Merge branch 'token-whitelist' into develop

contao · Jun 26, 2012 · ee2a3f3 · ee2a3f3
2 parents 5bb272a + 537196f
commit ee2a3f3
Show file tree

Hide file tree

Showing 7 changed files with 88 additions and 49 deletions.
diff --git a/system/config/default.php b/system/config/default.php
@@ -90,9 +90,10 @@
  * In Contao 2.10, the referer check has been replaced with a request token
  * system, which you can disable here (not recommended).
  */
-$GLOBALS['TL_CONFIG']['allowedTags']         = '<a><abbr><acronym><address><area><article><aside><b><big><blockquote><br><base><bdo><button><caption><cite><code><col><colgroup><dd><del><div><dfn><dl><dt><em><figure><figcaption><form><fieldset><hr><h1><h2><h3><h4><h5><h6><i><img><input><ins><label><legend><li><link><map><object><ol><optgroup><option><p><pre><param><q><section><select><small><span><strong><sub><sup><style><table><tbody><td><textarea><tfoot><th><thead><tr><tt><u><ul>';
-$GLOBALS['TL_CONFIG']['disableRefererCheck'] = false;
-$GLOBALS['TL_CONFIG']['disableIpCheck']      = false;
+$GLOBALS['TL_CONFIG']['allowedTags']           = '<a><abbr><acronym><address><area><article><aside><b><big><blockquote><br><base><bdo><button><caption><cite><code><col><colgroup><dd><del><div><dfn><dl><dt><em><figure><figcaption><form><fieldset><hr><h1><h2><h3><h4><h5><h6><i><img><input><ins><label><legend><li><link><map><object><ol><optgroup><option><p><pre><param><q><section><select><small><span><strong><sub><sup><style><table><tbody><td><textarea><tfoot><th><thead><tr><tt><u><ul>';
+$GLOBALS['TL_CONFIG']['disableRefererCheck']   = false;
+$GLOBALS['TL_CONFIG']['disableIpCheck']        = false;
+$GLOBALS['TL_CONFIG']['requestTokenWhitelist'] = array();
 
 
 /**

diff --git a/system/docs/CHANGELOG.md b/system/docs/CHANGELOG.md
@@ -4,6 +4,16 @@ Contao Open Source CMS Changelog
 Version 3.0.beta2 (XXXX-XX-XX)
 ------------------------------
 
+### New
+Added a "requestTokenWhitelist" array to the Contao configuration which can be
+used to exempt domains from the request token check (see #3164). Example:
+
+```
+$GLOBALS['TL_CONFIG']['requestTokenWhitelist'][] = 'facebook.com';
+```
+
+The code above can be added in the local configuration file.
+
 ### Changed
 Contao now uses `crypt()` to generate stronger password hashes (see #3225).
 

diff --git a/system/initialize.php b/system/initialize.php
@@ -180,35 +180,31 @@ class_alias('Contao\\TemplateLoader', 'TemplateLoader');
 /**
  * Check the request token upon POST requests
  */
-if ($_POST && !$GLOBALS['TL_CONFIG']['disableRefererCheck'] && !defined('BYPASS_TOKEN_CHECK'))
+if ($_POST && !RequestToken::validate(Input::post('REQUEST_TOKEN')))
 {
-	// Exit if the token cannot be validated
-	if (!RequestToken::validate(Input::post('REQUEST_TOKEN')))
+	// Force JavaScript redirect upon Ajax requests (IE requires absolute link)
+	if (Environment::get('isAjaxRequest'))
 	{
-		// Force JavaScript redirect upon Ajax requests (IE requires absolute link)
-		if (Environment::get('isAjaxRequest'))
+		echo '<script>location.replace("' . Environment::get('base') . 'contao/index.php")</script>';
+	}
+	else
+	{
+		// Send an error 400 header if it is not an Ajax request
+		header('HTTP/1.1 400 Bad Request');
+
+		if (file_exists(TL_ROOT . '/templates/be_referer.html5'))
 		{
-			echo '<script>location.replace("' . Environment::get('base') . 'contao/index.php")</script>';
+			include TL_ROOT . '/templates/be_referer.html5';
+		}
+		elseif (file_exists(TL_ROOT . '/system/modules/core/templates/be_referer.html5'))
+		{
+			include TL_ROOT . '/system/modules/core/templates/be_referer.html5';
 		}
 		else
 		{
-			// Send an error 400 header if it is not an Ajax request
-			header('HTTP/1.1 400 Bad Request');
-
-			if (file_exists(TL_ROOT . '/templates/be_referer.html5'))
-			{
-				include TL_ROOT . '/templates/be_referer.html5';
-			}
-			elseif (file_exists(TL_ROOT . '/system/modules/core/templates/be_referer.html5'))
-			{
-				include TL_ROOT . '/system/modules/core/templates/be_referer.html5';
-			}
-			else
-			{
-				echo 'Invalid request token. Please <a href="javascript:window.location.href=window.location.href">go back</a> and try again.';
-			}
+			echo 'Invalid request token. Please <a href="javascript:window.location.href=window.location.href">go back</a> and try again.';
 		}
-
-		exit;
 	}
+
+	exit;
 }
diff --git a/system/library/Contao/RequestToken.php b/system/library/Contao/RequestToken.php
@@ -97,7 +97,33 @@ public static function get()
 	 */
 	public static function validate($strToken)
 	{
-		return ($strToken != '' && static::$strToken != '' && $strToken == static::$strToken);
+		// The feature has been disabled
+		if ($GLOBALS['TL_CONFIG']['disableRefererCheck'] || defined('BYPASS_TOKEN_CHECK'))
+		{
+			return true;
+		}
+
+		// Validate the token
+		if ($strToken != '' && static::$strToken != '' && $strToken == static::$strToken)
+		{
+			return true;
+		}
+
+		// Check against the whitelist (thanks to Tristan Lins) (see #3164)
+		if (!empty($GLOBALS['TL_CONFIG']['requestTokenWhitelist']))
+		{
+			$strHostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
+
+			foreach ($GLOBALS['TL_CONFIG']['requestTokenWhitelist'] as $strDomain)
+			{
+				if ($strDomain == $strHostname || preg_match('/\.' . preg_quote($strDomain, '/') . '$/', $strHostname))
+				{
+					return true;
+				}
+			}
+		}
+
+		return false;
 	}
 
 

diff --git a/system/modules/core/dca/tl_settings.php b/system/modules/core/dca/tl_settings.php
@@ -28,7 +28,7 @@
 	'palettes' => array
 	(
 		'__selector__'                => array('useSMTP'),
-		'default'                     => '{title_legend},websiteTitle,adminEmail;{date_legend},dateFormat,timeFormat,datimFormat,timeZone;{global_legend:hide},websitePath,characterSet,customSections,disableCron,minifyMarkup,gzipScripts;{backend_legend},resultsPerPage,maxResultsPerPage,staticFiles,staticSystem,staticPlugins,doNotCollapse;{frontend_legend},urlSuffix,cacheMode,rewriteURL,useAutoItem,addLanguageToUrl,doNotRedirectEmpty,folderUrl,disableAlias;{privacy_legend:hide},privacyAnonymizeIp,privacyAnonymizeGA;{safemode_legend:hide},coreOnlyMode;{security_legend:hide},allowedTags,debugMode,bypassCache,displayErrors,logErrors,disableRefererCheck,disableIpCheck;{files_legend:hide},allowedDownload,validImageTypes,editableFiles,templateFiles,maxImageWidth,jpgQuality,gdMaxImgWidth,gdMaxImgHeight;{uploads_legend:hide},uploadPath,uploadTypes,uploadFields,maxFileSize,imageWidth,imageHeight;{search_legend:hide},enableSearch,indexProtected;{smtp_legend:hide},useSMTP;{modules_legend},inactiveModules;{timeout_legend:hide},undoPeriod,versionPeriod,logPeriod,sessionTimeout,autologin,lockPeriod;{chmod_legend:hide},defaultUser,defaultGroup,defaultChmod;{update_legend:hide},liveUpdateBase'
+		'default'                     => '{title_legend},websiteTitle,adminEmail;{date_legend},dateFormat,timeFormat,datimFormat,timeZone;{global_legend:hide},websitePath,characterSet,minifyMarkup,gzipScripts,disableCron,coreOnlyMode;{backend_legend},resultsPerPage,maxResultsPerPage,staticFiles,staticSystem,staticPlugins,doNotCollapse;{frontend_legend},urlSuffix,cacheMode,rewriteURL,useAutoItem,addLanguageToUrl,doNotRedirectEmpty,folderUrl,disableAlias;{privacy_legend:hide},privacyAnonymizeIp,privacyAnonymizeGA;{security_legend:hide},allowedTags,debugMode,bypassCache,displayErrors,logErrors,disableRefererCheck,disableIpCheck;{files_legend:hide},allowedDownload,validImageTypes,editableFiles,templateFiles,maxImageWidth,jpgQuality,gdMaxImgWidth,gdMaxImgHeight;{uploads_legend:hide},uploadPath,uploadTypes,uploadFields,maxFileSize,imageWidth,imageHeight;{search_legend:hide},enableSearch,indexProtected;{smtp_legend:hide},useSMTP;{modules_legend},inactiveModules;{sections_legend:hide},customSections;{timeout_legend:hide},undoPeriod,versionPeriod,logPeriod,sessionTimeout,autologin,lockPeriod;{chmod_legend:hide},defaultUser,defaultGroup,defaultChmod;{update_legend:hide},liveUpdateBase'
 	),
 
 	// Subpalettes
@@ -90,17 +90,17 @@
 			'inputType'               => 'text',
 			'eval'                    => array('mandatory'=>true, 'rgxp'=>'alnum', 'nospace'=>true, 'tl_class'=>'w50')
 		),
-		'customSections' => array
+		'coreOnlyMode' => array
 		(
-			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['customSections'],
-			'inputType'               => 'text',
+			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['coreOnlyMode'],
+			'inputType'               => 'checkbox',
 			'eval'                    => array('tl_class'=>'w50')
 		),
 		'disableCron' => array
 		(
 			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['disableCron'],
 			'inputType'               => 'checkbox',
-			'eval'                    => array('tl_class'=>'w50 m12')
+			'eval'                    => array('tl_class'=>'w50')
 		),
 		'minifyMarkup' => array
 		(
@@ -228,6 +228,18 @@
 			'inputType'               => 'checkbox',
 			'eval'                    => array('tl_class'=>'w50')
 		),
+		'disableRefererCheck' => array
+		(
+			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['disableRefererCheck'],
+			'inputType'               => 'checkbox',
+			'eval'                    => array('tl_class'=>'w50')
+		),
+		'tokenWhitelist' => array
+		(
+			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['tokenWhitelist'],
+			'inputType'               => 'textarea',
+			'eval'                    => array('decodeEntities'=>true, 'style'=>'height:60px'),
+		),
 		'allowedTags' => array
 		(
 			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['allowedTags'],
@@ -250,11 +262,6 @@
 			'inputType'               => 'checkbox',
 			'eval'                    => array('tl_class'=>'w50')
 		),
-		'coreOnlyMode' => array
-		(
-			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['coreOnlyMode'],
-			'inputType'               => 'checkbox'
-		),
 		'displayErrors' => array
 		(
 			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['displayErrors'],
@@ -267,12 +274,6 @@
 			'inputType'               => 'checkbox',
 			'eval'                    => array('tl_class'=>'w50')
 		),
-		'disableRefererCheck' => array
-		(
-			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['disableRefererCheck'],
-			'inputType'               => 'checkbox',
-			'eval'                    => array('tl_class'=>'w50')
-		),
 		'disableIpCheck' => array
 		(
 			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['disableIpCheck'],
@@ -435,6 +436,11 @@
 				array('tl_settings', 'updateInactiveModules')
 			)
 		),
+		'customSections' => array
+		(
+			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['customSections'],
+			'inputType'               => 'text'
+		),
 		'undoPeriod' => array
 		(
 			'label'                   => &$GLOBALS['TL_LANG']['tl_settings']['undoPeriod'],

diff --git a/system/modules/core/languages/de/tl_settings.php b/system/modules/core/languages/de/tl_settings.php
@@ -43,10 +43,10 @@
 $GLOBALS['TL_LANG']['tl_settings']['lockPeriod']          = array('Wartezeit bei gesperrtem Konto', 'Ein Konto wird gesperrt, wenn drei Mal hintereinander ein falsches Passwort eingegeben wird.');
 $GLOBALS['TL_LANG']['tl_settings']['debugMode']           = array('Debugmodus aktivieren', 'Bestimmte Laufzeitinformationen wie z.B. Datenbankabfragen auf dem Bildschirm ausgeben.');
 $GLOBALS['TL_LANG']['tl_settings']['bypassCache']         = array('Internen Cache umgehen', 'Die internen Cache-Dateien ignorieren (z.B. nützlich bei der Extension-Entwicklung).');
-$GLOBALS['TL_LANG']['tl_settings']['coreOnlyMode']        = array('Abgesicherter Modus', 'Contao im abgesicherten Modus betreiben und nur Core-Module laden.');
+$GLOBALS['TL_LANG']['tl_settings']['disableRefererCheck'] = array('Anfrage-Tokens deaktivieren', 'Das Anfrage-Token beim Absenden eines Formulars nicht prüfen. Warnung: potentielles Sicherheitsrisiko!');
 $GLOBALS['TL_LANG']['tl_settings']['displayErrors']       = array('Fehlermeldungen anzeigen', 'Fehlermeldungen auf dem Bildschirm ausgeben (nicht empfohlen für produktive Seiten).');
 $GLOBALS['TL_LANG']['tl_settings']['logErrors']           = array('Fehlermeldungen protokollieren', 'Fehlermeldungen in die Fehler-Logdatei (<em>system/logs/error.log</em>) schreiben.');
-$GLOBALS['TL_LANG']['tl_settings']['disableRefererCheck'] = array('Anfrage-Token deaktivieren', 'Das Anfrage-Token beim Absenden eines Formulars nicht prüfen. Warnung: potentielles Sicherheitsrisiko!');
+$GLOBALS['TL_LANG']['tl_settings']['coreOnlyMode']        = array('Abgesicherter Modus', 'Contao im abgesicherten Modus betreiben und nur Core-Module laden.');
 $GLOBALS['TL_LANG']['tl_settings']['disableIpCheck']      = array('IP-Prüfung deaktivieren', 'Benutzersitzungen nicht an IP-Adressen binden. Warnung: potentielles Sicherheitsrisiko!');
 $GLOBALS['TL_LANG']['tl_settings']['allowedDownload']     = array('Erlaubte Download-Dateitypen', 'Hier können Sie eine kommagetrennte Liste von Dateitypen eingeben, die über Contao heruntergeladen werden dürfen.');
 $GLOBALS['TL_LANG']['tl_settings']['validImageTypes']     = array('Unterstützte Bildformate', 'Hier können Sie eine kommagetrennte Liste von Dateitypen eingeben, die von der Bild-Klasse verarbeitet werden können.');
@@ -90,7 +90,7 @@
 $GLOBALS['TL_LANG']['tl_settings']['global_legend']   = 'Globale Einstellungen';
 $GLOBALS['TL_LANG']['tl_settings']['backend_legend']  = 'Backend-Einstellungen';
 $GLOBALS['TL_LANG']['tl_settings']['frontend_legend'] = 'Frontend-Einstellungen';
-$GLOBALS['TL_LANG']['tl_settings']['safemode_legend'] = 'Abgesicherter Modus';
+$GLOBALS['TL_LANG']['tl_settings']['sections_legend'] = 'Layoutbereiche';
 $GLOBALS['TL_LANG']['tl_settings']['privacy_legend']  = 'Datenschutz-Einstellungen';
 $GLOBALS['TL_LANG']['tl_settings']['security_legend'] = 'Sicherheitseinstellungen';
 $GLOBALS['TL_LANG']['tl_settings']['files_legend']    = 'Dateien und Bilder';

diff --git a/system/modules/core/languages/en/tl_settings.php b/system/modules/core/languages/en/tl_settings.php
@@ -42,11 +42,11 @@
 $GLOBALS['TL_LANG']['tl_settings']['allowedTags']         = array('Allowed HTML tags', 'Here you can enter a list of allowed HTML tags that will not be stripped.');
 $GLOBALS['TL_LANG']['tl_settings']['debugMode']           = array('Enable debug mode', 'Print certain runtime information like database queries to the screen.');
 $GLOBALS['TL_LANG']['tl_settings']['bypassCache']         = array('Bypass the internal cache', 'Do not use the internal cache files (e.g. useful when developing extensions).');
-$GLOBALS['TL_LANG']['tl_settings']['coreOnlyMode']        = array('Run in safe mode', 'Run Contao in safe mode and load only core modules.');
+$GLOBALS['TL_LANG']['tl_settings']['disableRefererCheck'] = array('Disable request tokens', 'Do not check the request token when a form is submitted. Attention: potential security risk!');
 $GLOBALS['TL_LANG']['tl_settings']['lockPeriod']          = array('Account locking time', 'An account will be locked if a wrong password is entered three times in a row.');
 $GLOBALS['TL_LANG']['tl_settings']['displayErrors']       = array('Display error messages', 'Print error messages to the screen (not recommended for productional sites).');
 $GLOBALS['TL_LANG']['tl_settings']['logErrors']           = array('Log error messages', 'Write error messages to the error log file (<em>system/logs/error.log</em>).');
-$GLOBALS['TL_LANG']['tl_settings']['disableRefererCheck'] = array('Disable request tokens', 'Do not check the request token when a form is submitted. Attention: potential security risk!');
+$GLOBALS['TL_LANG']['tl_settings']['coreOnlyMode']        = array('Run in safe mode', 'Run Contao in safe mode and load only core modules.');
 $GLOBALS['TL_LANG']['tl_settings']['disableIpCheck']      = array('Disable IP check', 'Do not bind sessions to IP addresses. Choosing this option is a potential security risk!');
 $GLOBALS['TL_LANG']['tl_settings']['allowedDownload']     = array('Download file types', 'Here you can enter a comma separated list of downloadable file types.');
 $GLOBALS['TL_LANG']['tl_settings']['validImageTypes']     = array('Image file types', 'Here you can enter a comma separated list of file types that can be handled by the image class.');
@@ -90,7 +90,7 @@
 $GLOBALS['TL_LANG']['tl_settings']['global_legend']   = 'Global configuration';
 $GLOBALS['TL_LANG']['tl_settings']['backend_legend']  = 'Back end configuration';
 $GLOBALS['TL_LANG']['tl_settings']['frontend_legend'] = 'Front end configuration';
-$GLOBALS['TL_LANG']['tl_settings']['safemode_legend'] = 'Safe mode';
+$GLOBALS['TL_LANG']['tl_settings']['sections_legend'] = 'Layout sections';
 $GLOBALS['TL_LANG']['tl_settings']['privacy_legend']  = 'Privacy settings';
 $GLOBALS['TL_LANG']['tl_settings']['security_legend'] = 'Security settings';
 $GLOBALS['TL_LANG']['tl_settings']['files_legend']    = 'Files and images';