Lots of things ;-) #6

Merged
merged 46 commits into from Nov 14, 2018
46 commits
814080d add Bootstrap files (May 31, 2015)
33ed0f5 change design (May 31, 2015)
592cd7d allow displaying all rows (May 31, 2015)
3ec0476 add jquery (May 31, 2015)
8c5f19f improve table design (May 31, 2015)
39c4269 improve search by first letter; auto-focus username in login field (Jun 12, 2015)
5317200 remove unauthenticated phpInfo (Jul 28, 2015)
f24d1e2 replace Pear JSON class with PHP built-in json_* methods (Jul 28, 2015)
02b47c3 return only associative arrays from database, not combined with colum… (Jul 28, 2015)
c6d95cb return proper Content-Type for JSON responses (Jul 28, 2015)
eb306f4 sort records in a nice way (Jul 28, 2015)
2f2d139 add support for U2F two factor auth (Oct 13, 2018)
19b4a84 better sort order (Oct 13, 2018)
c25f6eb preserve soa values (Oct 13, 2018)
16e469d css and markup changes (Oct 13, 2018)
69cbe09 whitespace changes (Oct 13, 2018)
f284b86 fixes in freshdns.js (Oct 13, 2018)
cd8a577 fix header links (Oct 13, 2018)
4dcb114 fix user edit for non-u2f users (Oct 13, 2018)
6f7e6d8 use PDO for database connection; use prepared statements everywhere (Oct 13, 2018)
129eb5f use createModel for user creation (Oct 13, 2018)
92ba3b9 refactor database reads (Nov 7, 2018)
8d56b33 rename fetch_array to fetch_row to make difference to fetch_all clearer (Nov 7, 2018)
f00f354 refactor error messages (Nov 7, 2018)
6332a01 fix creating domains (Nov 7, 2018)
150fa10 use database transactions for domain creating (Nov 7, 2018)
7b0c225 simplify error handling - DB class throws exception in case of problem (Nov 7, 2018)
8751c7c use POST for dangerous requests (Nov 7, 2018)
a304c0f enable more persistent urls (Nov 7, 2018)
06ffd96 refactor API post requests (Nov 7, 2018)
bdeff81 security: add protection against XSRF (Cross Site Request Forgery) on… (Nov 7, 2018)
48b5ca8 protect against persistent XSS by other users (Nov 7, 2018)
0e3e0ee refactor api GET requests (Nov 7, 2018)
14b96e3 remove prototype.js (Nov 7, 2018)
54ea21d refactor error handling (Nov 7, 2018)
f00e9fd use closures for callbacks (Nov 7, 2018)
0dd92a2 regenerate XSRF token on login to prevent session fixation (Nov 7, 2018)
75110d5 refactor javascript; don't show error on save all records when no cha… (Nov 7, 2018)
ffa5a56 exit after json exception output (Nov 7, 2018)
dd1d421 some messages (Nov 7, 2018)
ab95eac use secure password hashing algorithm (Nov 7, 2018)
c7cb42c refactoring (Nov 7, 2018)
98c8c22 consolidate white-space, file endings (Nov 7, 2018)
4c62e34 remove unused code (Nov 7, 2018)
782b922 db change for longer password hashes (Nov 7, 2018)
eddf09d fix some bugs (Nov 7, 2018)
security: add protection against XSRF (Cross Site Request Forgery) on all POST requests
Max committed Nov 7, 2018
commit bdeff81bd4baff9463d46b90fb1889e7ac7ec4ed
19 changes: 17 additions & 2 deletions class/class.login.php
@@ -2,13 +2,28 @@
class login
{
private $database;

public $token;

function __construct ($database)
{
if (session_id() == "") session_start();

if (empty($_SESSION['token'])) {
if (function_exists('mcrypt_create_iv')) {
$_SESSION['token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
} else {
$_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
}
}

$this->database = $database;
}

function xsrfCheck() {
if ($_POST['xsrf_token'] !== $_SESSION['token']) {
http_response_code(403);
throw new Exception("XSRF Token missing or mismatch");
}
}

function isLoggedIn ()
{
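Review bot: `xsrfCheck()` reads `$_POST['xsrf_token']` without checking that the field exists and compares it with `!==`, so a request with no token field raises a PHP notice before the exception is thrown, and the comparison is not constant-time. Suggest `if (!isset($_POST['xsrf_token']) || !hash_equals($_SESSION['token'], $_POST['xsrf_token']))`. In the constructor, `mcrypt_create_iv` is deprecated since PHP 7.1 and removed in 7.2, and the `openssl_random_pseudo_bytes` fallback ignores its `$crypto_strong` out parameter; `random_bytes(32)` (PHP 7+) covers both cases with a guaranteed CSPRNG. Note also that the token is minted here before any login, so it is carried over from the unauthenticated session into the authenticated one; commit 0dd92a2 later in this PR ("regenerate XSRF token on login to prevent session fixation") addresses that.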
9 changes: 9 additions & 0 deletions index.php
@@ -22,6 +22,15 @@
exit;
}

if (count($_POST)) {
try {
$login->xsrfCheck();
} catch(Exception $ex) {
$json->print_exception($ex);
exit;
}
}

if(!$login->isLoggedIn())
// THE USER IS NOT LOGGED IN
{
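Review bot: `if (count($_POST))` only runs the check when the POST body decoded into at least one form field, so a POST request with an empty or non-form-encoded body skips `xsrfCheck()` entirely, which does not match the commit message's "all POST requests". Suggest keying on the method instead: `if ($_SERVER['REQUEST_METHOD'] === 'POST') {`. Placing the check before `isLoggedIn()` is the right choice, since the login form's own POST is then covered too, provided the login template also includes the token.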
1 change: 1 addition & 0 deletions js/freshdns.js
@@ -36,6 +36,7 @@ function updateHash(hash) {
}

function apiPost(functionCall, postParameters, callbackFunction) {
postParameters['xsrf_token'] = window.xsrf_token;
new Ajax.Request(baseurl+"?p="+encodeURIComponent(functionCall),
{
method:"post",
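Review bot: `postParameters['xsrf_token'] = window.xsrf_token;` mutates the caller's object and throws a TypeError if a caller passes `null` or `undefined` for `postParameters`; building a fresh object (for example `var params = Object.assign({}, postParameters || {}, {xsrf_token: window.xsrf_token});`) avoids both. If `window.xsrf_token` is unset because a page does not include `header.tpl.php`, the request goes out without a usable token and is rejected with a 403, which is the safe failure but worth a `console.warn` so it is not mistaken for a server fault. This also sits inside the prototype.js `Ajax.Request` call that commit 14b96e3 ("remove prototype.js") later in this PR replaces, so the token injection needs to be carried over to the replacement transport.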
1 change: 1 addition & 0 deletions templates/header.tpl.php
@@ -13,6 +13,7 @@
<?php
echo "var userlevel='".$_SESSION['level']."';\n";
echo "var myUserId='".$_SESSION['userId']."';\n";
echo "var xsrf_token='".$_SESSION['token']."';\n";
?>
</script>
<link rel="stylesheet" href="vendor/bootstrap/css/bootstrap.min.css">
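Review bot: the three `echo` lines build JavaScript string literals by concatenating session values straight into the inline script, so any value containing a quote or `</script>` would break out of the string context. The new token is hex output from `bin2hex` and safe by construction, but `level` and `userId` are not constrained here; emitting all three with `json_encode()` (for example `echo "var xsrf_token=".json_encode($_SESSION['token']).";\n";`) keeps the template correct regardless of the values, since `json_encode` also escapes `/`. A second point: because this header is included on every page, the session token is readable by any script on the page; that is the normal synchronizer-token pattern and fine as long as the persistent-XSS fix in commit 48b5ca8 holds, so the two commits should be reviewed together.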