||
{if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.withdraw}
|
||||
{if $WITHDRAWSENT == 1 && $WITHDRAWUNLOCKED == 1}
|
||||
@ -159,7 +159,7 @@
|
||||
<div class="submit_link">
|
||||
{nocache}
|
||||
<input type="hidden" name="cp_token" value="{$smarty.request.cp_token|escape|default:""}">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="utype" value="change_pw">
|
||||
{if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw}
|
||||
{if $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 1}
|
||||
@ -183,7 +183,7 @@
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="genPin">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"editaccount"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<article class="module width_half">
|
||||
<header>
|
||||
<h3>Reset PIN</h3>
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="sendInvitation">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"invite"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<article class="module width_quarter">
|
||||
<header><h3>Invitation</h3></header>
|
||||
<div class="module_content">
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="save">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"notifications"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<article class="module width_quarter">
|
||||
<header>
|
||||
<h3>Notification Settings</h3>
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="add">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"workers"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<div class="module_content">
|
||||
<fieldset>
|
||||
<label>Worker Name</label>
|
||||
@ -30,7 +30,7 @@
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="update">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"workers"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<table class="tablesorter" cellspacing="0">
|
||||
<thead>
|
||||
<tr>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<form action="{$smarty.server.SCRIPT_NAME}" method="post">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="contactform">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"contact"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<article class="module width_3_quarter">
|
||||
<header><h3>Contact Us</h3></header>
|
||||
<div class="module_content">
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<form action="{$smarty.server.SCRIPT_NAME}" method="post">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="contactform">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"contact"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<article class="module width_3_quarter">
|
||||
<header><h3>Contact Us</h3></header>
|
||||
<div class="module_content">
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<article class="module width_half">
|
||||
<form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm">
|
||||
<input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" />
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.login}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"login"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<header><h3>Login with existing account</h3></header>
|
||||
<div class="module_content">
|
||||
<fieldset>
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
<form action="" method="POST">
|
||||
<input type="hidden" name="page" value="password">
|
||||
<input type="hidden" name="action" value="reset">
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<header><h3>Password reset</h3></header>
|
||||
<div class="module_content">
|
||||
<p>If you have an email set for your account, enter your username to get your password reset</p>
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
{if $smarty.request.token|default:""}
|
||||
<input type="hidden" name="token" value="{$smarty.request.token|escape}" />
|
||||
{/if}
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"register"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="action" value="register">
|
||||
<fieldset>
|
||||
<label>Username</label>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user