Added method to get description image of csrf token with name

moved sitewide into options portion of the config option
csrf protection for contact form under sitewide config option
changed register to 1 hour token

public/include/classes/csrftoken.class.php

@@ -35,6 +35,19 @@ class CSRFToken Extends Base {
     return $this->getHash($seed);
   }
   
+  /**
+   * 
+   * @param unknown $dowhat
+   * @return string
+   */
+  public static function getDescriptionImageHTML($dowhat="try") {
+    $string = "<img src='site_assets/mpos/images/questionmark.png' ";
+    $string.= "title='Tokens are used to help us mitigate attacks; Simply ";
+    $string.= htmlentities(strip_tags($dowhat));
+    $string.= " again to continue' width='20px' height='20px'>";
+    return $string;
+  }
+  
   private function getHash($string) {
     return hash('sha256', $this->salty.$string.$this->salt);
   }

public/include/config/global.inc.dist.php

@@ -135,7 +135,7 @@ $config['twofactor']['options']['changepw'] = true;
  *
  * Options:
  *   enabled    =   Whether or not we will generate/check for valid CSRF tokens
- *   sitewide   =   Require a valid CSRF token for all forms, does not override specific form settings
+ *   sitewide   =   Require a valid CSRF token for all forms, does not override form specific settings
  *   leadtime   =   Length of time in seconds to give as leeway between minute switches
  *   login      =   Use and check login-specific CSRF token
  *   register   =   Use and check register-specific CSRF token
@@ -148,7 +148,7 @@ $config['twofactor']['options']['changepw'] = true;
  *   register   =   true
  */
 $config['csrf']['enabled'] = true;
-$config['csrf']['sitewide'] = true;
+$config['csrf']['options']['sitewide'] = true;
 $config['csrf']['options']['leadtime'] = 3;
 $config['csrf']['forms']['login'] = true;
 $config['csrf']['forms']['register'] = true;

public/include/pages/contactform.inc.php

@@ -14,7 +14,11 @@ if ($setting->getValue('disable_contactform')) {
     require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
     $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
   }
-
+  // csrf token
+  if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+    $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact');
+    $smarty->assign('CTOKEN', $token);
+  }
   // Tempalte specifics
   $smarty->assign("CONTENT", "default.tpl");
 }

public/include/pages/contactform/contactform.inc.php

@@ -15,19 +15,31 @@ if ($setting->getValue('recaptcha_enabled')) {
   );
 }
 
+// csrf if enabled
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+  $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH') == $_POST['ctoken']) ? 1 : 0;
+}
+
 if ($setting->getValue('disable_contactform')) {
   $_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
 } else if ($setting->getValue('disable_contactform') && !$user->isAuthenticated(false)) {
   $_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is disabled for guests.', 'TYPE' => 'errormsg');
 } else {
-  // Check if recaptcha is enabled, process form data if valid
-  if($setting->getValue('recaptcha_enabled') && $_POST["recaptcha_response_field"] && $_POST["recaptcha_response_field"]!=''){
+   if ($setting->getValue('recaptcha_enabled') && $_POST["recaptcha_response_field"] && $_POST["recaptcha_response_field"]!=''){
+    // Check if recaptcha is enabled, process form data if valid
     if ($rsp->is_valid) {
-      $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
-      if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
-      $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
+      // Check if csrf is enabled and fail if token is invalid
+      if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
+        $img = $csrftoken->getDescriptionImageHTML();
+        $_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
       } else {
-        $_SESSION['POPUP'][] = array('CONTENT' => 'There was a problem sending your message. Please try again.' . $user->getError(), 'TYPE' => 'errormsg');
+        // csrf is valid or disabled, send
+        $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
+        if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
+          $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
+        } else {
+          $_SESSION['POPUP'][] = array('CONTENT' => 'There was a problem sending your message. Please try again.' . $user->getError(), 'TYPE' => 'errormsg');
+        }
       }
     } else {
       $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), $rsp->error));
@@ -39,9 +51,13 @@ if ($setting->getValue('disable_contactform')) {
     $_SESSION['POPUP'][] = array('CONTENT' => 'Empty Captcha, please try again.', 'TYPE' => 'errormsg');
     // Captcha disabled
   } else {
-      if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
+    // Check if csrf is enabled and fail if token is invalid
+    if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+      $img = $csrftoken->getDescriptionImageHTML();
+      $_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
+    } else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
       $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
-      } else {
+    } else {
       $_SESSION['POPUP'][] = array('CONTENT' => 'There was a problem sending your message. Please try again. ' . $user->getError(), 'TYPE' => 'errormsg');
     }
   }
@@ -49,5 +65,9 @@ if ($setting->getValue('disable_contactform')) {
 
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
-
+// csrf token
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+  $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH');
+  $smarty->assign('CTOKEN', $token);
+}
 ?>

public/include/pages/register/register.inc.php

@@ -29,7 +29,7 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
 } else {
   // Check if csrf is enabled and fail if token is invalid
   if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
-    $img = "<img src='site_assets/mpos/images/questionmark.png' title='Tokens are used to help us mitigate attacks; Simply login again to continue' width='20px' height='20px'>";
+    $img = $csrftoken->getDescriptionImageHTML('register');
     $_SESSION['POPUP'][] = array('CONTENT' => "Register token expired, please try again $img", 'TYPE' => 'info');
   } else if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
     // Check if recaptcha is enabled, process form data if valid or disabled

public/templates/mpos/contactform/contactform/default.tpl

@@ -1 +1,30 @@
-
+<form action="{$smarty.server.SCRIPT_NAME}" method="post">
+  <input type="hidden" name="page" value="{$smarty.request.page|escape}">
+  <input type="hidden" name="action" value="contactform">
+  {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN}" />{/if}
+    <article class="module width_3_quarter">
+    <header><h3>Contact Us</h3></header>
+    <div class="module_content">
+      <fieldset>
+        <label for="senderName">Your Name</label>
+        <input type="text" class="text tiny" name="senderName" value="" placeholder="Please type your name" size="15" maxlength="100" required />
+      </fieldset>
+      <fieldset>
+        <label for="senderEmail">Your Email Address</label>
+        <input type="text" class="text tiny" name="senderEmail" value="" placeholder="Please type your email" size="50"  maxlength="100" required />
+      </fieldset>
+      <fieldset>
+        <label for="senderEmail">Your Subject</label>
+        <input type="text" class="text tiny" name="senderSubject" value="{$smarty.request.senderSubject|escape|default:""}" placeholder="Please type your subject" size="15" maxlength="100" required />
+      </fieldset>
+      <fieldset>
+        <label for="message">Your Message</label>
+        <textarea type="text" name="senderMessage" cols="80" rows="10" maxlength="10000" required>{$smarty.request.senderMessage|escape|default:""}</textarea>
+      </fieldset>
+      <center>{nocache}{$RECAPTCHA|default:""}{/nocache}</center>
+    </div>
+    <footer>
+      <div class="submit_link"><input type="submit" class="alt_btn" name="sendMessage" value="Send Email" /></div>
+    </footer>
+  </article>
+</form>

public/templates/mpos/contactform/default.tpl

@@ -1,6 +1,7 @@
 <form action="{$smarty.server.SCRIPT_NAME}" method="post">
   <input type="hidden" name="page" value="{$smarty.request.page|escape}">
   <input type="hidden" name="action" value="contactform">
+  {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN}" />{/if}
     <article class="module width_3_quarter">
     <header><h3>Contact Us</h3></header>
     <div class="module_content">