Security: Add form->protect() to validate token when submitting a form.

Function called in user_edit.php
chamilo · Apr 24, 2020 · bf50545 · bf50545
1 parent 42d1a5d
commit bf50545
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/main/admin/user_edit.php b/main/admin/user_edit.php
@@ -99,6 +99,7 @@ function confirmation(name) {
     api_get_self().'?user_id='.$user_id,
     ''
 );
+$form->protect();
 $form->addElement('header', $tool_name);
 $form->addElement('hidden', 'user_id', $user_id);
 

diff --git a/main/inc/lib/pear/HTML/QuickForm.php b/main/inc/lib/pear/HTML/QuickForm.php
@@ -1,5 +1,7 @@
 <?php
 
+use ChamiloSession as Session;
+
 /**
  * Create, validate and process HTML forms
  *
@@ -64,6 +66,7 @@ class HTML_QuickForm extends HTML_Common
 {
     const MAX_ELEMENT_ARGUMENT = 10;
     private $dateTimePickerLibraryAdded;
+    private $token;
 
     /**
      * Array containing the form fields
@@ -227,7 +230,9 @@ public function __construct(
         $attributes = null,
         $trackSubmit = false
     ) {
+        $this->token = null;
         parent::__construct($attributes);
+
         $method = (strtoupper($method) == 'GET') ? 'get' : 'post';
         $action = ($action == '') ? api_get_self() : $action;
         $target = empty($target) ? array() : array('target' => $target);
@@ -270,6 +275,28 @@ public function __construct(
         }
     }
 
+    public function protect()
+    {
+        $token = $this->getSubmitValue('protect_token');
+        if (null === $token) {
+            $token = Security::get_token();
+        } else {
+            $token = Security::get_existing_token();
+        }
+        $this->addHidden('protect_token', $token);
+        $this->setToken($token);
+    }
+
+    public function setToken($token)
+    {
+        $this->token = $token;
+    }
+
+    public function getToken()
+    {
+        return $this->token;
+    }
+
     /**
      * Returns the current API version
      *
@@ -1401,6 +1428,14 @@ public function validate()
             return false;
         }
 
+        if (null !== $this->getToken()) {
+            $check = Security::check_token('form', $this);
+            Security::clear_token();
+            if (false === $check) {
+                return false;
+            }
+        }
+
         $registry =& HTML_QuickForm_RuleRegistry::singleton();
 
         foreach ($this->_rules as $target => $rules) {

diff --git a/main/inc/lib/security.lib.php b/main/inc/lib/security.lib.php
@@ -1,4 +1,5 @@
 <?php
+
 /* For licensing terms, see /license.txt */
 
 use Chamilo\CoreBundle\Component\HTMLPurifier\Filter\AllowIframes;
@@ -143,7 +144,7 @@ public static function getTokenFromSession()
      *
      * @return bool True if it's the right token, false otherwise
      */
-    public static function check_token($request_type = 'post')
+    public static function check_token($request_type = 'post', FormValidator $form = null)
     {
         $sessionToken = Session::read('sec_token');
         switch ($request_type) {
@@ -164,6 +165,14 @@ public static function check_token($request_type = 'post')
                     return true;
                 }
 
+                return false;
+            case 'form':
+                $token = $form->getSubmitValue('protect_token');
+
+                if (!empty($sessionToken) && !empty($token) && $sessionToken === $token) {
+                    return true;
+                }
+
                 return false;
             default:
                 if (!empty($sessionToken) && isset($request_type) && $sessionToken === $request_type) {