CSRF protection (#44)

2018-11-25 21:25:27 +01:00
parent d452b139d7
commit d8a5cc54f6
3 changed files with 34 additions and 7 deletions
--- a/conf/ynh-vpnclient-loadcubefile.sh
+++ b/conf/ynh-vpnclient-loadcubefile.sh
@@ -96,7 +96,7 @@ fi

 # Upload cube file

-output=$(curl -kL -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
+output=$(curl -kL -H "X-Requested-With: yunohost-config" -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')


 # Configure IPv6 Delegated Prefix on Hotspot
--- a/sources/controller.php
+++ b/sources/controller.php
@@ -117,6 +117,11 @@ dispatch('/', function() {
 });

 dispatch_put('/settings', function() {
+
+  if(!isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
+    throw new Exception('CSRF protection');
+  }
+
  $service_enabled = isset($_POST['service_enabled']) ? 1 : 0;

  if($service_enabled == 1) {
--- a/sources/public/js/custom.js
+++ b/sources/public/js/custom.js
@@ -28,7 +28,7 @@ function tabsClick() {
  return false;
 }

-$(document).ready(function() {
+function ready() {
  $('.btn-group').button();
  $('[data-toggle="tooltip"]').tooltip();

@@ -73,11 +73,31 @@ $(document).ready(function() {
    $(choosertxtid).val($(this).val().replace(/^.*[\/\\]/, ''));
  });

-  $('#save').click(function() {
-    $(this).prop('disabled', true);
+  $('#form').on("submit", function(event) {
+    event.preventDefault()
+    $('#save').prop('disabled', true);
    $('#save-loading').show();
-    $('#form').submit();
-  });
+    $.ajax({
+        url: this.action,
+        type: this.method,
+        contentType: false,
+        processData: false,
+        cache: false,
+        data: new FormData(this),
+        headers: {
+          'X-Requested-With': 'jQuery',
+        },
+        dataType: "html",
+        success: function(data){
+          document.body.innerHTML = new DOMParser().parseFromString(data, "text/html").body.innerHTML
+          ready()
+        },
+        error: function() {
+          $('#save').prop('disabled', false);
+          $('#save-loading').hide();
+        },
+    });
+  })

  $('#status .close').click(function() {
    $(this).parent().hide();
@@ -110,4 +130,6 @@ $(document).ready(function() {
      $('.enabled').show('slow');
    }
  });
-});
+}
+
+$(document).ready(ready)