Bug fix: prevent from CSRF vulnerabilities on profile page (thank you Etienne Z.)
authormensonge <mensonge@b3834d28-1941-0410-a4f8-b48e95affb8f>
Mon, 17 Nov 2008 14:24:44 +0000 (14:24 +0000)
committermensonge <mensonge@b3834d28-1941-0410-a4f8-b48e95affb8f>
Mon, 17 Nov 2008 14:24:44 +0000 (14:24 +0000)
git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@164 b3834d28-1941-0410-a4f8-b48e95affb8f

profile.php
templates/editprofile.tpl.php

index fe86daa7ad20ee1afefea7bcc29f18447cca23af..1ad92bad994fa418f4271214ee2866159839c7d4 100644 (file)
@@ -73,6 +73,15 @@ if (isset($_POST['submitted']) && $currentUserID == $userid) {
     $detMail = trim($_POST['pMail']);
     $detPage = trim($_POST['pPage']);
     $detDesc = filter($_POST['pDesc']);
+    
+    // manage token preventing from CSRF vulnaribilities
+    if ( !isset($_SESSION['token'], $_SESSION['token_stamp']) 
+        || time() - $_SESSION['token_stamp'] > 600 //limit token lifetime, optionnal
+        || $_SESSION['token'] != $_POST['token']) {
+        $error = true;
+        $tplVars['error'] = T_('Invalid Token');
+    }
+    
     if ($detPass != $detPassConf) {
         $error = true;
         $tplVars['error'] = T_('Password and confirmation do not match.');
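Review bot: The token comparison on the third added condition uses loose `!=` and never checks that `$_POST['token']` exists, so a POST without a token produces an undefined-index notice instead of a clean rejection, and two numeric-looking strings (an md5 hex beginning `0e…` is one) compare as numbers under `==`/`!=`, which lets an attacker-chosen value like `0` match such a token. Use a strict, ideally constant-time comparison: `|| !isset($_POST['token'])` and `|| !hash_equals($_SESSION['token'], (string) $_POST['token'])` (on PHP older than 5.6, at least `$_SESSION['token'] !== $_POST['token']`). Note also that the password-mismatch branch immediately below overwrites `$tplVars['error']`, so a request failing both checks reports only the password problem; the handling of `$error` that decides whether the profile is actually saved is outside this hunk and I assume it gates the update.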
@@ -98,8 +107,14 @@ if (isset($_POST['submitted']) && $currentUserID == $userid) {
 if ($currentUserID != $userid) {
     $templatename = 'profile.tpl.php';
 } else {
+       //Token Init
+       $_SESSION['token'] = md5(uniqid(rand(), true));
+       $_SESSION['token_stamp'] = time();
+       
     $templatename = 'editprofile.tpl.php';
     $tplVars['formaction']  = createURL('profile', $user);
+    $tplVars['token'] = $_SESSION['token'];
+    
 }
 
 $tplVars['row'] = $userinfo;
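Review bot: `md5(uniqid(rand(), true))` in the Token Init lines is not a cryptographic source: `rand()` is a predictable PRNG and `uniqid()` is derived from the clock, so the token's unpredictability rests on the `more_entropy` suffix of `uniqid` rather than on a CSPRNG. Generate it from the operating system's random source instead, e.g. `$_SESSION['token'] = bin2hex(random_bytes(16));` on PHP 7+, or `bin2hex(openssl_random_pseudo_bytes(16))` / a read from `/dev/urandom` on older releases. Because the token is regenerated on every render of the edit page, a form opened in a second tab silently invalidates the first; consider reusing the existing session token while it is within its lifetime. The added lines also mix tabs with the file's four-space indentation.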
index a38dbd854ea2c182beb5c5cfb53a1ec97833c6df..055aab04d9b0caa4b3e90ce6609580f56b926fe5 100644 (file)
@@ -3,6 +3,7 @@ $this->includeTemplate($GLOBALS['top_include']);
 ?>
 
 <form action="<?php echo $formaction; ?>" method="post">
+<input type="hidden" name="token" value="<?php echo $token; ?>">
 
 </table>