diff --git a/public/include/classes/csrftoken.class.php b/public/include/classes/csrftoken.class.php
index 6c32b8ca..21e8b5f7 100644
--- a/public/include/classes/csrftoken.class.php
+++ b/public/include/classes/csrftoken.class.php
@@ -35,6 +35,19 @@ class CSRFToken Extends Base {
 return $this->getHash($seed);
 }
+ /**
+ *
+ * @param unknown $dowhat
+ * @return string
+ */
+ public static function getDescriptionImageHTML($dowhat="try") {
+ $string = "salty.$string.$this->salt); }
diff --git a/public/include/config/global.inc.dist.php b/public/include/config/global.inc.dist.php
index faf09b19..3b7562c9 100644
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
@@ -135,7 +135,7 @@ $config['twofactor']['options']['changepw'] = true;
 *
 * Options:
 * enabled = Whether or not we will generate/check for valid CSRF tokens
- * sitewide = Require a valid CSRF token for all forms, does not override specific form settings
+ * sitewide = Require a valid CSRF token for all forms, does not override form specific settings
 * leadtime = Length of time in seconds to give as leeway between minute switches
 * login = Use and check login-specific CSRF token
 * register = Use and check register-specific CSRF token
@@ -148,7 +148,7 @@ $config['twofactor']['options']['changepw'] = true;
 * register = true
 */
 $config['csrf']['enabled'] = true;
-$config['csrf']['sitewide'] = true;
+$config['csrf']['options']['sitewide'] = true;
 $config['csrf']['options']['leadtime'] = 3;
 $config['csrf']['forms']['login'] = true;
 $config['csrf']['forms']['register'] = true;
diff --git a/public/include/pages/contactform.inc.php b/public/include/pages/contactform.inc.php
index ad4a54c7..9b46c4db 100644
--- a/public/include/pages/contactform.inc.php
+++ b/public/include/pages/contactform.inc.php
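Review bot: `getDescriptionImageHTML` is declared `public static` yet its body reads `$this->salt`, and PHP raises "Using $this when not in object context" the moment that line runs — the instance-style calls `$csrftoken->getDescriptionImageHTML('register')` in register.inc.php and `$csrftoken->getDescriptionImageHTML()` in contactform/contactform.inc.php still dispatch it statically, so both "token expired" paths would fatal instead of showing the message. Drop the modifier: `public function getDescriptionImageHTML($dowhat="try") {`. The rest of the body is truncated in this view (the line beginning `$string = "salty.` is cut off and appears to reference `$string` inside its own initializer), so that part cannot be reviewed here. The docblock should also read `@param string $dowhat` rather than `unknown`, and since the method is public and returns markup, any interpolation of `$dowhat` into the HTML should go through htmlspecialchars().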
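Review bot: Moving the key from `$config['csrf']['sitewide']` to `$config['csrf']['options']['sitewide']` changes only the dist template, so an installed global.inc.php that still sets the old key leaves the new one undefined; every `$config['csrf']['enabled'] && $config['csrf']['options']['sitewide']` guard added in this commit then evaluates false and the contact-form token is silently neither issued nor verified — a fail-open rather than a visible error. Unless the config loader already normalises old keys (not visible here), add a one-time fallback where the config is read, e.g. `if (isset($config['csrf']['sitewide']) && !isset($config['csrf']['options']['sitewide'])) { $config['csrf']['options']['sitewide'] = $config['csrf']['sitewide']; }`, and call out the renamed key in the upgrade notes. The comment rewording in the first hunk is fine as is.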
@@ -14,7 +14,11 @@ if ($setting->getValue('disable_contactform')) {
 require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
 $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
 }
-
+ // csrf token
+ if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+ $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact');
+ $smarty->assign('CTOKEN', $token);
+ }
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
 }
diff --git a/public/include/pages/contactform/contactform.inc.php b/public/include/pages/contactform/contactform.inc.php
index 28425bfd..5fadba39 100644
--- a/public/include/pages/contactform/contactform.inc.php
+++ b/public/include/pages/contactform/contactform.inc.php
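Review bot: The token issued on first display, `$csrftoken->getBasic($user->getCurrentIP(), 'contact')`, omits the third argument that the handler in contactform/contactform.inc.php passes both when it validates (`getBasic($user->getCurrentIP(), 'contact', 'mdyH') == $_POST['ctoken']`) and when it re-issues the token after a submission. Unless getBasic's default for that parameter is exactly `'mdyH'` (its signature is not in this diff), the first-render token can never equal the handler's recomputation and every initial submission would be rejected as expired. Use the same call here, `$token = $csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH');`, and since the value looks like a date() format that fixes the token's validity window, consider hoisting it into one shared constant so the issuing and verifying sides cannot drift again.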
@@ -15,19 +15,31 @@ if ($setting->getValue('recaptcha_enabled')) {
 );
 }
+// csrf if enabled
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+ $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH') == $_POST['ctoken']) ? 1 : 0;
+}
+
 if ($setting->getValue('disable_contactform')) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
 } else if ($setting->getValue('disable_contactform') && !$user->isAuthenticated(false)) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is disabled for guests.', 'TYPE' => 'errormsg');
 } else {
- // Check if recaptcha is enabled, process form data if valid
- if($setting->getValue('recaptcha_enabled') && $_POST["recaptcha_response_field"] && $_POST["recaptcha_response_field"]!=''){
+ if ($setting->getValue('recaptcha_enabled') && $_POST["recaptcha_response_field"] && $_POST["recaptcha_response_field"]!=''){
+ // Check if recaptcha is enabled, process form data if valid
 if ($rsp->is_valid) {
- $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
- if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
- $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
+ // Check if csrf is enabled and fail if token is invalid
+ if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
+ $img = $csrftoken->getDescriptionImageHTML();
+ $_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
 } else {
- $_SESSION['POPUP'][] = array('CONTENT' => 'There was a problem sending your message. Please try again.' . 
$user->getError(), 'TYPE' => 'errormsg');
+ // csrf is valid or disabled, send
+ $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
+ if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
+ $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
+ } else {
+ $_SESSION['POPUP'][] = array('CONTENT' => 'There was a problem sending your message. Please try again.' . $user->getError(), 'TYPE' => 'errormsg');
+ }
 }
 } else {
 $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), $rsp->error));
@@ -39,9 +51,13 @@ if ($setting->getValue('disable_contactform')) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Empty Captcha, please try again.', 'TYPE' => 'errormsg');
 // Captcha disabled
 } else {
- if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
+ // Check if csrf is enabled and fail if token is invalid
+ if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+ $img = $csrftoken->getDescriptionImageHTML();
+ $_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
+ } else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
 $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
- } else {
+ } else {
 $_SESSION['POPUP'][] = array('CONTENT' => 'There was a problem sending your message. Please try again. ' . $user->getError(), 'TYPE' => 'errormsg');
 }
 }
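Review bot: The guard inside the captcha branch, `if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register'])`, keys on the register-form flag, while `$nocsrf` is only assigned at the top of the file when `$config['csrf']['options']['sitewide']` is set and the second hunk of this file guards on that same sitewide key; with sitewide off and forms.register on, `$nocsrf` is never assigned, `!$nocsrf` is true and every captcha-validated message is rejected as "Contact token expired", whereas sitewide on with forms.register off skips the token check on this path altogether. Change it to `if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {`. The assignment itself reads `$_POST['ctoken']` without an isset() and compares with `==`, which applies numeric-string juggling if both hash strings happen to look numeric and is not constant-time; `$nocsrf = (isset($_POST['ctoken']) && hash_equals((string) $csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH'), (string) $_POST['ctoken'])) ? 1 : 0;` addresses both (hash_equals needs PHP 5.6; on older runtimes at least use `===`). The name `$nocsrf` also reads inverted — it is 1 when the token matched — so a comment such as `// 1 = submitted token matched the expected one` would help the next reader. The enclosing else-branch of the disable_contactform chain continues past this hunk.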
@@ -49,5 +65,9 @@ if ($setting->getValue('disable_contactform')) {
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
-
+// csrf token
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+ $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH');
+ $smarty->assign('CTOKEN', $token);
+}
 ?>
diff --git a/public/include/pages/register/register.inc.php b/public/include/pages/register/register.inc.php
index 30f088ec..cb262546 100644
--- a/public/include/pages/register/register.inc.php
+++ b/public/include/pages/register/register.inc.php
@@ -29,7 +29,7 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
 } else {
 // Check if csrf is enabled and fail if token is invalid
 if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
- $img = "";
+ $img = $csrftoken->getDescriptionImageHTML('register');
 $_SESSION['POPUP'][] = array('CONTENT' => "Register token expired, please try again $img", 'TYPE' => 'info');
 } else if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
 // Check if recaptcha is enabled, process form data if valid or disabled
diff --git a/public/templates/mpos/contactform/contactform/default.tpl b/public/templates/mpos/contactform/contactform/default.tpl
index 8b137891..8e4785c2 100644
--- a/public/templates/mpos/contactform/contactform/default.tpl
+++ b/public/templates/mpos/contactform/contactform/default.tpl
@@ -1 +1,30 @@
-
+
+ + + {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if} +
+

Contact Us

+
+
+ + +
+
+ + +
+
+ + +
+
+ + +
+
{nocache}{$RECAPTCHA|default:""}{/nocache}
+
+ +
+
+
diff --git a/public/templates/mpos/contactform/default.tpl b/public/templates/mpos/contactform/default.tpl
index a086e69b..ee4ef607 100644
--- a/public/templates/mpos/contactform/default.tpl
+++ b/public/templates/mpos/contactform/default.tpl
@@ -1,6 +1,7 @@
+ {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}

Contact Us