diff --git a/admin/config_edit.php b/admin/config_edit.php index 437b546db..2d97f1d9e 100644 --- a/admin/config_edit.php +++ b/admin/config_edit.php @@ -22,6 +22,8 @@ header('Location: index.php'); exit; } else if (isset($_POST['submit'])) { + check_csrf_token(); + $missing_fields = array(); $_POST['site_name'] = trim($_POST['site_name']); diff --git a/include/lib/vital_funcs.inc.php b/include/lib/vital_funcs.inc.php index 656b77642..7db811e12 100644 --- a/include/lib/vital_funcs.inc.php +++ b/include/lib/vital_funcs.inc.php @@ -680,6 +680,19 @@ function check_referer(){ } } } +/** + * Check if token supplied in a POST request corresponds to the token in memory to prevent CSRF access + * @access public + * @return error message access denied + */ +function check_csrf_token() { + global $msg; + if($_POST['csrftoken'] != $_SESSION['token']){ + $msg->addError('ACCESS_DENIED'); + header('Location: '.AT_BASE_HREF.'index.php'); + exit; + } +} /** * Check if the give theme is a subsite customized theme. Return true if it is, otherwise, return false * @access public diff --git a/mods/_core/courses/admin/create_course.php b/mods/_core/courses/admin/create_course.php index 74814ead6..7384703ed 100644 --- a/mods/_core/courses/admin/create_course.php +++ b/mods/_core/courses/admin/create_course.php @@ -23,6 +23,8 @@ header('Location: '.AT_BASE_HREF.'mods/_core/courses/admin/courses.php'); exit; } else if (isset($_POST['form_course'])) { + check_csrf_token(); + $errors = add_update_course($_POST, TRUE); if ($errors !== FALSE) { $msg->addFeedback('ACTION_COMPLETED_SUCCESSFULLY'); diff --git a/mods/_core/courses/users/create_course.php b/mods/_core/courses/users/create_course.php index 9bb90c5e7..07995721a 100644 --- a/mods/_core/courses/users/create_course.php +++ b/mods/_core/courses/users/create_course.php 
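Review bot: The new `check_csrf_token();` at the top of the `isset($_POST['submit'])` branch will reject every legitimate save unless the config form already emits a `csrftoken` hidden input, and the form template is not part of this diff, so that needs confirming before merge. The hunks for enroll_edit.inc.php and delete_course.php in this same commit add `$hidden_vars['csrftoken'] = $_SESSION['token'];` explicitly, while config_edit.php, the admin create_course.php, edit_course.php and admin_delete.php only add the check; if any of those forms lacks the field, admins are locked out rather than protected. If the field is missing, the one-line fix on the rendering side is `$hidden_vars['csrftoken'] = $_SESSION['token'];` next to the other hidden fields, mirroring the enrolment hunk. The enclosing `if`/`else if` chain continues outside this hunk.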
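Review bot: `if($_POST['csrftoken'] != $_SESSION['token'])` in the new `check_csrf_token()` is a loose comparison with no `isset()` on either side, so when `$_SESSION['token']` has not been populated a request that omits `csrftoken` (or sends it empty) compares `null != null` / `'' != null` as false and the check passes, which is exactly the case an attacker controls. Loose `!=` also treats numeric-looking strings numerically (`'1e3' == '1000'`), which matters only if tokens can be numeric, but a strict string compare removes the question, and `hash_equals()` additionally makes the compare constant-time (it needs PHP 5.6+; on older runtimes fall back to `$session !== $posted`). The docblock's `@return error message access denied` is also inaccurate, since the function never returns on failure; `@return void  Exits with a redirect to index.php when the token is missing or wrong` describes it. Suggested body:
```php
function check_csrf_token() {
    global $msg;
    $posted  = isset($_POST['csrftoken']) ? (string) $_POST['csrftoken'] : '';
    $session = isset($_SESSION['token']) ? (string) $_SESSION['token'] : '';
    // deny when no session token exists yet, or when the tokens differ (constant-time compare)
    if ($session === '' || !hash_equals($session, $posted)) {
        // … unchanged: addError('ACCESS_DENIED'), redirect, exit …
    }
}
```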
@@ -68,12 +68,9 @@ header('Location: index.php'); exit; }else if (isset($_POST['form_course']) && $_POST['submit'] != '') { + check_csrf_token(); + $_POST['instructor'] = $_SESSION['member_id']; - if($_POST['csrftoken'] != $_SESSION['token']){ - $msg->addError('ACCESS_DENIED'); - header('Location: '.AT_BASE_HREF.'index.php'); - exit; - } $errors = add_update_course($_POST); if ($errors !== FALSE) { diff --git a/mods/_core/enrolment/html/enroll_edit.inc.php b/mods/_core/enrolment/html/enroll_edit.inc.php index 0fe9fc2aa..49c4f629b 100644 --- a/mods/_core/enrolment/html/enroll_edit.inc.php +++ b/mods/_core/enrolment/html/enroll_edit.inc.php @@ -234,6 +234,8 @@ function alumni ($list) { exit; } else if (isset($_POST['submit_yes']) && $_POST['func'] =='unenroll' ) { + check_csrf_token(); + //Unenroll student from course unenroll($_POST['id']); @@ -241,6 +243,8 @@ function alumni ($list) { header('Location: index.php?current_tab=4'.SEP.'course_id='.$course_id); exit; } else if (isset($_POST['submit_yes']) && $_POST['func'] =='enroll' ) { + check_csrf_token(); + //Enroll student in course enroll($_POST['id']); @@ -248,6 +252,8 @@ function alumni ($list) { header('Location: index.php?current_tab=0'.SEP.'course_id='.$course_id); exit; } else if (isset($_POST['submit_yes']) && $_POST['func'] =='alumni' ) { + check_csrf_token(); + //Mark student as course alumnus alumni($_POST['id']); @@ -289,6 +295,7 @@ function alumni ($list) { $hidden_vars['current_tab'] = $_GET['current_tab']; $hidden_vars['gid'] = abs($_GET['gid']); $hidden_vars['course_id'] = $course_id; +$hidden_vars['csrftoken'] = $_SESSION['token']; //get usernames of users about to be edited $str = get_usernames($member_ids); diff --git a/mods/_core/properties/admin/delete_course.php b/mods/_core/properties/admin/delete_course.php index 443691985..e1944b7ed 100644 --- a/mods/_core/properties/admin/delete_course.php +++ b/mods/_core/properties/admin/delete_course.php 
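Review bot: The new `$hidden_vars['csrftoken'] = $_SESSION['token'];` in the -289 hunk assumes `$_SESSION['token']` has already been generated somewhere before this confirmation page is rendered, and nothing in this diff shows where that happens. If it is not set, the hidden field is emitted empty (with a notice), and because the `check_csrf_token()` added by this commit compares loosely, the subsequent `submit_yes` post with an empty token is then accepted rather than refused. Worth confirming the token is created at login/session start, or guarding the assignment with something like `if (!isset($_SESSION['token'])) { $_SESSION['token'] = bin2hex(random_bytes(16)); }` (or `openssl_random_pseudo_bytes` on older PHP) before building `$hidden_vars`. The three `submit_yes` branches at -234/-241/-248 each call the check, so the only gap is the token's origin.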
@@ -22,6 +22,8 @@ header('Location: ../../courses/admin/courses.php'); exit; } else if (isset($_POST['step']) && ($_POST['step'] == 2) && isset($_POST['submit_yes'])) { + check_csrf_token(); + require_once(AT_INCLUDE_PATH.'../mods/_core/file_manager/filemanager.inc.php'); require(AT_INCLUDE_PATH.'../mods/_core/properties/lib/delete_course.inc.php'); @@ -43,6 +45,7 @@ } else if ($_POST['step'] == 1) { $hidden_vars['step'] = 2; $hidden_vars['course'] = $course; + $hidden_vars['csrftoken'] = $_SESSION['token']; $msg->addConfirm(array('DELETE_COURSE_2', $system_courses[$course]['title']), $hidden_vars); $msg->printConfirm(); } diff --git a/mods/_core/properties/admin/edit_course.php b/mods/_core/properties/admin/edit_course.php index b96ea174b..baca2de2f 100644 --- a/mods/_core/properties/admin/edit_course.php +++ b/mods/_core/properties/admin/edit_course.php @@ -22,6 +22,8 @@ header('Location: ../../courses/admin/courses.php'); exit; } else if (isset($_POST['submit'])) { + check_csrf_token(); + require(AT_INCLUDE_PATH.'../mods/_core/courses/lib/course.inc.php'); $errors = add_update_course($_POST, TRUE); diff --git a/mods/_core/users/admin_delete.php b/mods/_core/users/admin_delete.php index 7b8145cd6..411294e81 100644 --- a/mods/_core/users/admin_delete.php +++ b/mods/_core/users/admin_delete.php @@ -147,7 +147,8 @@ function delete_user($id) { $ids = explode(',', $_REQUEST['id']); if (isset($_POST['submit_yes'])) { - + check_csrf_token(); + foreach($ids as $id) { delete_user(intval($id)); } @@ -174,6 +175,7 @@ function delete_user($id) { $names_html = '
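Review bot: `check_csrf_token();` now guards the `submit_yes` path in `admin_delete.php`, but the ids it acts on still come from `$ids = explode(',', $_REQUEST['id']);` on the line above, i.e. from the query string as well as the post body, so the token only proves the confirmation form was posted, not that the id list originated from that form. Since the confirmation form that must carry the `csrftoken` field starts in the following hunk, which is cut off in this view, make sure that form both emits the token and submits `id` as a hidden field, and consider `$_POST['id']` here so the two cannot be split across GET and POST. `delete_user(intval($id))` already coerces each id, so the remaining concern is provenance, not type. The enclosing `delete_user`/confirmation logic begins outside this hunk.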