Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Minor security patches
  • Loading branch information
kestasjk committed Jul 23, 2021
1 parent 114457c commit e1b8730
Show file tree
Hide file tree
Showing 4 changed files with 52 additions and 2 deletions.
37 changes: 37 additions & 0 deletions lib/auth.php
Expand Up @@ -104,6 +104,43 @@ public static function gamemasterToken($gameID)
return $gameID.'_'.$time.'_'.self::gamemasterToken_Key($gameID,$time);
}

// Functions which can be used to prove that a form being submitted was generated by the server, and not
// by an attacker who might trick a user into loading a page that submits malicious data to a webDiplomacy form
// and have it successfully submit from that user. Reported by @ranjit-git
// Checks $_REQUEST['formToken']
public static function formToken_Valid()
{
if( !isset($_REQUEST['formToken'])
{
throw new Exception(l_t('No form token provided; form cannot be processed.'));
}
$formToken = $_REQUEST['formToken'];
$token = explode('_',$formToken);
if( count($token) != 2 )
throw new Exception(l_t('Corrupt form token %s',$formToken));

list($time, $hash) = $token;
if ( self::formToken_Key($time) != $hash )
throw new Exception(l_t('Invalid form token %s',$formToken));

if ( (time()-$time)>60*60 )
throw new Exception(l_t('Form token %s expired (%s), over an hour old. Please resubmit.',$formToken,time()));
}
private static function formToken_Key($time)
{
return md5($time.Config::$secret);
}
private static $formToken_cached = false;
public static function formTokenHTML()
{
if( $formToken_cached === false )
{
$time=time();
$formToken_cached = '<input type="hidden" name="formToken" value="'.$time.'_'.self::formToken_Key($time).'" />';
}
return $formToken_cached; // One token per page is fine
}

/**
* Return a URL allowing the user to validate a given e-mail.
* emailToken is the name used, and additional GET vars can be added
Expand Down
5 changes: 3 additions & 2 deletions locales/English/user.php
Expand Up @@ -170,8 +170,9 @@
*/
print '</ul>
<p><input type="submit" class="green-Submit" value="Update"></p>
</form>
<p><input type="submit" class="green-Submit" value="Update"></p>';
print libAuth::formTokenHTML();
print '</form>
</div>';

?>
8 changes: 8 additions & 0 deletions logon.php
Expand Up @@ -58,6 +58,14 @@
"<a href='logon.php?forgotPassword=1' class='light'>go back</a> and check your spelling."));
}

if( $MC->get('forgot_'+$forgottenUser->id) !== false )
{
throw new Exception(l_t("To help prevent abuse please wait 5 minutes before resending forgotten e-mail recovery links. ".
"In the meantime please check your spam folder for a missing recovery e-mail, or contact the moderator team."));
}

$MC->set('forgot_'+$forgottenUser->id, 5*60); // Set a flag preventing resends for 5 minutes

require_once(l_r('objects/mailer.php'));
$Mailer = new Mailer();
$Mailer->Send(array($forgottenUser->email=>$forgottenUser->username), l_t('webDiplomacy forgotten password verification link'),
Expand Down
4 changes: 4 additions & 0 deletions usercp.php
Expand Up @@ -39,6 +39,8 @@

if ( isset($_REQUEST['emailToken']))
{
libAuth::formToken_Valid();

if( !($email = libAuth::emailToken_email($_REQUEST['emailToken'])) )
libHTML::notice(l_t("Email change validation"), l_t("A bad email token was given, please check the validation link try again"));

Expand All @@ -56,6 +58,8 @@

if ( isset($_REQUEST['userForm']) )
{
libAuth::formToken_Valid();

$formOutput = '';

try
Expand Down

0 comments on commit e1b8730

Please sign in to comment.