From a38f7fd4082adff5cfe10fb4df163ae27a2ad407 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 16 Jun 2021 14:23:53 +0200
Subject: [PATCH] secure locking/inlocking documents with security token
---
 op/op.Ajax.php | 49 ++++++++++++++------------
 op/op.LockDocument.php | 5 +++
 op/op.UnlockDocument.php | 5 +++
 views/bootstrap/class.Bootstrap.php | 6 ++--
 views/bootstrap4/class.Bootstrap4.php | 6 ++--
 views/bootstrap4/styles/application.js | 2 +-
 6 files changed, 44 insertions(+), 29 deletions(-)
diff --git a/op/op.Ajax.php b/op/op.Ajax.php
index 965a8156d..c1adcac9d 100644
--- a/op/op.Ajax.php
+++ b/op/op.Ajax.php
@@ -575,40 +575,45 @@ switch($command) {
 case 'tooglelockdocument': /* {{{ */
 if($user) {
- $document = $dms->getDocument($_REQUEST['id']);
- if($document) {
- if ($document->getAccessMode($user) >= M_READWRITE) {
- if ($document->isLocked()) {
- $lockingUser = $document->getLockingUser();
- if (($lockingUser->getID() == $user->getID()) || ($document->getAccessMode($user) == M_ALL)) {
- if (!$document->setLocked(false)) {
- header('Content-Type: application/json');
- echo json_encode(array('success'=>false, 'message'=>'Error unlocking document', 'data'=>''));
+ if(checkFormKey('tooglelockdocument', 'GET')) {
+ $document = $dms->getDocument($_REQUEST['id']);
+ if($document) {
+ if ($document->getAccessMode($user) >= M_READWRITE) {
+ if ($document->isLocked()) {
+ $lockingUser = $document->getLockingUser();
+ if (($lockingUser->getID() == $user->getID()) || ($document->getAccessMode($user) == M_ALL)) {
+ if (!$document->setLocked(false)) {
+ header('Content-Type: application/json');
+ echo json_encode(array('success'=>false, 'message'=>'Error unlocking document', 'data'=>''));
+ } else {
+ header('Content-Type: application/json');
+ echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_unlocked'), 'data'=>''));
+ }
 } else {
 header('Content-Type: application/json');
- echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_unlocked'), 'data'=>''));
+ echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>''));
 }
 } else {
- header('Content-Type: application/json');
- echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>''));
+ if (!$document->setLocked($user)) {
+ header('Content-Type: application/json');
+ echo json_encode(array('success'=>false, 'message'=>'Error locking document', 'data'=>''));
+ } else {
+ header('Content-Type: application/json');
+ echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_locked'), 'data'=>''));
+ 
add_log_line();
+ }
 }
 } else {
- if (!$document->setLocked($user)) {
- header('Content-Type: application/json');
- echo json_encode(array('success'=>false, 'message'=>'Error locking document', 'data'=>''));
- } else {
- header('Content-Type: application/json');
- echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_locked'), 'data'=>''));
- add_log_line();
- }
+ header('Content-Type: application/json');
+ echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>''));
 }
 } else {
 header('Content-Type: application/json');
- echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>''));
+ echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_doc_id'), 'data'=>''));
 }
 } else {
 header('Content-Type: application/json');
- echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_doc_id'), 'data'=>''));
+ echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_request_token'), 'data'=>''));
 }
 }
 break;
 /* }}} */
diff --git a/op/op.LockDocument.php b/op/op.LockDocument.php
index a72b873fa..393119dc2 100644
--- a/op/op.LockDocument.php
+++ b/op/op.LockDocument.php
@@ -29,6 +29,11 @@
 require_once("inc/inc.DBInit.php");
 require_once("inc/inc.ClassUI.php");
 require_once("inc/inc.Authentication.php");
+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('lockdocument', 'GET')) {
+ UI::exitError(getMLText("document_title"), getMLText("invalid_request_token"));
+}
+
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
diff --git a/op/op.UnlockDocument.php b/op/op.UnlockDocument.php
index 7af019958..b457f842b 100644
--- a/op/op.UnlockDocument.php
+++ b/op/op.UnlockDocument.php
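Review bot: The `$_REQUEST['id']` handed to `$dms->getDocument()` inside the new `checkFormKey` branch is still unvalidated — no `isset`, no numeric check — and it is read from `$_REQUEST` while the token is verified with `checkFormKey('tooglelockdocument', 'GET')`, so an id arriving via POST body or cookie is accepted next to a GET token. The sibling scripts op.LockDocument.php and op.UnlockDocument.php in this same patch reject missing, non-numeric or non-positive ids before doing anything; mirroring that here, e.g. `$document = (isset($_GET['id']) && is_numeric($_GET['id']) && intval($_GET['id']) >= 1) ? $dms->getDocument(intval($_GET['id'])) : null;`, lets the existing `invalid_doc_id` branch cover malformed input. Separately, `$lockingUser->getID()` is called without checking that `getLockingUser()` returned an object (if it can return null for a stale lock, this fatals), and the two literals 'Error unlocking document' / 'Error locking document' bypass `getMLText()` unlike every other message in the hunk. The enclosing `switch($command)` starts before this hunk.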
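Review bot: The new `checkFormKey('lockdocument', 'GET')` guard, and its twin in the op.UnlockDocument.php hunk that follows, reads the token from the query string (the links built in class.Bootstrap.php append `&formtoken=` to the URL), so a valid token ends up in browser history, proxy and access logs and — if the result page links elsewhere — in the Referer header; how long a copied URL stays usable depends on how createFormKey() derives the key, which this patch does not show, so either a POST form or a short-lived per-action key is the safer shape for a state-changing operation. Also, the failure branch passes `getMLText("document_title")` without the `documentname` parameter that the adjacent `invalid_doc_id` check supplies, so the title placeholder is presumably left unfilled; `UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))), getMLText("invalid_request_token"));` matches the existing style in both files.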
@@ -28,6 +28,11 @@
 include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('unlockdocument', 'GET')) {
+ UI::exitError(getMLText("document_title"), getMLText("invalid_request_token"));
+}
+
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index ab4dba193..dd95dc547 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -714,7 +714,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
 if($accessobject->check_controller_access('UpdateDocument'))
 $menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
 if($accessobject->check_controller_access('LockDocument'))
- $menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid, 'label'=>getMLText('lock_document'));
+ $menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid."&formtoken=".createFormKey('lockdocument'), 'label'=>getMLText('lock_document'));
 if($accessobject->check_controller_access('EditDocument'))
 $menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid , 'label'=>getMLText('edit_document_props'));
 $menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
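Review bot: The token is concatenated raw into the href, `$docid."&formtoken=".createFormKey('lockdocument')`, in this hunk, in the @@ -725 hunk of class.Bootstrap.php below it and in the two matching hunks of class.Bootstrap4.php; whether that is safe depends on createFormKey() emitting only URL- and attribute-safe characters and on the menu renderer escaping the 'link' value, neither of which this patch shows. Wrapping it once, `"&formtoken=".urlencode(createFormKey('lockdocument'))`, removes the dependency on the key format, and since the `op.X.$docid."&formtoken=".createFormKey('x')` pattern now appears four times across two view classes, a small helper that returns the tokenised link would keep the two themes from drifting apart. Note also that the leading `&` presupposes `$docid` already carries a `?documentid=` query; the surrounding `../out/out.*` links suggest it does, but `$docid` is assembled outside this hunk and the assumption is worth a comment where it is built.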
@@ -725,7 +725,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
 if($accessobject->check_controller_access('UpdateDocument'))
 $menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
 if($accessobject->check_controller_access('UnlockDocument'))
- $menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid, 'label'=>getMLText('unlock_document'));
+ $menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid."&formtoken=".createFormKey('unlockdocument'), 'label'=>getMLText('unlock_document'));
 if($accessobject->check_controller_access('EditDocument'))
 $menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid, 'label'=>getMLText('edit_document_props'));
 $menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
@@ -2486,7 +2486,7 @@ $(function() {
 $title = 'lock_document';
 }
 $content = '';
- $content .= '';
+ $content .= '';
 if($return)
 return $content;
 else
diff --git a/views/bootstrap4/class.Bootstrap4.php b/views/bootstrap4/class.Bootstrap4.php
index eb509332d..a578c4031 100644
--- a/views/bootstrap4/class.Bootstrap4.php
+++ b/views/bootstrap4/class.Bootstrap4.php
@@ -703,7 +703,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
 if($accessobject->check_controller_access('UpdateDocument'))
 $menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
 if($accessobject->check_controller_access('LockDocument'))
- $menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid, 'label'=>getMLText('lock_document'));
+ $menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid."&formtoken=".createFormKey('lockdocument'), 'label'=>getMLText('lock_document'));
 if($accessobject->check_controller_access('EditDocument'))
 $menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid , 'label'=>getMLText('edit_document_props'));
 $menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
@@ -714,7 +714,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
 if($accessobject->check_controller_access('UpdateDocument'))
 $menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
 if($accessobject->check_controller_access('UnlockDocument'))
- $menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid, 'label'=>getMLText('unlock_document'));
+ $menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid."&formtoken=".createFormKey('unlockdocument'), 'label'=>getMLText('unlock_document'));
 if($accessobject->check_controller_access('EditDocument'))
 $menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid, 'label'=>getMLText('edit_document_props'));
 $menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
@@ -2539,7 +2539,7 @@ $(function() {
 $title = 'lock_document';
 }
 $content = '';
- $content .= '';
+ $content .= '';
 if($return)
 return $content;
 else
diff --git a/views/bootstrap4/styles/application.js b/views/bootstrap4/styles/application.js
index fb0db9907..4958bdcd1 100644
--- a/views/bootstrap4/styles/application.js
+++ b/views/bootstrap4/styles/application.js
@@ -389,7 +389,7 @@ $(document).ready( function() {
 attr_msg = $(ev.currentTarget).attr('msg');
 id = attr_rel;
 $.get('../op/op.Ajax.php',
- { command: 'tooglelockdocument', id: id },
+ { command: 'tooglelockdocument', formtoken: $(ev.currentTarget).data('formtoken'), id: id },
 function(data) {
 if(data.success) {
 //$("#table-row-document-"+id).html('Loading').load('../op/op.Ajax.php?command=view&view=documentlistrow&id='+id)
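Review bot: `$(ev.currentTarget).data('formtoken')` is sent without checking that the attribute is present; the @@ -2486 / @@ -2539 hunks that should add a `data-formtoken` attribute to the lock link have their markup stripped on this page, so the attribute name cannot be confirmed here, and a missing attribute produces an empty or `undefined` token and a round-trip that ends in the server's `invalid_request_token` branch with no hint about the cause. A guard ahead of the request, `if(!$(ev.currentTarget).data('formtoken')) return;`, or a console warning in that case, makes a template/script mismatch visible during development. The toggle also remains a state-changing `$.get`; op.Ajax.php verifies the key with `checkFormKey('tooglelockdocument', 'GET')`, so moving to `$.post` would be a coordinated change, but it would keep the token out of URL-based logs. The enclosing `$(document).ready` handler starts before this hunk.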