An attempt to mitigate cross site request forgery vulnerability.

anuko · Apr 11, 2021 · e77be7e · e77be7e
1 parent 4642916
commit e77be7e
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 1 deletion.
diff --git a/WEB-INF/config.php.dist b/WEB-INF/config.php.dist
@@ -163,6 +163,11 @@ define('AUTH_MODULE', 'db');
 // define('DEBUG', false); // Note: enabling DEBUG breaks redirects as debug output is printed before setting redirect header. Do not enable on production systems.
 
 
+// HTTP_TARGET - defines http target for cross site request forgery protection.
+// It can be used when you access the application via a proxy.
+// define('HTTP_TARGET', 'localhost');
+
+
 // Group managers can set monthly work hour quota for years between the following  values.
 // define('MONTHLY_QUOTA_YEAR_START', 2010); // If nothing is specified, it falls back to 2015.
 // define('MONTHLY_QUOTA_YEAR_END', 2025);   // If nothing is specified, it falls back to 2030.

diff --git a/WEB-INF/lib/common.lib.php b/WEB-INF/lib/common.lib.php
@@ -363,6 +363,10 @@ function ttAccessAllowed($required_right)
     exit();
   }
 
+  // Protection against cross site request forgery.
+  if (!ttMitigateCSRF())
+    return false;
+
   // Check IP restriction, if set.
   if ($user->allow_ip && !$user->can('override_allow_ip')) {
     $access_allowed = false;
@@ -388,6 +392,41 @@ function ttAccessAllowed($required_right)
   return false;
 }
 
+// ttMitigateCSRF verifies request headers in an attempt to block cross site request forgery.
+function ttMitigateCSRF() {
+  // No need to do anything for get requests.
+  global $request;
+  if ($request->isGet())
+    return true;
+
+  $origin = $_SERVER['HTTP_ORIGIN'];
+  if ($origin) {
+    $pos = strpos($origin, '//');
+    $origin = substr($origin, $pos+2); // Strip protocol.
+  }
+  if (!$origin) {
+    // Try using referer.
+    $origin = $_SERVER['HTTP_REFERER'];
+    if ($origin) {
+      $pos = strpos($origin, '//');
+      $origin = substr($origin, $pos+2); // Strip protocol.
+      $pos = strpos($origin, '/');
+      $origin = substr($origin, 0, $pos); // Leave host only.
+    }
+  }
+  error_log("origin: ".$origin);
+  $target = defined('HTTP_TARGET') ? HTTP_TARGET : $_SERVER['HTTP_HOST'];
+  error_log("target: ".$target);
+  if (strcmp($origin, $target)) {
+    error_log("Potential cross site request forgery. Origin: '$origin' does not match target: '$target'.");
+    return false; // Origin and target do not match,
+  }
+
+  // TODO: review and improve this function for custom ports.
+  return true;
+}
+
+
 // ttStartsWith functions checks if a string starts with a given substring.
 function ttStartsWith($string, $startString)
 {

diff --git a/initialize.php b/initialize.php
@@ -13,7 +13,7 @@
 ini_set('display_errors', 'Off');
 
 // require_once('init_auth.php');
-define("APP_VERSION", "1.19.26.5430");
+define("APP_VERSION", "1.19.27.5431");
 define("APP_DIR", dirname(__FILE__));
 define("LIBRARY_DIR", APP_DIR."/WEB-INF/lib");
 define("TEMPLATE_DIR", APP_DIR."/WEB-INF/templates");