From d8a5cc54f6d1a408887792cf0ba09b189786d224 Mon Sep 17 00:00:00 2001
From: Gabriel Corona
Date: Sun, 25 Nov 2018 21:25:27 +0100
Subject: [PATCH] CSRF protection (#44)

---
 conf/ynh-vpnclient-loadcubefile.sh | 2 +-
 sources/controller.php | 5 +++++
 sources/public/js/custom.js | 34 ++++++++++++++++++++++++------
 3 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/conf/ynh-vpnclient-loadcubefile.sh b/conf/ynh-vpnclient-loadcubefile.sh
index 7f10afe..e99a91e 100644
--- a/conf/ynh-vpnclient-loadcubefile.sh
+++ b/conf/ynh-vpnclient-loadcubefile.sh
@@ -96,7 +96,7 @@ fi
 # Upload cube file
-output=$(curl -kL -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's///' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
+output=$(curl -kL -H "X-Requested-With: yunohost-config" -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's///' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
 # Configure IPv6 Delegated Prefix on Hotspot
diff --git a/sources/controller.php b/sources/controller.php
index a27b900..8a9ed13 100644
--- a/sources/controller.php
+++ b/sources/controller.php
@@ -117,6 +117,11 @@ dispatch('/', function() {
 });
 dispatch_put('/settings', function() {
+
+    if(!isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
+        throw new Exception('CSRF protection');
+    }
+
     $service_enabled = isset($_POST['service_enabled']) ? 1 : 0;
     if($service_enabled == 1) {
diff --git a/sources/public/js/custom.js b/sources/public/js/custom.js
index c918ab6..f4e36e2 100644
--- a/sources/public/js/custom.js
+++ b/sources/public/js/custom.js
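Review bot: The added `-H "X-Requested-With: yunohost-config"` is load-bearing but nothing in the script says why it is there, and since the server only tests that the header is present, the value `yunohost-config` is pure documentation that a future cleanup could easily drop. A comment above the curl line would prevent that: `# X-Requested-With is mandatory: the PUT /settings handler rejects requests without it (CSRF protection; the value is not checked)`. Note that the header authenticates nothing on its own — authorisation still comes from the session cookie in `${tmpdir}/cookies` — and the pre-existing `-k` with the loopback `--resolve` is presumably deliberate for a locally issued certificate, which the same comment could state.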
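Review bot: The new guard at the top of `dispatch_put('/settings', …)` throws a bare `Exception`, so a forged or header-less request gets whatever the framework's generic error handler produces (plausibly a 500 with a stack trace) rather than a deliberate 403; if the router offers a status helper, prefer answering 403 with a short message, and either way the check needs a comment, because presence-only checking looks like an oversight at first glance. Suggested comment: `// CSRF guard: a browser will not attach a custom header to a cross-origin form post without a CORS preflight, so any X-Requested-With value proves a same-origin XHR (the value itself is intentionally not checked).` The defence only holds while the application never emits permissive CORS headers (`Access-Control-Allow-Origin` for foreign origins together with `Access-Control-Allow-Headers: X-Requested-With`), which is worth stating in the same comment so nobody adds them later. The handler body continues past the end of the hunk, so the rest of the PUT processing was not reviewed here.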
@@ -28,7 +28,7 @@ function tabsClick() {
     return false;
 }
-$(document).ready(function() {
+function ready() {
     $('.btn-group').button();
     $('[data-toggle="tooltip"]').tooltip();
@@ -73,11 +73,31 @@ $(document).ready(function() {
         $(choosertxtid).val($(this).val().replace(/^.*[\/\\]/, ''));
     });
-    $('#save').click(function() {
-        $(this).prop('disabled', true);
+    $('#form').on("submit", function(event) {
+        event.preventDefault()
+        $('#save').prop('disabled', true);
         $('#save-loading').show();
-        $('#form').submit();
-    });
+        $.ajax({
+            url: this.action,
+            type: this.method,
+            contentType: false,
+            processData: false,
+            cache: false,
+            data: new FormData(this),
+            headers: {
+                'X-Requested-With': 'jQuery',
+            },
+            dataType: "html",
+            success: function(data){
+                document.body.innerHTML = new DOMParser().parseFromString(data, "text/html").body.innerHTML
+                ready()
+            },
+            error: function() {
+                $('#save').prop('disabled', false);
+                $('#save-loading').hide();
+            },
+        });
+    })
     $('#status .close').click(function() {
         $(this).parent().hide();
@@ -110,4 +130,6 @@ $(document).ready(function() {
         $('.enabled').show('slow');
     }
 });
-});
+}
+
+$(document).ready(ready)
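Review bot: The `error:` callback in the new submit handler only re-enables the button and hides the spinner, so a rejected save — including the server's new 'CSRF protection' rejection, an expired session, or any 4xx/5xx — leaves the user with no indication that nothing was saved. Surface the failure, e.g. `error: function(xhr) { $('#save').prop('disabled', false); $('#save-loading').hide(); $('#status').text('Saving failed (HTTP ' + xhr.status + ')').show(); }`, adjusted to however `#status` is actually rendered (only the `#status .close` handler is visible in this hunk). The success path replaces the whole `document.body` with the response body; assigning `innerHTML` does not execute `<script>` elements and the response's `<head>` is discarded, which is why `ready()` is re-run by hand — a one-line comment such as `// innerHTML does not run scripts, so rebind handlers manually` would keep someone from "fixing" this later. The explicit `'X-Requested-With': 'jQuery'` header is what satisfies the server-side check; jQuery by default already sends `X-Requested-With: XMLHttpRequest` on same-origin requests, so a comment noting that the server tests presence only would explain why the value is arbitrary. Minor style: `event.preventDefault()`, `ready()` and the closing `})` drop the semicolons the rest of the file uses.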