security: fix potential CSRF issue

Fixes #392

PodcastGenerator/admin/checkLogin.php

@@ -8,7 +8,7 @@
 # This is Free Software released under the GNU/GPL License.
 ############################################################
 session_start();
-if(!isset($_SESSION['username'])) {
+if(!isset($_SESSION['username']) || !isset($_SESSION['token'])) {
     header('Location: login.php');
     die();
 }

PodcastGenerator/admin/episodes_edit.php

@@ -19,6 +19,7 @@
 
 // Delete episode
 if (isset($_GET['delete'])) {
+    checkToken();
     // Delete the audio file
     unlink('../' . $config['upload_dir'] . $_GET['name']);
     // Delete the XML file
@@ -37,6 +38,7 @@
 
 // Edit episode
 if (sizeof($_POST) > 0) {
+    checkToken();
     // CHeck if all fields are set
     $req_fields = [
         $_POST['title'],
@@ -222,13 +224,17 @@
                         <input type="text" class="form-control" name="authorname" placeholder="Author Name" value="<?php echo htmlspecialchars($episode->episode->authorPG->namePG); ?>"><br>
                         <input type="email" class="form-control" name="authoremail" placeholder="Author E-Mail" value="<?php echo htmlspecialchars($episode->episode->authorPG->emailPG); ?>"><br>
                     </div>
+                    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
                     <input type="submit" class="btn btn-success btn-lg" value="<?php echo _('Save Changes'); ?>">
                 </div>
             </div>
         </form>
         <hr>
         <h3><?php echo _('Delete Episode'); ?></h3>
-        <a href="episodes_edit.php?name=<?php echo htmlspecialchars($_GET['name']); ?>&delete=1" class="btn btn-danger">Delete</a>
+        <form action="episodes_edit.php?name=<?php echo htmlspecialchars($_GET['name']); ?>&delete=1" method="POST">
+            <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
+            <input type="submit" class="btn btn-danger" value="<?php echo _('Delete'); ?>">
+        </form>
     </div>
     <script type="text/javascript">
         function shortDescCheck() {

PodcastGenerator/admin/episodes_ftp_feature.php

@@ -28,6 +28,7 @@ function getID3Tag($fileinfo, $tagName, $defaultValue = null)
 }
 
 if (isset($_GET['start'])) {
+    checkToken();
     $new_files = array();
     $mimetypes = simplexml_load_file($config['absoluteurl'] . 'components/supported_media/supported_media.xml');
     // Get all files and check if they have an XML file associated
@@ -170,7 +171,10 @@ function getID3Tag($fileinfo, $tagName, $defaultValue = null)
         <h1><?php echo _('FTP Auto Indexing'); ?></h1>
         <?php
         if (!isset($_GET['start'])) {
-            echo '<a href="episodes_ftp_feature.php?start=1" class="btn btn-success">' . _('Begin') . '<a>';
+            echo '<form action="episodes_ftp_feature.php?start=1" method="POST">';
+            echo '<input type="hidden" name="token" value="' . $_SESSION['token']  . '">';
+            echo '<input class="btn btn-success" type="submit" value="' . _('Begin') . '">';
+            echo '</form>';
         }
         if (isset($success)) {
             echo '<p>' . htmlspecialchars($success) . '</p>';
@@ -179,4 +183,4 @@ function getID3Tag($fileinfo, $tagName, $defaultValue = null)
     </div>
 </body>
 
-</html>
+</html>

PodcastGenerator/admin/episodes_manage_cats.php

@@ -12,6 +12,7 @@
 
 // If episode is deleted
 if (isset($_GET['del'])) {
+    checkToken();
     $cats_xml = simplexml_load_file('../categories.xml');
     // Get index of item
     foreach ($cats_xml as $item) {
@@ -27,6 +28,7 @@
 }
 // If episode is added
 if (isset($_GET['add'])) {
+    checkToken();
     $cats_xml = simplexml_load_file('../categories.xml');
     $description = $_POST['categoryname'];
     // These chars should be replaced with an underscore
@@ -78,18 +80,21 @@
         <form action="episodes_manage_cats.php?add=1" method="POST">
             <?php echo _('Category Name'); ?>:<br>
             <input type="text" name="categoryname" placeholder="<?php echo _('Category Name'); ?>"><br><br>
+            <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
             <input type="submit" value="<?php echo _('Add'); ?>" class="btn btn-success"><br><br>
         </form>
         <h3><?php _('Current Categories'); ?></h3>
-        <ul>
-            <?php
-            $cats_xml = simplexml_load_file('../categories.xml');
-            foreach ($cats_xml as $item) {
-                echo '<li><a href="' . htmlspecialchars($config["url"]) . $config['indexfile'] . '?cat=' . htmlspecialchars($item->id) . '">' . htmlspecialchars($item->description) . '</a> <a class="btn btn-sm btn-danger" href="episodes_manage_cats.php?del=' . htmlspecialchars($item->id) . '">' . _('Delete') . '</a></li>';
-            }
-            ?>
-        </ul>
+        <?php
+        $cats_xml = simplexml_load_file('../categories.xml');
+        foreach($cats_xml as $item) {
+            echo '<form action="episodes_manage_cats.php?del=' . htmlspecialchars($item->id) . '" method="POST">';
+            echo '<input type="hidden" name="token" value="' . $_SESSION['token'] . '">';
+            echo '<a href="' . htmlspecialchars($config['url']) . $config['indexfile'] . '?cat=' . htmlspecialchars($item->id) . '">' . htmlspecialchars($item->description) . '</a> ';
+            echo '<input class="btn btn-sm btn-danger" type="submit" value="' . _('Delete')  . '">';
+            echo '</form><br>';
+        }
+        ?>
     </div>
 </body>
 
-</html>
+</html>

PodcastGenerator/admin/episodes_upload.php

@@ -11,6 +11,7 @@
 require '../core/include_admin.php';
 
 if (sizeof($_POST) > 0) {
+    checkToken();
     // CHeck if all fields are set (except "category")
     $req_fields = [
         $_POST['title'],
@@ -261,6 +262,7 @@
                         <input type="text" class="form-control" name="authorname" placeholder="<?php echo htmlspecialchars($config["author_name"]); ?>"><br>
                         <input type="email" class="form-control" name="authoremail" placeholder="<?php echo htmlspecialchars($config["author_email"]); ?>"><br>
                     </div>
+                    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
                     <input type="submit" class="btn btn-success btn-lg" value="<?php echo _('Upload episode'); ?>">
                 </div>
             </div>

PodcastGenerator/admin/login.php

@@ -31,6 +31,7 @@
     }
     if (checkLogin($_POST['username'], $_POST['password'])) {
         $_SESSION['username'] = $_POST['username'];
+        $_SESSION['token'] = randomString(32);
         header('Location: index.php');
         die();
     } else {
@@ -78,4 +79,4 @@
     </div>
 </body>
 
-</html>
+</html>

PodcastGenerator/admin/pg_config.php

@@ -11,6 +11,7 @@
 require '../core/include_admin.php';
 
 if (isset($_GET['edit'])) {
+    checkToken();
     foreach ($_POST as $key => $value) {
         updateConfig('../config.php', $key, $value);
     }
@@ -57,9 +58,10 @@
             <small><?php echo _('Leave empty for no password, keep in mind that the feed and the audio files will still be accessible no matter if a password is set or not'); ?></small><br>
             <input type="text" name="podcastPassword" value="<?php echo $config['podcastPassword']; ?>"><br>
             <hr>
+            <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
             <input type="submit" value="<?php echo _("Submit"); ?>" class="btn btn-success"><br>
         </form>
     </div>
 </body>
 
-</html>
+</html>

PodcastGenerator/admin/pg_users.php

@@ -14,6 +14,7 @@
 
 // Change password case
 if (isset($_GET['change'])) {
+    checkToken();
     if (!changeUserPassword($_GET['change'], $_POST['password'])) {
         $error = _('Error while changing password');
         goto error;
@@ -24,6 +25,7 @@
 }
 // Delete user case
 else if (isset($_GET['delete'])) {
+    checkToken();
     // Check if the deleted user is the logged in user
     // Don't permit to delete the logged in user
     if ($_GET['delete'] == $_SESSION['username']) {
@@ -45,6 +47,7 @@
 }
 // Create user case
 else if (isset($_GET['create'])) {
+    checkToken();
     if (empty($_POST['username']) || empty($_POST['password'])) {
         $error = _('Missing fields');
         goto error;
@@ -101,6 +104,7 @@
                     <?php echo _('Password') ?>:<br>
                     <input type="password" name="password"><br>
                     <br>
+                    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
                     <input type="submit" value="<?php echo _('Submit'); ?>" class="btn btn-success"><br>
                 </form>
             <?php
@@ -120,6 +124,7 @@
                     <?php echo _('Repeat new password'); ?><br>
                     <input type="password" name="password2"><br>
                     <br>
+                    <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
                     <input type="submit" value="<?php echo _('Change'); ?>" class="btn btn-success">
                 </form>
                 <hr>
@@ -129,7 +134,10 @@
                 if ($_GET['username'] == $_SESSION['username']) {
                     echo '<p>' . _('You cannot delete yourself') . '</p>';
                 } else {
-                    echo '<a href="pg_users.php?delete=' . $_GET['username'] . '" class="btn btn-danger">Delete</a>';
+                    echo '<form action="pg_users.php?delete=' . $_GET['username'] . '" method="POST">';
+                    echo '<input type="hidden" name="token" value="' . $_SESSION['token' ]. '">';
+                    echo '<input class="btn btn-danger" type="submit" value="' . _('Delete') . '">';
+                    echo '</form>';
                 }
                 ?>
             <?php
@@ -144,4 +152,4 @@
     </div>
 </body>
 
-</html>
+</html>

PodcastGenerator/admin/podcast_details.php

@@ -11,6 +11,7 @@
 require '../core/include_admin.php';
 
 if (isset($_GET['edit'])) {
+    checkToken();
     foreach ($_POST as $key => $value) {
         updateConfig('../config.php', $key, $value);
     }
@@ -136,9 +137,10 @@
             <?php echo _('Explicit Podcast'); ?>:<br>
             <input type="radio" name="explicit_podcast" value="yes" <?php echo $config['explicit_podcast'] == 'yes' ? 'checked' : '' ?>> <?php echo _('Yes'); ?> <input type="radio" name="explicit_podcast" value="no" <?php echo $config['explicit_podcast'] == 'no' ? 'checked' : '' ?>> <?php echo _('No'); ?><br>
             <br>
+            <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
             <input type="submit" value="<?php echo _("Submit") ?>" class="btn btn-success">
         </form>
     </div>
 </body>
 
-</html>
+</html>

PodcastGenerator/admin/store_cat.php

@@ -13,6 +13,7 @@
 $categories = simplexml_load_file('../components/itunes_categories/itunes_categories.xml');
 
 if (isset($_GET['edit'])) {
+    checkToken();
     if (empty($_POST['cat1'])) {
         $error = _('Category 1 needs to be set');
         goto error;
@@ -102,9 +103,10 @@
                 ?>
             </select>
             <hr>
+            <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
             <input type="submit" value="<?php echo _('Save') ?>" class="btn btn-success"><br>
         </form>
     </div>
 </body>
 
-</html>
+</html>

PodcastGenerator/admin/store_cover.php

@@ -11,6 +11,7 @@
 require '../core/include_admin.php';
 
 if (isset($_GET['upload'])) {
+    checkToken();
     // Check mime type
     if(mime_content_type($_FILES['file']['tmp_name']) != "image/jpeg") {
         $error = _('Image is not a JPEG');
@@ -69,9 +70,10 @@
         <form action="store_cover.php?upload=1" method="POST" enctype="multipart/form-data">
             <?php echo _('Select file'); ?>:<br>
             <input type="file" name="file"><br><br>
+            <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
             <input type="submit" value="<?php echo _('Upload'); ?>" class="btn btn-success">
         </form>
     </div>
 </body>
 
-</html>
+</html>

PodcastGenerator/admin/theme_buttons.php

@@ -13,6 +13,7 @@
 $buttons = getButtons();
 
 if (isset($_GET['add'])) {
+    checkToken();
     $exists = false;
     foreach ($buttons as $item) {
         if ($item->name == $_GET['name']) {
@@ -47,6 +48,7 @@
     header('Location: theme_buttons.php');
     die();
 } else if (isset($_GET['edit'])) {
+    checkToken();
     // Find item
     foreach ($buttons as $item) {
         if ($item->name == $_GET['name']) {
@@ -62,6 +64,7 @@
     header('Location: theme_buttons.php');
     die();
 } else if (isset($_GET['del'])) {
+    checkToken();
     // Find item
     foreach ($buttons as $item) {
         if ($item->name == $_GET['name']) {
@@ -124,10 +127,14 @@
                 <input type="text" name="class" value="<?php echo htmlspecialchars($btn->class); ?>"><br>
                 <?php echo _("Protocol (Leave it blank if you don't know what you are doing)"); ?>:<br>
                 <input type="text" name="protocol" value="<?php echo htmlspecialchars($btn->protocol); ?>"><br><br>
+                <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
                 <input type="submit" value="<?php echo _('Submit'); ?>" class="btn btn-success">
             </form>
             <hr>
-            <a href="theme_buttons.php?del=1&name=<?php echo htmlspecialchars($_GET['name']); ?>" class="btn btn-danger"><?php echo _('Delete Button'); ?></a>
+            <form action="theme_buttons.php?del=1&name=<?php echo htmlspecialchars($_GET['name']); ?>" method="POST">
+                <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
+                <input class="btn btn-danger" type="submit" value="<?php echo _('Delete Button'); ?>">
+            </form>
         <?php
         }
         ?>
@@ -145,6 +152,7 @@
                 <input type="text" name="class" value="<?php echo htmlspecialchars($btn->class); ?>"><br>
                 <?php echo _("Protocol (Leave it blank if you don't know what you are doing)"); ?>:<br>
                 <input type="text" name="protocol" value="<?php echo htmlspecialchars($btn->protocol); ?>"><br><br>
+                <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
                 <input type="submit" value="<?php echo _('Submit'); ?>" class="btn btn-success">
             </form>
         <?php
@@ -153,4 +161,4 @@
     </div>
 </body>
 
-</html>
+</html>

PodcastGenerator/admin/theme_change.php

@@ -28,6 +28,7 @@
 unset($realthemes);
 
 if (isset($_GET['change'])) {
+    checkToken();
     if ($_GET['change'] > sizeof($themes)) {
         goto error;
     }
@@ -80,7 +81,10 @@
                     if ($themes[$i][0] == htmlspecialchars($config['theme_path'])) {
                         echo '<small>' . _('This theme is currently in use') . '</small>';
                     } else {
-                        echo '<a href="theme_change.php?change=' . $i . '" class="btn btn-success">' . _('Switch theme') . '</a>';
+                        echo '<form action="theme_change.php?change=' . $i . '" method="POST">';
+                        echo '<input type="hidden" name="token" value="' . $_SESSION['token'] . '"';
+                        echo '<input class="btn btn-success" type="submit" value="' . _('Switch theme') . '">';
+                        echo '</form>';
                     }
                     echo '</div>';
                     echo '</div>';
@@ -92,4 +96,4 @@
     </div>
 </body>
 
-</html>
+</html>