
Commit 4f18296

phoromatic: Some additional input sanitization and starting on some CSRF token handling
1 parent 772bb93 commit 4f18296

8 files changed

+26
-12
lines changed

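--- a/pts-core/objects/pts_strings.php
+++ b/pts-core/objects/pts_strings.php
@@ -785,7 +785,7 @@ public static function sanitize($input)
 }
 public static function simple($input)
 {
-return empty($str) ? '' : pts_strings::keep_in_string($input, pts_strings::CHAR_LETTER | pts_strings::CHAR_NUMERIC | pts_strings::CHAR_DASH | pts_strings::CHAR_DECIMAL | pts_strings::CHAR_SPACE | pts_strings::CHAR_UNDERSCORE | pts_strings::CHAR_COMMA | pts_strings::CHAR_AT | pts_strings::CHAR_COLON);
+return empty($input) ? '' : pts_strings::keep_in_string($input, pts_strings::CHAR_LETTER | pts_strings::CHAR_NUMERIC | pts_strings::CHAR_DASH | pts_strings::CHAR_DECIMAL | pts_strings::CHAR_SPACE | pts_strings::CHAR_UNDERSCORE | pts_strings::CHAR_COMMA | pts_strings::CHAR_AT | pts_strings::CHAR_COLON);
 }
 }
 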
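Review bot: `empty($input)` on the new line 788 is true not only for null and `''` but also for the string `'0'`, so `simple('0')` returns `''` instead of `'0'` — an odd result for a character whitelist filter, and a case the old `$str` typo merely hid. Replace `empty($input)` with `$input === null || $input === ''` so only genuinely absent input short-circuits. The enclosing pts_strings class continues outside the hunk.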

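--- a/pts-core/phoromatic/pages/phoromatic_local_suites.php
+++ b/pts-core/phoromatic/pages/phoromatic_local_suites.php
@@ -39,7 +39,7 @@ public static function render_page_process($PATH)
 $suite_dir = phoromatic_server::phoromatic_account_suite_path($_SESSION['AccountID']);
 $main = '<h1>Local Suites</h1><p>These are test suites created by you or another account within your group. Suites are an easy collection of test profiles. New suits can be trivially made via the <a href="/?build_suite">build suite</a> page.</p>';
 
-if(!PHOROMATIC_USER_IS_VIEWER && isset($PATH[0]) && $PATH[0] == 'delete')
+if(!PHOROMATIC_USER_IS_VIEWER && isset($PATH[0]) && $PATH[0] == 'delete' && verify_submission_token())
 {
 foreach(explode(',', $PATH[1]) as $id)
 {
@@ -64,7 +64,7 @@ public static function render_page_process($PATH)
 $main .= '<p><em>' . pts_strings::sanitize($test_suite->get_description()) . '</em></p>';
 if(!PHOROMATIC_USER_IS_VIEWER)
 {
-$main .= '<p><a href="?build_suite/' . $id . '">Edit Suite</a> - <a href="?local_suites/delete/' . $id . '">Delete Suite</a></p>';
+$main .= '<p><a href="?build_suite/' . $id . '">Edit Suite</a> - <a href="?local_suites/delete/' . $id . append_token_to_url() . '">Delete Suite</a></p>';
 }
 $main .= '<div style="max-height: 400px; width: 80%; overflow-y: scroll;">';
 $test_suite->sort_contained_tests();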
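Review bot: The delete on line 42 is still dispatched from a plain GET link (line 67) with the session token appended to the URL, so the token lands in browser history, proxy and server access logs, and the Referer header of any outbound link on the resulting page; the same applies to the activate/deactivate links in phoromatic_schedules.php. A state-changing action is better issued from a small POST form carrying `write_token_in_form()`, which keeps the token out of URLs entirely. Note also that `append_token_to_url()` yields `/&token_submit=…`, so the href becomes `?local_suites/delete/ID/&token_submit=…` — whether the router strips the trailing `/&` before `$PATH[1]` is split on line 44 is not visible here and is worth confirming. `$id` is interpolated into the href on line 67 without `htmlspecialchars()`/`urlencode()`; its origin is outside the hunk, so escape it unless it is known to be a plain identifier. render_page_process continues outside both hunks.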

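--- a/pts-core/phoromatic/pages/phoromatic_schedules.php
+++ b/pts-core/phoromatic/pages/phoromatic_schedules.php
@@ -123,7 +123,7 @@ public static function render_page_process($PATH)
 else if(isset($PATH[1]) && $PATH[1] == 'delete-trigger' && !empty($PATH[2]))
 {
 // REMOVE TRIGGER
-$trigger = base64_decode($PATH[2]);
+$trigger = pts_strings::sanitize(base64_decode($PATH[2]));
 $stmt = phoromatic_server::$db->prepare('DELETE FROM phoromatic_schedules_triggers WHERE AccountID = :account_id AND Trigger = :trigger AND ScheduleID = :schedule_id');
 $stmt->bindValue(':account_id', $_SESSION['AccountID']);
 $stmt->bindValue(':schedule_id', $PATH[0]);
@@ -132,7 +132,7 @@ public static function render_page_process($PATH)
 if($result)
 $main .= '<h2 style="color: red;">Trigger Removed: ' . $trigger . '</h2>';
 }
-else if(isset($PATH[1]) && in_array($PATH[1], array('activate', 'deactivate')))
+else if(isset($PATH[1]) && in_array($PATH[1], array('activate', 'deactivate')) && verify_submission_token())
 {
 switch($PATH[1])
 {
@@ -201,11 +201,11 @@ public static function render_page_process($PATH)
 
 if($row['State'] == 1)
 {
-$main .= '<a href="?schedules/' . $PATH[0] . '/deactivate">Deactivate Schedule</a>';
+$main .= '<a href="?schedules/' . $PATH[0] . '/deactivate' . append_token_to_url() . '">Deactivate Schedule</a>';
 }
 else
 {
-$main .= '<a href="?schedules/' . $PATH[0] . '/activate">Activate Schedule</a>';
+$main .= '<a href="?schedules/' . $PATH[0] . '/activate' . append_token_to_url() . '">Activate Schedule</a>';
 }
 
 $main .= '</p>';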
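Review bot: The `delete-trigger` branch on line 123 deletes a row but, unlike the `activate`/`deactivate` branch on line 135, receives no `verify_submission_token()` check in this commit, so it remains reachable from a crafted link. Add `&& verify_submission_token()` to that condition and append the token to wherever the delete-trigger link is built (outside this hunk). Separately, line 133 echoes `$trigger` into HTML relying on `pts_strings::sanitize` for escaping; that function is defined outside this diff, so if it only filters characters rather than HTML-encoding, keep `htmlspecialchars($trigger)` at the output site. render_page_process continues outside all three hunks.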

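--- a/pts-core/phoromatic/pages/phoromatic_users.php
+++ b/pts-core/phoromatic/pages/phoromatic_users.php
@@ -42,7 +42,7 @@ public static function render_page_process($PATH)
 return;
 }
 
-if(isset($_POST['group_name']))
+if(isset($_POST['group_name']) && verify_submission_token())
 {
 phoromatic_quit_if_invalid_input_found(array('group_name'));
 $stmt = phoromatic_server::$db->prepare('UPDATE phoromatic_accounts SET GroupName = :group_name WHERE AccountID = :account_id');
@@ -242,7 +242,7 @@ public static function render_page_process($PATH)
 </form>';
 
 $group_name = phoromatic_server::account_id_to_group_name($_SESSION['AccountID']);
-$main .= '<hr /><form action="' . $_SERVER['REQUEST_URI'] . '" name="group_name" id="group_name" method="post"><h2>Group Name</h2>
+$main .= '<hr /><form action="' . $_SERVER['REQUEST_URI'] . '" name="group_name" id="group_name" method="post"><h2>Group Name</h2>' . write_token_in_form() . '
 <p>A group name is an alternative, user-facing name for this set of accounts. The group name feature is primarily useful for being able to better distinguish results between groups when sharing of data within a large organization, etc. The group name is showed next to test results when viewing results from multiple groups/accounts.</p>
 <h3>Group Name</h3>
 <p><input type="text" name="group_name" value="' . $group_name . '" /></p>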
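Review bot: Line 245 still places `$_SERVER['REQUEST_URI']` into the form's action attribute unescaped; the request URI is caller-controlled, so it should be `htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8')` (or the form can post to a fixed relative path). Line 248 likewise emits `$group_name` into a value attribute without `htmlspecialchars()`; it is stored user input, so escape it at output. The new check on line 45 silently falls through to rendering the page when the token is missing or stale, so a rejected submission looks like success to the user — consider surfacing an error message there. render_page_process continues outside both hunks.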

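--- a/pts-core/phoromatic/pages/phoromatic_welcome.php
+++ b/pts-core/phoromatic/pages/phoromatic_welcome.php
@@ -130,6 +130,7 @@ public static function render_page_process($PATH)
 $_SESSION['AccountID'] = $account_id;
 $_SESSION['AdminLevel'] = $admin_level;
 $_SESSION['CreatedOn'] = $created_on;
+$_SESSION['Token'] = sha1($account_salt . (function_exists('random_bytes') ? bin2hex(random_bytes(32)) : rand()) . PTS_CORE_VERSION . time());
 $_SESSION['CoreVersionOnSignOn'] = PTS_CORE_VERSION;
 $account_salt = phoromatic_server::$db->exec('UPDATE phoromatic_users SET LastIP = \'' . $_SERVER['REMOTE_ADDR'] . '\', LastLogin = \'' . phoromatic_server::current_time() . '\' WHERE UserName = "' . $matching_user['UserName'] . '"');
 session_write_close();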
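Review bot: The token on line 133 falls back to `rand()` when `random_bytes()` is missing, and `rand()` is not a CSPRNG — combined with the salt, version and `time()` the token becomes guessable on such a runtime, and the `sha1()` wrapper adds no entropy. Since the token only needs to be unpredictable, make it `$_SESSION['Token'] = bin2hex(random_bytes(32));` and let an environment without `random_bytes()` fail loudly rather than degrade. Line 134, a context line, overwrites `$account_salt` with the `exec()` return value and builds the UPDATE by string concatenation, unlike the prepared statements elsewhere in this commit; it predates the change but is worth converting to bound parameters. render_page_process continues outside the hunk.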

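--- a/pts-core/phoromatic/phoromatic_functions.php
+++ b/pts-core/phoromatic/phoromatic_functions.php
@@ -523,6 +523,18 @@ function phoromatic_oldest_result_for_schedule($schedule_id)
 
 return $old_time[$schedule_id];
 }
+function write_token_in_form()
+{
+return '<input type="hidden" name="token_submit" value="' . $_SESSION['Token'] . '" />';
+}
+function append_token_to_url()
+{
+return '/&token_submit=' . $_SESSION['Token'];
+}
+function verify_submission_token()
+{
+return isset($_REQUEST['token_submit']) && $_REQUEST['token_submit'] == $_SESSION['Token'];
+}
 function create_new_phoromatic_account($register_username, $register_password, $register_password_confirm, $register_email, $seed_accountid = null)
 {
 // REGISTER NEW USER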
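Review bot: `verify_submission_token()` on line 536 compares with `==` and reads `$_SESSION['Token']` without checking it exists; for a session established before this change (the token is only set at sign-on in phoromatic_welcome.php) the session value is null, and `'' == null` is true in PHP, so the check does not fail closed. Make it `return isset($_SESSION['Token'], $_REQUEST['token_submit']) && is_string($_REQUEST['token_submit']) && hash_equals($_SESSION['Token'], $_REQUEST['token_submit']);` — a strict, constant-time comparison that rejects a missing session token. `$_REQUEST` also accepts the value from whichever sources `request_order` merges, so reading `$_POST`/`$_GET` explicitly is clearer. `append_token_to_url()` on line 532 returns `/&token_submit=`; the leading `/&` looks like a typo for `&` and should be checked against how the router splits `$PATH`.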

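--- a/pts-core/phoromatic/public_html/event.php
+++ b/pts-core/phoromatic/public_html/event.php
@@ -85,15 +85,16 @@
 }
 }
 
+$trigger = pts_strings::sanitize($_GET['trigger']);
 $stmt = phoromatic_server::$db->prepare('INSERT INTO phoromatic_schedules_triggers (AccountID, ScheduleID, Trigger, TriggeredOn, SubTarget) VALUES (:account_id, :schedule_id, :trigger, :triggered_on, :sub_target)');
 $stmt->bindValue(':account_id', $user_row['AccountID']);
 $stmt->bindValue(':schedule_id', $schedule_row['ScheduleID']);
-$stmt->bindValue(':trigger', $_GET['trigger']);
+$stmt->bindValue(':trigger', $trigger);
 $stmt->bindValue(':triggered_on', phoromatic_server::current_time());
 $stmt->bindValue(':sub_target', $sub_target);
 if($stmt->execute())
 {
-echo 'Trigger ' . htmlspecialchars($_GET['trigger']) . ' added!';
+echo 'Trigger ' . $trigger . ' added!';
 }
 break;
 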
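Review bot: Line 97 drops `htmlspecialchars()` from the echo and relies on `pts_strings::sanitize` having made `$trigger` HTML-safe; that function's behaviour is defined outside this diff, and input filtering and output escaping guard against different things, so keep `echo 'Trigger ' . htmlspecialchars($trigger) . ' added!';` regardless of the sanitization step. Line 88 reads `$_GET['trigger']` without an `isset()` guard, which raises a warning when the parameter is absent; guard it before sanitizing. The enclosing switch case begins outside the hunk.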

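--- a/pts-core/pts-core.php
+++ b/pts-core/pts-core.php
@@ -229,7 +229,7 @@ function pts_needed_extensions()
 }
 
 pts_define('PTS_VERSION', '10.8.0');
-pts_define('PTS_CORE_VERSION', 10800);
+pts_define('PTS_CORE_VERSION', 10801);
 pts_define('PTS_RELEASE_DATE', '2021125');
 pts_define('PTS_CODENAME', 'Nesseby');
 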
