5566 created a more general function to check referer, and updated cr…

…eate user and create admin to use it
atutor · Feb 28, 2015 · af519cf · af519cf
1 parent 068b8aa
commit af519cf
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 15 deletions.
diff --git a/include/lib/vital_funcs.inc.php b/include/lib/vital_funcs.inc.php
@@ -663,7 +663,23 @@ function admin_authenticate($privilege = 0, $check = false) {
 	}
 	return true;
 }
-
+/**
+ * Check if referer is in the $_pages array to prevent CSRF access
+ * @access public
+ * @return error message access denied
+ */
+function check_referer(){
+    global $_pages, $_base_href, $msg;
+    if(isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] !='' && $_SERVER['HTTP_REFERER'] != $_SERVER['PHP_SELF']){
+        $referer_script = preg_replace('#'.$_base_href.'#', '', $_SERVER['HTTP_REFERER']);
+        if( !in_array($_pages[$referer_script], $_pages)){
+			$msg->addError('ACCESS_DENIED');
+			require(AT_INCLUDE_PATH.'header.inc.php'); 
+			require(AT_INCLUDE_PATH.'footer.inc.php'); 
+			exit;
+        }
+    }
+}
 /**
  * Check if the give theme is a subsite customized theme. Return true if it is, otherwise, return false
  * @access public

diff --git a/mods/_core/users/admins/create.php b/mods/_core/users/admins/create.php
@@ -15,13 +15,9 @@
 define('AT_INCLUDE_PATH', '../../../../include/');
 require(AT_INCLUDE_PATH.'vitals.inc.php');
 admin_authenticate(AT_ADMIN_PRIV_ADMIN);
-if($_SERVER['HTTP_REFERER'] != $_SERVER['PHP_SELF']){
-    $referer_script = preg_replace('#'.$_base_href.'#', '', $_SERVER['HTTP_REFERER']);
-    if(!in_array($_pages[$referer_script], $_pages)){
-    echo "not a valid referer";
-    exit;
-    }
-}
+// Prevent remote access via CSRF: 5566
+// Ref include/lib/vitals-inc.php
+check_referer();
 
 if (isset($_POST['cancel'])) {
 	$msg->addFeedback('CANCELLED');

diff --git a/mods/_core/users/create_user.php b/mods/_core/users/create_user.php
@@ -16,13 +16,8 @@
 require(AT_INCLUDE_PATH.'vitals.inc.php');
 admin_authenticate(AT_ADMIN_PRIV_USERS);
 // Prevent remote access via CSRF: 5566
-if($_SERVER['HTTP_REFERER'] != $_SERVER['PHP_SELF']){
-    $referer_script = preg_replace('#'.$_base_href.'#', '', $_SERVER['HTTP_REFERER']);
-    if(!in_array($_pages[$referer_script], $_pages)){
-    echo "not a valid referer";
-    exit;
-    }
-}
+// Ref include/lib/vitals-inc.php
+check_referer();
 
 if (isset($_POST['cancel'])) {
 	header('Location: '.AT_BASE_HREF.'mods/_core/users/users.php');