diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index d849c8d1bb9..09759b80952 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -72,17 +72,16 @@ function session_auth(&$Login_Error)
         closelog();
     }
 
-    // Handle HTTPS httponly and secure flags
-    $currentCookieParams = session_get_cookie_params();
-    session_set_cookie_params(
-        $currentCookieParams["lifetime"],
-        $currentCookieParams["path"],
-        null,
-        ($config['system']['webgui']['protocol'] == "https"),
-        true
-    );
-
     if (session_status() == PHP_SESSION_NONE) {
+        // Handle HTTPS httponly and secure flags
+        $currentCookieParams = session_get_cookie_params();
+        session_set_cookie_params(
+            $currentCookieParams["lifetime"],
+            $currentCookieParams["path"],
+            null,
+            ($config['system']['webgui']['protocol'] == "https"),
+            true
+        );
         session_start();
     }
 
diff --git a/src/opnsense/mvc/app/config/services.php b/src/opnsense/mvc/app/config/services.php
index cfef07a93b7..7578b06674c 100644
--- a/src/opnsense/mvc/app/config/services.php
+++ b/src/opnsense/mvc/app/config/services.php
@@ -5,7 +5,8 @@
 use Phalcon\Mvc\Url as UrlResolver;
 use Phalcon\Mvc\View\Engine\Volt as VoltEngine;
 use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
-use Phalcon\Session\Adapter\Files as SessionAdapter;
+use Phalcon\Session\Manager;
+use Phalcon\Session\Adapter\Stream;
 use OPNsense\Core\Config;
 use OPNsense\Core\Routing;
 
@@ -75,7 +76,9 @@
  * Start the session the first time some component request the session service
  */
 $di->setShared('session', function () {
-    $session = new SessionAdapter();
+    $session = new Manager();
+    $files = new Stream();
+    $session->setAdapter($files);
     $session->start();
     // Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
     // a valid choice.
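Review bot: The Secure flag still hinges on `$config['system']['webgui']['protocol']`, and session_auth()'s opening lines are outside this hunk, so I cannot see whether `$config` is brought in with `global $config`; if it is not, the comparison runs against null and the cookie goes out without Secure on HTTPS deployments. Moving the call inside the `PHP_SESSION_NONE` branch also means the flags are only applied by whichever caller starts the session first, so every other `session_start()` path has to set the same parameters itself. If the target PHP is 7.3 or newer, the array form lets you add SameSite in the same call: `session_set_cookie_params(['lifetime' => $currentCookieParams['lifetime'], 'path' => $currentCookieParams['path'], 'secure' => ($config['system']['webgui']['protocol'] == 'https'), 'httponly' => true, 'samesite' => 'Lax']);`.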
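Review bot: `new Stream()` in the session service is built without options, so the adapter's save location comes from PHP's `session.save_path` ini value (as far as I recall Phalcon 4's Stream adapter, it throws when that value is empty), an implicit deployment dependency the old `Files` adapter hid; pinning it, `$files = new Stream(['savePath' => ini_get('session.save_path')]);` or a dedicated directory, makes the dependency visible and testable. The same closure is duplicated verbatim in services_api.php in this commit, so a shared factory would keep the two from drifting. The closure continues past this hunk, so I cannot see where the cookie flags mentioned in the trailing comment are applied.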
@@ -97,6 +100,6 @@
  */
 $di->set('router', function () use ($config) {
     $routing = new Routing($config->application->controllersDir, "ui");
-    $routing->getRouter()->handle();
+    $routing->getRouter()->handle($_SERVER['REQUEST_URI']);
     return $routing->getRouter();
 });
diff --git a/src/opnsense/mvc/app/config/services_api.php b/src/opnsense/mvc/app/config/services_api.php
index db69dcca78c..23d6cadd4ef 100644
--- a/src/opnsense/mvc/app/config/services_api.php
+++ b/src/opnsense/mvc/app/config/services_api.php
@@ -31,7 +31,8 @@
 use Phalcon\Mvc\Url as UrlResolver;
 use Phalcon\Mvc\View;
 use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
-use Phalcon\Session\Adapter\Files as SessionAdapter;
+use Phalcon\Session\Manager;
+use Phalcon\Session\Adapter\Stream;
 use OPNsense\Core\Config;
 use OPNsense\Core\Routing;
 
@@ -63,7 +64,9 @@
  * Start the session the first time some component request the session service
  */
 $di->setShared('session', function () {
-    $session = new SessionAdapter();
+    $session = new Manager();
+    $files = new Stream();
+    $session->setAdapter($files);
     $session->start();
     // Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
     // a valid choice.
@@ -84,7 +87,7 @@
  */
 $di->set('router', function () use ($config) {
     $routing = new Routing($config->application->controllersDir, "api");
-    $routing->getRouter()->handle();
+    $routing->getRouter()->handle($_SERVER['REQUEST_URI']);
     return $routing->getRouter();
 });
 
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
index 345f38e88be..ce9ea7a2102 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
@@ -30,6 +30,7 @@
 use OPNsense\Core\Config;
 use Phalcon\Mvc\Controller;
+use Phalcon\Logger;
 use Phalcon\Logger\Adapter\Syslog;
 use OPNsense\Core\ACL;
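Review bot: `handle($_SERVER['REQUEST_URI'])` now feeds the raw request URI, query string included, into the router, whereas the removed `URI_SOURCE_SERVER_REQUEST_URI` source (see the Routing.php hunk) split on `?` before matching, as I read Phalcon 3's getRewriteUri(); unless Phalcon 4's `Router::handle()` strips the query string itself, a catch-all `:params` route would now receive `?foo=bar` as part of its last parameter. Passing only the path side-steps the question: `$routing->getRouter()->handle(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));`. The identical call in services_api.php's router service in this same commit needs the same treatment.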
@@ -44,6 +45,12 @@ class ControllerRoot extends Controller
      */
     public $translator;
 
+
+    /**
+     * log handle
+     */
+    protected $logger = null;
+
     /**
      * @var null|string logged in username, populated during authentication
      */
@@ -98,12 +105,18 @@ protected function setLang()
      */
     protected function getLogger($ident = "api")
     {
-        $logger = new Syslog($ident, array(
-            'option' => LOG_PID,
-            'facility' => LOG_LOCAL4
-        ));
-
-        return $logger;
+        if ($this->logger == null) {
+            $this->logger = new Logger(
+                'messages',
+                [
+                    'main' => new Syslog($ident, array(
+                        'option' => LOG_PID,
+                        'facility' => LOG_LOCAL4
+                    ))
+                ]
+            );
+        }
+        return $this->logger;
     }
 
     /**
diff --git a/src/opnsense/mvc/app/library/OPNsense/Core/Routing.php b/src/opnsense/mvc/app/library/OPNsense/Core/Routing.php
index e1189363793..e23bbc1ae19 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Core/Routing.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Core/Routing.php
@@ -173,9 +173,6 @@ private function setup()
                 }
             }
         }
-        $this->router->setUriSource(
-            Router::URI_SOURCE_SERVER_REQUEST_URI
-        );
         $this->router->removeExtraSlashes(true);
     }
 }
diff --git a/src/www/csrf.inc b/src/www/csrf.inc
index 0f927e6320e..05e781e959e 100644
--- a/src/www/csrf.inc
+++ b/src/www/csrf.inc
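Review bot: The new cache in getLogger() ignores `$ident` after the first call: `$this->logger` is created with whatever ident the first caller passed, and every later `getLogger('something-else')` on the same controller gets that same syslog handle, so those messages are tagged with the wrong ident. Either document the first-wins behaviour on the `log handle` property (e.g. `@var Logger|null syslog logger, built once with the ident of the first getLogger() call`), or key the cache by ident: `protected $loggers = [];`, `if (!isset($this->loggers[$ident])) { $this->loggers[$ident] = new Logger('messages', ['main' => new Syslog($ident, ['option' => LOG_PID, 'facility' => LOG_LOCAL4])]); }`, `return $this->loggers[$ident];`. Prefer `=== null` over `== null` for the guard either way. The enclosing class continues past this hunk.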
@@ -33,37 +33,36 @@ class LegacyCSRF
     private $session = null;
     private $is_html_output = false;
     public function __construct()
-    {
-        $this->di = new \Phalcon\DI\FactoryDefault();
-        $this->security = new Phalcon\Security();
-        $this->security->setDi($this->di);
-        // register rewrite handler
-        ob_start(array($this,'csrfRewriteHandler'), 5242880);
-    }
-
-    private function Session()
     {
         global $config;
-        if ($this->session == null) {
-            $this->session = new Phalcon\Session\Adapter\Files();
-            $this->session->start();
+        // register rewrite handler
+        if (session_status() == PHP_SESSION_NONE) {
+            // Handle HTTPS httponly and secure flags
+            $currentCookieParams = session_get_cookie_params();
+            session_set_cookie_params(
+                $currentCookieParams["lifetime"],
+                $currentCookieParams["path"],
+                null,
+                ($config['system']['webgui']['protocol'] == "https"),
+                true
+            );
+            session_start();
             $secure = $config['system']['webgui']['protocol'] == 'https';
             setcookie(session_name(), session_id(), null, '/', null, $secure, true);
-            $this->di->setShared('session', $this->session);
         }
+        ob_start(array($this,'csrfRewriteHandler'), 5242880);
     }
 
     public function checkToken()
     {
         $result = false; // default, not valid
-        $this->Session();
         $securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
         if (empty($_POST[$securityTokenKey])) {
             if (!empty($_SERVER['HTTP_X_CSRFTOKEN'])) {
-                $result = $this->security->checkToken(null, $_SERVER['HTTP_X_CSRFTOKEN'], false);
+                $result = $_SERVER['HTTP_X_CSRFTOKEN'] == $_SESSION['$PHALCON/CSRF$'];
             }
         } else {
-            $result = $this->security->checkToken($securityTokenKey, $_POST[$securityTokenKey], false);
+            $result = $_POST[$securityTokenKey] == $_SESSION['$PHALCON/CSRF$'];
         }
         // close session after validation
         session_write_close();
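Review bot: The two replacement comparisons `$_SERVER['HTTP_X_CSRFTOKEN'] == $_SESSION['$PHALCON/CSRF$']` and `$_POST[$securityTokenKey] == $_SESSION['$PHALCON/CSRF$']` use loose, non-constant-time `==`, where the removed `Security::checkToken()` call, as far as I recall Phalcon 3, compared with `hash_equals()`; PHP's `==` also applies numeric-string juggling and silently returns false for array-shaped `$_POST` values instead of rejecting them explicitly. Use `hash_equals()` with the session value as the known string, guard the input type, and make the no-token-in-session case explicit rather than rely on an undefined-index fallthrough: `$result = !empty($_SESSION['$PHALCON/CSRF$']) && hash_equals($_SESSION['$PHALCON/CSRF$'], $_SERVER['HTTP_X_CSRFTOKEN']);` and `$result = !empty($_SESSION['$PHALCON/CSRF$']) && is_string($_POST[$securityTokenKey]) && hash_equals($_SESSION['$PHALCON/CSRF$'], $_POST[$securityTokenKey]);`. The cookie-parameter block added to __construct() is a copy of the one in authgui.inc from this same commit; a shared helper would keep the Secure/HttpOnly decision in one place. checkToken() continues past the end of this hunk.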
@@ -72,15 +71,13 @@ class LegacyCSRF
 
     private function newToken()
     {
-        $this->Session();
+        $random = new \Phalcon\Security\Random();
         // only request new token when session has none
-        $securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
-        $securityToken = $_SESSION['$PHALCON/CSRF$'];
-        if (empty($securityToken) || empty($securityTokenKey)) {
-            $securityToken = $this->security->getToken();
-            $securityTokenKey = $this->security->getTokenKey();
+        if (empty($_SESSION['$PHALCON/CSRF/KEY$']) || empty($_SESSION['$PHALCON/CSRF$'])) {
+            $_SESSION['$PHALCON/CSRF$'] = $random->base64Safe(16);
+            $_SESSION['$PHALCON/CSRF/KEY$'] = $random->base64Safe(16);
         }
-        return array('token'=>$securityToken, 'key' => $securityTokenKey);
+        return array('token' => $_SESSION['$PHALCON/CSRF$'], 'key' => $_SESSION['$PHALCON/CSRF/KEY$']);
     }
 
     public function csrfRewriteHandler($buffer)
@@ -113,6 +110,7 @@ class LegacyCSRF
 
 $LegacyCSRFObject = new LegacyCSRF();
 
+
 if ($_SERVER['REQUEST_METHOD'] !== 'GET' && !$LegacyCSRFObject->checkToken()) {
     header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
     echo sprintf("%s
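Review bot: newToken() now writes the freshly generated pair straight into `$_SESSION`, but nothing in this method guarantees the session is still open for writing: checkToken() ends with `session_write_close()` (visible in the previous hunk), so if csrfRewriteHandler() reaches newToken() after that on a request whose session has no token yet, the new values are used for the response but never persisted, and the next POST fails validation. I cannot see the caller order from here; if that path exists, a guard at the top, `if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }`, keeps the write durable. The generation itself (`base64Safe(16)`, presumably 16 random bytes per value from Phalcon's CSPRNG-backed Random) is fine; a short docblock stating that the token and key are created once per session and reused until the session ends would help the next reader.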