[wip] securing more forms through CSRF management

Benjamin Sonntag 2016-05-20 14:25:46 +02:00
parent 6043e9c3d7
commit 396f8c2598
6 changed files with 11 additions and 0 deletions


@ -47,6 +47,7 @@ include_once("head.php");
}
?>
<form method="post" action="<?php if (!$id) echo "aws_doadd.php"; else echo "aws_doedit.php"; ?>" id="main" name="main">
<?php csrf_get(); ?>
<table class="tedit">
<tr><th><input type="hidden" name="id" value="<?php echo $id ?>" />
<label for="hostname"><?php __("Domain name"); ?></label></th><td>
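Review bot: Emitting the token is only the client half: nothing in this commit shows the POST targets (`aws_doadd.php` and `aws_doedit.php` here, and in the later sections `aws_del.php`, `aws_pass.php`, `aws_useradd.php`, `aws_userdel.php`, `ssl_donew.php`, `ssl_doimport.php`, `ssl_finalize.php`, `ssl_share.php`) rejecting a request whose token is missing or wrong. All 11 additions are `<?php csrf_get(); ?>` lines inside form templates, so unless those handlers already validate, a forged request is treated exactly as before. Since the commit is marked [wip], I would list in the message which handlers still lack the check, and have each one validate the token before it reads any other POST field.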


@ -53,6 +53,7 @@ if ($quota->cancreate("aws")) { ?>
<?php if (!$nosta) { ?>
<form method="post" action="aws_del.php">
<?php csrf_get(); ?>
<table cellspacing="0" cellpadding="4">
<tr><th colspan="2"><?php __("Action"); ?></th><th><?php __("Domain name"); ?></th><th><?php __("Allowed Users"); ?></th><th><?php __("View the statistics"); ?></th></tr>
<?php


@ -65,6 +65,7 @@ if (isset($error) && $error) {
<?php } ?>
<form method="post" action="aws_pass.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tedit">
<tr><th>
<?php __("Username"); ?></th><td>


@ -46,6 +46,7 @@ if (!$r=$aws->list_login()) {
<?php } ?>
<form method="post" action="aws_useradd.php" name="main">
<?php csrf_get(); ?>
<table class="tedit">
<tr><th>
<label for="login"><?php __("Username"); ?></label></th><td>
@ -74,6 +75,7 @@ if (!$nologin) {
<form method="post" action="aws_userdel.php" name="main2" id="main2">
<?php csrf_get(); ?>
<table class="tlist">
<tr><th colspan="2"><?php __("Action"); ?></th><th><?php __("Username"); ?></th></tr>
<?php


@ -93,6 +93,7 @@ if (isset($error) && $error) {
</script>
<form method="post" action="ssl_donew.php" name="main" id="main">
<?php csrf_get(); ?>
<table border="1" cellspacing="0" cellpadding="4" class="tedit">
<tr><td colspan="2">
<?php __("Please choose the domain name for which you want a SSL Certificate, or enter it manually"); ?>
@ -133,6 +134,7 @@ if (isset($error) && $error) {
<p><?php __("We will verify the content of those files and add them in your certificate repository"); ?></p>
<form method="post" action="ssl_doimport.php" name="main" id="main">
<?php csrf_get(); ?>
<table border="1" cellspacing="0" cellpadding="4" class="tedit">
<tr>
<th><label for="key"><?php __("RSA Private Key"); ?></label></th>


@ -54,6 +54,7 @@ if ($cert["status"] == $ssl::STATUS_PENDING) {
<p><?php __("Once you'll have your <i>Certificate File</i> (CRT) and a <i>Chained Certificate File</i> (CHAIN), please paste them here to finish the enrollment."); ?></p>
<form method="post" action="ssl_finalize.php" name="main" id="main">
<?php csrf_get(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $cert["id"]; ?>"/>
<table border="1" cellspacing="0" cellpadding="4" class="tedit">
<tr>
@ -177,6 +178,7 @@ if ($cert["status"] == $ssl::STATUS_PENDING) {
?>
</p>
<form method="post" action="ssl_share.php">
<?php csrf_get(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $cert["id"]; ?>"/>
<input type="hidden" name="action" id="action" value="0" />
<input class="inb cancel" type="submit" name="unshare" value="<?php __("Click here to stop sharing this certificate"); ?>" />
@ -193,6 +195,7 @@ if ($cert["status"] == $ssl::STATUS_PENDING) {
?>
</p>
<form method="post" action="ssl_share.php">
<?php csrf_get(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $cert["id"]; ?>"/>
<input type="hidden" name="action" id="action" value="1" />
<input class="inb ok" type="submit" name="unshare" value="<?php __("Click here to share this certificate"); ?>" />
@ -209,6 +212,7 @@ if ($cert["status"] == $ssl::STATUS_PENDING) {
?>
<p>
<form method="post" action="ssl_finalize.php" name="main" id="main">
<?php csrf_get(); ?>
<input type="hidden" name="id" id="id" value="<?php echo $cert["id"]; ?>"/>
<input type="submit" class="inb delete" name="delete" value="<?php __("Delete"); ?>" onclick="return confirm('<?php
echo addslashes(_("Please confirm that you want to delete this certificate AND ITS PRIVATE KEY!"));
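Review bot: In each of the four forms in this section the new token field is immediately followed by `value="<?php echo $cert["id"]; ?>"`, written without escaping, and a CSRF token only protects as long as no script can be injected into the page that carries it. Where `$cert` is populated is outside these hunks, so the id may well be a database integer; if it is, `<?php echo (int) $cert["id"]; ?>` makes that explicit, otherwise use `htmlspecialchars((string) $cert["id"], ENT_QUOTES, 'UTF-8')`. The same applies to `<?php echo $id ?>` in the hidden field of the first form in this commit (the one posting to `aws_doadd.php` / `aws_doedit.php`).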