From bd2999526edd763546e8bced5378e8b46a50ee54 Mon Sep 17 00:00:00 2001
From: xisi
Date: Sat, 18 Jan 2014 16:53:28 -0500
Subject: [PATCH] fixed mobile templates, have not tested as they use same methods as main template fixed change pw templates; added csrf token added csrf protection for password reset fixed reset and change pass templates; were missing csrf token (form only tpl)
---
 public/include/pages/password.inc.php | 6 ++++
 public/include/pages/password/change.inc.php | 31 +++++++++++++++----
 public/include/pages/password/reset.inc.php | 27 +++++++++++++---
 .../mobile/password/change/default.tpl | 1 +
 public/templates/mobile/password/default.tpl | 1 +
 .../templates/mpos/account/edit/default.tpl | 2 +-
 .../mpos/password/change/default.tpl | 21 +++++++++++--
 public/templates/mpos/password/default.tpl | 1 +
 8 files changed, 75 insertions(+), 15 deletions(-)
diff --git a/public/include/pages/password.inc.php b/public/include/pages/password.inc.php
index aecab054..a33a06e5 100644
--- a/public/include/pages/password.inc.php
+++ b/public/include/pages/password.inc.php
@@ -4,6 +4,12 @@
 if (!defined('SECURITY')) die('Hacking attempt');
+// csrf token
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+ // we have to use editaccount token because this can be called from 2 places
+ $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
+ $smarty->assign('CTOKEN', $token);
+}
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
 ?>
diff --git a/public/include/pages/password/change.inc.php b/public/include/pages/password/change.inc.php
index d8815b1d..263e20f7 100644
--- a/public/include/pages/password/change.inc.php
+++ b/public/include/pages/password/change.inc.php
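Review bot: The CTOKEN assigned in the new `if` block is the generic `'editaccount'` token keyed only on `$user->getCurrentIP()` and the `'mdyH'` hour bucket, so one value is accepted by the account-edit page and by both password handlers for the rest of the hour, and this reset form is served to visitors who are not logged in. What `getBasic()` mixes in beyond those three arguments is not visible in this hunk, so how much that sharing widens replay is unclear; if the helper supports it, a dedicated purpose label for the password flow would keep a token harvested from one form from being replayed against another. The comment on the new block should at least name the two call sites it refers to, e.g. `// shared purpose: this handler is reached from <page A> and <page B>`, so the next maintainer knows why the scope cannot simply be narrowed.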
@@ -4,13 +4,32 @@
 if (!defined('SECURITY')) die('Hacking attempt');
-if (isset($_POST['do']) && $_POST['do'] == 'resetPassword') {
- if ($user->resetPassword($_POST['token'], $_POST['newPassword'], $_POST['newPassword2'])) {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Password reset complete! Please login.', 'TYPE' => 'success');
- } else {
- $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
- }
+// csrf stuff
+$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
+if ($csrfenabled) {
+ // we have to use editaccount token because this can be called from 2 separate places
+ $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
 }
+
+if (!$csrfenabled || $csrfenabled && $nocsrf) {
+ if (isset($_POST['do']) && $_POST['do'] == 'resetPassword') {
+ if ($user->resetPassword($_POST['token'], $_POST['newPassword'], $_POST['newPassword2'])) {
+ $_SESSION['POPUP'][] = array('CONTENT' => 'Password reset complete! Please login.', 'TYPE' => 'success');
+ } else {
+ $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
+ }
+ }
+} else {
+ $img = $csrftoken->getDescriptionImageHTML();
+ $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
+}
+
+// csrf token
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+ $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
+ $smarty->assign('CTOKEN', $token);
+}
+
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
diff --git a/public/include/pages/password/reset.inc.php b/public/include/pages/password/reset.inc.php
index cefab0ac..3c05b07e 100644
--- a/public/include/pages/password/reset.inc.php
+++ b/public/include/pages/password/reset.inc.php
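Review bot: With csrf enabled, a request to the change page that carries no POST now lands in the new `else` branch, because the `$nocsrf` comparison runs before the `isset($_POST['do'])` test and there is no `ctoken` field on such a request; the old guard on `$_POST['do']` shows the page is reached that way (presumably the link from the reset mail), so the visitor is told "Page token expired" before submitting anything. The comparison itself is also loose: `==` between two strings that both look numeric (two hex digests beginning with `0e`, for instance) compares them as numbers, and `@$_POST['ctoken']` hides the missing-field case rather than handling it. Moving the token check inside the POST branch and comparing with `===` (or `hash_equals()` where the runtime provides it) fixes both, and `$nocsrf` is a misleading name for "token matched"; the file continues past this hunk.
```php
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
if (isset($_POST['do']) && $_POST['do'] == 'resetPassword') {
  $sent = isset($_POST['ctoken']) ? (string)$_POST['ctoken'] : '';
  $expected = $csrfenabled ? $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') : '';
  if (!$csrfenabled || $expected === $sent) {
    // … unchanged: resetPassword() call and its success/errormsg popups …
  } else {
    $img = $csrftoken->getDescriptionImageHTML();
    $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
  }
}
// … unchanged: CTOKEN assignment and template specifics …
```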
@@ -3,13 +3,30 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
-// Process password reset request
-if ($user->initResetPassword($_POST['username'], $smarty)) {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mail account to finish your password reset', 'TYPE' => 'success');
-} else {
- $_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg');
+// csrf stuff
+$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
+if ($csrfenabled) {
+ // we have to use editaccount token because this can be called from 2 separate places
+ $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
 }
+// Process password reset request
+if (!$csrfenabled || $csrfenabled && $nocsrf) {
+ if ($user->initResetPassword($_POST['username'], $smarty)) {
+ $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mail account to finish your password reset', 'TYPE' => 'success');
+ } else {
+ $_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg');
+ }
+} else {
+ $img = $csrftoken->getDescriptionImageHTML();
+ $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
+}
+
+// csrf token
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+ $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
+ $smarty->assign('CTOKEN', $token);
+}
 // Tempalte specifics, user default template by parent page
 $smarty->assign("CONTENT", "../default.tpl");
 ?>
diff --git a/public/templates/mobile/password/change/default.tpl b/public/templates/mobile/password/change/default.tpl
index 01db0d84..ecf7b987 100644
--- a/public/templates/mobile/password/change/default.tpl
+++ b/public/templates/mobile/password/change/default.tpl
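Review bot: The token check on the `$nocsrf` line uses `==` against `@$_POST['ctoken']`; loose comparison of two numeric-looking strings (two hex digests beginning with `0e`, for instance) is a numeric comparison, and the `@` only silences the absent-field notice instead of treating an absent field as a failed check. `$nocsrf` is also left undefined when csrf is off, so the guard below depends on `||` short-circuiting to avoid reading it. Initialising it and comparing strictly closes both: `$nocsrf = 0;` before the `if ($csrfenabled)`, and inside it `$nocsrf = (isset($_POST['ctoken']) && $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') === (string)$_POST['ctoken']) ? 1 : 0;` (`hash_equals()` where the runtime provides it). The `initResetPassword($_POST['username'], $smarty)` call on the new side is still reached with no check that `username` was posted, as it was before this change.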
@@ -2,6 +2,7 @@
+ {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}
diff --git a/public/templates/mobile/password/default.tpl b/public/templates/mobile/password/default.tpl
index b4af5660..a2fe5131 100644
--- a/public/templates/mobile/password/default.tpl
+++ b/public/templates/mobile/password/default.tpl
@@ -1,6 +1,7 @@
+{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}
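Review bot: The added `{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}` line in the mobile change template sits outside any `{nocache}` block, whereas the mpos change template in this same patch emits its token inside `{nocache}…{/nocache}` and the account-edit template already uses that wrapper. The token is bucketed by hour (`'mdyH'`), so if Smarty caching is on for this template a cached page would carry a stale token and every submission would hit the "Page token expired" branch; the markup inside the `{if}` is not preserved in this view, so confirm what it actually emits. Wrapping it the same way, `{nocache}{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}{/nocache}`, keeps the templates consistent and matches the commit's own note that the mobile templates were not tested.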

If you have an email set for your account, enter your username to get your password reset

diff --git a/public/templates/mpos/account/edit/default.tpl b/public/templates/mpos/account/edit/default.tpl index 5baac533..23f60066 100644 --- a/public/templates/mpos/account/edit/default.tpl +++ b/public/templates/mpos/account/edit/default.tpl @@ -147,7 +147,7 @@ {nocache}{/nocache}
- + {nocache}{/nocache}
diff --git a/public/templates/mpos/password/change/default.tpl b/public/templates/mpos/password/change/default.tpl
index 19960b9b..f22815bf 100644
--- a/public/templates/mpos/password/change/default.tpl
+++ b/public/templates/mpos/password/change/default.tpl
@@ -3,6 +3,8 @@
+ {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}
+

Password reset

@@ -17,9 +19,22 @@
- + {nocache} + + {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if} + + {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw} + {if $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 1} + + {elseif $CHANGEPASSSENT == 0 && $CHANGEPASSUNLOCKED == 1 || $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 0} + + {elseif $CHANGEPASSSENT == 0 && $CHANGEPASSUNLOCKED == 0} + + {/if} + {else} + + {/if} + {/nocache}
diff --git a/public/templates/mpos/password/default.tpl b/public/templates/mpos/password/default.tpl
index 825770b0..36505402 100644
--- a/public/templates/mpos/password/default.tpl
+++ b/public/templates/mpos/password/default.tpl
@@ -2,6 +2,7 @@
+ {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}

Password reset

If you have an email set for your account, enter your username to get your password reset

New Password: