Add CSRF protection for POST requests
Add the CSRF token to all forms, and validate it when those forms are submitted. https://sourceforge.net/p/postfixadmin/bugs/372/ git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1842 a1433add-5e2c-0410-b055-b7f2511e0802
This commit is contained in:
parent
2bed4110a5
commit
52a7df2b3a
@ -38,6 +38,8 @@ $smtp_from_email = smtp_get_admin_email();
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "POST")
|
||||
{
|
||||
if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
|
||||
|
||||
if (empty($_POST['subject']) || empty($_POST['message']) || empty($_POST['name']))
|
||||
{
|
||||
$error = 1;
|
||||
|
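Review bot: The comparison on the added `if (safepost('token') != $_SESSION['PFA_token'])` line is loose and not constant-time, which weakens the check in two ways. If `PFA_token` is ever absent from the session (nothing in this diff sets it, so that depends on code outside it) and `safepost()` falls back to an empty string for a missing field, `'' != null` is false and the check is silently skipped; and two numeric-looking strings such as `0e`-prefixed hex digests compare equal under `!=`. Prefer `if (!isset($_SESSION['PFA_token']) || !hash_equals($_SESSION['PFA_token'], (string) safepost('token'))) die('Invalid token!');`, or at least `!==` behind the `isset` guard if the project's minimum PHP version predates `hash_equals()` (5.6). The same one-liner appears in every PHP hunk of this commit and should get the same treatment; the enclosing POST handler continues past the hunk.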
1
edit.php
1
edit.php
@ -93,6 +93,7 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") {
|
||||
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "POST") {
|
||||
if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
|
||||
$inp_values = safepost('value', array() );
|
||||
|
||||
foreach($form_fields as $key => $field) {
|
||||
|
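Review bot: The CSRF check is pasted as an identical one-liner into this POST branch and into each of the other PHP handlers in this commit, so every future POST handler must remember to add it and any hardening of the comparison has to be repeated six times. A single helper in the shared include, e.g. `function check_token() { if (!isset($_SESSION['PFA_token']) || safepost('token') !== $_SESSION['PFA_token']) die('Invalid token!'); }`, invoked as `check_token();` at the top of each POST branch, keeps the policy in one place and makes a missing call easy to grep for. Where that helper belongs is a guess, since the shared functions file is not part of this diff. The `foreach ($form_fields ...)` loop and the rest of edit.php's POST block continue beyond the hunk.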
@ -39,6 +39,8 @@ $smtp_from_email = smtp_get_admin_email();
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "POST")
|
||||
{
|
||||
if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
|
||||
|
||||
$fTo = safepost('fTo');
|
||||
$fFrom = $smtp_from_email;
|
||||
$fSubject = safepost('fSubject');
|
||||
|
@ -1,5 +1,6 @@
|
||||
<div id="edit_form">
|
||||
<form name="broadcast-message" method="post" action="">
|
||||
<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
|
||||
<table>
|
||||
<tr>
|
||||
<th colspan="2">{$PALANG.pBroadcast_title}</th>
|
||||
|
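Review bot: The hidden input on the added line applies `|escape:"url"` to a value placed in an HTML attribute; the escaper for that context is `|escape:"html"` (Smarty's default `|escape`), so the line should read `<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape}" />`. For a purely hexadecimal token both produce the same bytes, but if the token generator ever emits `+`, `/` or `=` (base64-style), URL-encoding rewrites the attribute value and the browser submits the encoded form, which no longer equals `$_SESSION['PFA_token']` and makes every submission fail with "Invalid token!". The same `value="{$smarty.session.PFA_token|escape:"url"}"` line is added to all six templates in this commit, so the fix applies to each. How the token is generated is not visible here, so the practical impact is an assumption to confirm.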
@ -1,6 +1,7 @@
|
||||
<div id="edit_form">
|
||||
<form name="edit_{$table}" method="post" action="">
|
||||
<input class="flat" type="hidden" name="table" value="{$table}" />
|
||||
<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
|
||||
|
||||
<table>
|
||||
<tr>
|
||||
|
@ -1,5 +1,6 @@
|
||||
<div id="edit_form">
|
||||
<form name="password" method="post" action="">
|
||||
<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
|
||||
<table>
|
||||
<tr>
|
||||
<th colspan="3">{$PALANG.pPassword_welcome}</th>
|
||||
|
@ -1,5 +1,6 @@
|
||||
<div id="edit_form">
|
||||
<form name="mailbox" method="post" action="">
|
||||
<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
|
||||
<table>
|
||||
<tr>
|
||||
<th colspan="3">{$PALANG.pSendmail_welcome}</th>
|
||||
|
@ -1,5 +1,6 @@
|
||||
<div id="edit_form">
|
||||
<form name="alias" method="post" action="">
|
||||
<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
|
||||
<table>
|
||||
<tr>
|
||||
<th colspan="3">{$PALANG.pEdit_alias_welcome}<br /><em>{$PALANG.pEdit_alias_help}</em></th>
|
||||
|
@ -3,6 +3,7 @@
|
||||
{/literal}
|
||||
<div id="edit_form">
|
||||
<form name="edit-vacation" method="post" action=''>
|
||||
<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
|
||||
<table>
|
||||
<tr>
|
||||
<th colspan="3">{$PALANG.pUsersVacation_welcome}</th>
|
||||
|
@ -52,6 +52,8 @@ if ($_SERVER['REQUEST_METHOD'] == "GET")
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "POST")
|
||||
{
|
||||
if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
|
||||
|
||||
// user clicked on cancel button
|
||||
if(isset($_POST['fCancel'])) {
|
||||
header("Location: main.php");
|
||||
|
@ -37,6 +37,8 @@ $pPassword_password_current_text = "";
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "POST")
|
||||
{
|
||||
if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
|
||||
|
||||
if(isset($_POST['fCancel'])) {
|
||||
header("Location: main.php");
|
||||
exit(0);
|
||||
|
@ -103,6 +103,8 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") {
|
||||
|
||||
if ($_SERVER['REQUEST_METHOD'] == "POST")
|
||||
{
|
||||
if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
|
||||
|
||||
if(isset($_POST['fCancel'])) {
|
||||
header ("Location: $Return_url");
|
||||
exit(0);
|
||||
|