fix possible csrf attack due to missing form token

2025-10-31 13:18:06 +00:00 · 2021-01-24 17:05:13 +01:00 · 2021-01-24 17:05:13 +01:00 · 3fa952c5cb
commit 3fa952c5cb
parent b2182362d3
4 changed files with 12 additions and 0 deletions
--- a/op/op.EditDocument.php
+++ b/op/op.EditDocument.php
@ -32,6 +32,11 @@ include("../inc/inc.Authentication.php");
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('editdocument')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
--- a/op/op.EditFolder.php
+++ b/op/op.EditFolder.php
@ -32,6 +32,11 @@ include("../inc/inc.Authentication.php");
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('editfolder')) {
+	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["folderid"]) || !is_numeric($_POST["folderid"]) || intval($_POST["folderid"])<1) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
--- a/views/bootstrap/class.EditDocument.php
+++ b/views/bootstrap/class.EditDocument.php
@ -90,6 +90,7 @@ $(document).ready( function() {
 			$expdate = '';
 ?>
 <form class="form-horizontal" action="../op/op.EditDocument.php" name="form1" id="form1" method="post">
+		<?php echo createHiddenFieldWithKey('editdocument'); ?>
 	<input type="hidden" name="documentid" value="<?php echo $document->getID() ?>">
 <?php
 		$this->formField(
--- a/views/bootstrap/class.EditFolder.php
+++ b/views/bootstrap/class.EditFolder.php
@ -81,6 +81,7 @@ $(document).ready(function() {
 		$this->contentContainerStart();
 ?>
 <form class="form-horizontal" action="../op/op.EditFolder.php" id="form1" name="form1" method="post">
+		<?php echo createHiddenFieldWithKey('editfolder'); ?>
 		<input type="hidden" name="folderid" value="<?php print $folder->getID();?>">
 		<input type="hidden" name="showtree" value="<?php echo showtree();?>">
 <?php