[wip] securing *all* forms through CSRF management (requires a new table)

This commit is contained in:
Benjamin Sonntag 2016-05-20 14:21:47 +02:00
parent d9bdfaf1ac
commit 6043e9c3d7
67 changed files with 112 additions and 23 deletions

2
bureau/admin/adm_add.php Normal file → Executable file

@ -60,7 +60,7 @@ if (isset($error) && $error) {
} }
?> ?>
<form method="post" action="adm_doadd.php" id="main" name="main" autocomplete="off"> <form method="post" action="adm_doadd.php" id="main" name="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields --> <!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" /> <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" /> <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
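Review bot: The inserted `<?php csrf_get(); ?>` only emits the token into the form; the protection depends on the receiving script (`adm_doadd.php` here) rejecting any POST whose token is missing or does not match a token stored in the new table, and no handler-side check is visible in this section or in the other form-only sections on this page. If the handler updates are not elsewhere in this commit, every form-side hunk here (adm_authip_whitelist.php through hta_edituser.php) stays unprotected until they land; a short `<!-- token is verified server-side by adm_doadd.php -->` next to the call would make the pairing auditable. The hunk header reports seven lines on both sides (`-60,7 +60,7`) while only the added line is visible, so one removed line of this hunk is not shown on this page.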

1
bureau/admin/adm_authip_whitelist.php Normal file → Executable file

@ -44,6 +44,7 @@ $list_ip = $authip->list_ip_whitelist();
<legend><?php __("Add an IP");?> - <a href="javascript:edit_ip('','<?php echo htmlentities(get_remote_ip())."','Home IP'";?>);" ><?php echo __("Add my current IP"); ?></a></legend> <legend><?php __("Add an IP");?> - <a href="javascript:edit_ip('','<?php echo htmlentities(get_remote_ip())."','Home IP'";?>);" ><?php echo __("Add my current IP"); ?></a></legend>
<span id="form_add_ip"> <span id="form_add_ip">
<form method="post" action="adm_authip_whitelist.php" name="main" id="main"> <form method="post" action="adm_authip_whitelist.php" name="main" id="main">
<?php csrf_get(); ?>
<p id="reset_edit_ip" style="display:none;"><a href="javascript:reset_edit_ip();"><?php __("Cancel edit")?></a></p> <p id="reset_edit_ip" style="display:none;"><a href="javascript:reset_edit_ip();"><?php __("Cancel edit")?></a></p>
<input type="hidden" name="id" value="" id="edit_id" /> <input type="hidden" name="id" value="" id="edit_id" />
<p> <p>

1
bureau/admin/adm_deactivate.php Normal file → Executable file

@ -69,6 +69,7 @@ if (! ($confirmed ) ) {
?> ?>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="POST"> <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="POST">
<?php csrf_get(); ?>
<input type="hidden" name="uid" value="<?php echo $uid?>" /> <input type="hidden" name="uid" value="<?php echo $uid?>" />
<?php __("Redirection URL:") ?> <input type="text" name="redirect" class="int" value="http://example.com/" /> <?php __("Redirection URL:") ?> <input type="text" name="redirect" class="int" value="http://example.com/" />
<input type="submit" name="submit" class="inb" value="<?php __("Confirm")?>" /> <input type="submit" name="submit" class="inb" value="<?php __("Confirm")?>" />
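Review bot: The form this token is added to still builds its `action` from `$_SERVER['PHP_SELF']` without escaping (the line directly above the `csrf_get()` call), so anything a client appends to the request path is reflected into the attribute; changing it to `action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>"` closes that while the form is being touched. Because this page posts to itself (`if (! ($confirmed ) )`), the token check must run on the confirmed branch before the deactivation is performed, not only where the form is rendered; that branch lies outside the hunk. The same unescaped-attribute pattern is visible on the hidden fields in adm_dodefquotas.php (`$type`), dom_dodel.php (`$domain`) and hta_dodeluser.php (`$dir`, `$t`), values that appear to be request-derived.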

3
bureau/admin/adm_defquotas.php Normal file → Executable file

@ -59,6 +59,7 @@ if (isset($error) && $error) {
} }
?> ?>
<form method="post" action="adm_dodefquotas.php"> <form method="post" action="adm_dodefquotas.php">
<?php csrf_get(); ?>
<p> <p>
<input type="hidden" name="action" value="add" /> <input type="hidden" name="action" value="add" />
<input type="text" name="type" class="int" /> <input type="text" name="type" class="int" />
@ -69,6 +70,7 @@ if (isset($error) && $error) {
<?php <?php
?> ?>
<form method="post" action="adm_dodefquotas.php"> <form method="post" action="adm_dodefquotas.php">
<?php csrf_get(); ?>
<table border="0" cellpadding="4" cellspacing="0"> <table border="0" cellpadding="4" cellspacing="0">
<tr class="lst"> <tr class="lst">
<td> <td>
@ -90,6 +92,7 @@ foreach($quota->listtype() as $type) {
<span class="inb"><a href="adm_defquotas.php?synchronise=1"><?php __("Synchronise user's quota (only to upper value)"); ?></a></span> <span class="inb"><a href="adm_defquotas.php?synchronise=1"><?php __("Synchronise user's quota (only to upper value)"); ?></a></span>
<form method="post" action="adm_dodefquotas.php"> <form method="post" action="adm_dodefquotas.php">
<?php csrf_get(); ?>
<div> <div>
<input type="hidden" name="action" value="modify" /> <input type="hidden" name="action" value="modify" />
<?php <?php
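Review bot: The synchronise link in the third hunk (`<a href="adm_defquotas.php?synchronise=1">`) performs a state change over GET and carries no token, so it remains forgeable after this commit; turning it into a one-button POST form containing `<?php csrf_get(); ?>`, or requiring the token as a query parameter in the handler, would close that gap. `adm_doms.php?force=1` in adm_doms.php has the same shape, although that one appears only to refresh a check. This page also calls `csrf_get()` three times in one request; if each call mints and stores a new row, validation in adm_dodefquotas.php must accept any outstanding token for the session rather than only the most recent one, and the new table will need an expiry or cleanup path — the same applies to adm_edit.php, adm_list.php, adm_slavedns.php, hta_edit.php, dom_edit.php and the six forms in bro_main.php.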

1
bureau/admin/adm_dodefquotas.php Normal file → Executable file

@ -66,6 +66,7 @@ if($action == "add") {
<h3><?php printf(_("Deleting quota %s"),$type); ?> : </h3> <h3><?php printf(_("Deleting quota %s"),$type); ?> : </h3>
<form action="adm_dodefquotas.php" method="post"> <form action="adm_dodefquotas.php" method="post">
<?php csrf_get(); ?>
<input type="hidden" name="action" value="delete" /> <input type="hidden" name="action" value="delete" />
<input type="hidden" name="type" value="<?php echo $type ?>" /> <input type="hidden" name="type" value="<?php echo $type ?>" />
<input type="hidden" name="del_confirm" value="y" /> <input type="hidden" name="del_confirm" value="y" />
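Review bot: This file is the POST handler the adm_defquotas.php forms submit to (`if($action == "add")`), and the hunk shows it emitting a token into the delete-confirmation form but not verifying one; the check belongs at the top of the script, before `$action` is dispatched, otherwise the tokens the forms now carry are never consulted. The dispatch code is above the hunk, so the check may already exist elsewhere in the file. Where it is added, a comment such as `// every state-changing action below requires a valid CSRF token` at the dispatch point documents the invariant for the next maintainer.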

1
bureau/admin/adm_dodel.php Normal file → Executable file

@ -67,6 +67,7 @@ if($del_confirm == "y"){
<body> <body>
<h3><?php printf(_("Deleting users")); ?> : </h3> <h3><?php printf(_("Deleting users")); ?> : </h3>
<form action="adm_dodel.php" method="post"> <form action="adm_dodel.php" method="post">
<?php csrf_get(); ?>
<input type="hidden" name="action" value="delete" /> <input type="hidden" name="action" value="delete" />
<input type="hidden" name="del_confirm" value="y" /> <input type="hidden" name="del_confirm" value="y" />
<p class="alert alert-warning"><?php __("WARNING : Confirm the deletion of the users"); ?></p> <p class="alert alert-warning"><?php __("WARNING : Confirm the deletion of the users"); ?></p>

1
bureau/admin/adm_doms.php Normal file → Executable file

@ -65,6 +65,7 @@ $c=$admin->dom_list(true,$forcecheck);
<?php __("If you want to force the check of NS, MX, IP on domains, click the link"); ?> <a href="adm_doms.php?force=1"><?php __("Show domain list with refreshed checked NS, MX, IP information"); ?></a> <?php __("If you want to force the check of NS, MX, IP on domains, click the link"); ?> <a href="adm_doms.php?force=1"><?php __("Show domain list with refreshed checked NS, MX, IP information"); ?></a>
</p> </p>
<form method="post" action="adm_dodom.php" name="main" id="main"> <form method="post" action="adm_dodom.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tlist" id="dom_list_table"> <table class="tlist" id="dom_list_table">
<thead> <thead>
<tr><th></th><th><?php __("Action"); ?></th><th><?php __("Domain"); ?></th><th><?php __("Creator"); ?></th><th><?php __("Connect as"); ?></th><th><?php __("OK?"); ?></th><th><?php __("Status"); ?></th></tr> <tr><th></th><th><?php __("Action"); ?></th><th><?php __("Domain"); ?></th><th><?php __("Creator"); ?></th><th><?php __("Connect as"); ?></th><th><?php __("OK?"); ?></th><th><?php __("Status"); ?></th></tr>

1
bureau/admin/adm_doms_def_type.php Normal file → Executable file

@ -43,6 +43,7 @@ if (!empty($domup)) {
$tab = $dom->lst_default_subdomains(); $tab = $dom->lst_default_subdomains();
?> ?>
<form method="post" action="adm_doms_def_type.php" name="main" id="main"> <form method="post" action="adm_doms_def_type.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tlist"> <table class="tlist">
<tr><th>&nbsp;</th><th><?php __("Sub"); ?></th><th><?php __("Type"); ?></th><th><?php __("settings"); ?></th><th><?php __("Concerned"); ?></th><th><?php __("Activation"); ?></th></tr> <tr><th>&nbsp;</th><th><?php __("Sub"); ?></th><th><?php __("Type"); ?></th><th><?php __("settings"); ?></th><th><?php __("Concerned"); ?></th><th><?php __("Activation"); ?></th></tr>
<?php for ($i = 0; $i < count($tab) + 1; $i++) { ?> <?php for ($i = 0; $i < count($tab) + 1; $i++) { ?>

1
bureau/admin/adm_domstypeedit.php Normal file → Executable file

@ -68,6 +68,7 @@ if (isset($error_edit) && $error_edit) {
} ?> } ?>
<form action="adm_domstypedoedit.php" method="post" name="main" id="main"> <form action="adm_domstypedoedit.php" method="post" name="main" id="main">
<?php csrf_get(); ?>
<input type="hidden" name="name" value="<?php echo $d['name']; ?>" /> <input type="hidden" name="name" value="<?php echo $d['name']; ?>" />
<table class="tedit"> <table class="tedit">
<tr> <tr>

3
bureau/admin/adm_edit.php Normal file → Executable file

@ -63,7 +63,7 @@ if (!$r=$admin->get($uid)) {
} }
?> ?>
<form method="post" action="adm_doedit.php" name="main" id="main" autocomplete="off"> <form method="post" action="adm_doedit.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields --> <!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" /> <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" /> <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
@ -136,6 +136,7 @@ if (!$r=$admin->get($uid)) {
<?php if($r['duration']) { ?> <?php if($r['duration']) { ?>
<form method="post" action="adm_dorenew.php"> <form method="post" action="adm_dorenew.php">
<?php csrf_get(); ?>
<input type="hidden" name="uid" value="<?php echo $uid ?>" /> <input type="hidden" name="uid" value="<?php echo $uid ?>" />
<table border="1" cellspacing="0" cellpadding="4" class="tedit"> <table border="1" cellspacing="0" cellpadding="4" class="tedit">
<tr> <tr>

2
bureau/admin/adm_email.php Normal file → Executable file

@ -57,7 +57,7 @@ if (isset($error) && $error) {
?> ?>
<form method="post" action="adm_email.php"> <form method="post" action="adm_email.php">
<?php csrf_get(); ?>
<table cellspacing="1" cellpadding="4" border="0" align="center" class='tedit'> <table cellspacing="1" cellpadding="4" border="0" align="center" class='tedit'>
<tr> <tr>
<th align="right"><b><?php __("From");?></b></th> <th align="right"><b><?php __("From");?></b></th>

2
bureau/admin/adm_list.php Normal file → Executable file

@ -89,6 +89,7 @@ if ($mem->user["admlist"] == 0) { // Normal (large) mode
<fieldset style="clear:both;"> <fieldset style="clear:both;">
<legend><?php __("Filters"); ?></legend> <legend><?php __("Filters"); ?></legend>
<form method="post" action="adm_list.php"> <form method="post" action="adm_list.php">
<?php csrf_get(); ?>
<p> <p>
<label> <label>
<input type="radio" name="pattern_type" value="login" id="pattern_type_login" <?php if (!$pattern_type || $pattern_type === 'login') echo ' checked="checked" '; ?>/> <input type="radio" name="pattern_type" value="login" id="pattern_type_login" <?php if (!$pattern_type || $pattern_type === 'login') echo ' checked="checked" '; ?>/>
@ -149,6 +150,7 @@ if (!is_array($accountList) || empty($accountList)) {
?> ?>
<form method="post" action="adm_dodel.php"> <form method="post" action="adm_dodel.php">
<?php csrf_get(); ?>
<?php <?php
// Depending on the admin's choice, let's show a short list or a long list. // Depending on the admin's choice, let's show a short list or a long list.

2
bureau/admin/adm_mxaccount.php Normal file → Executable file

@ -91,7 +91,7 @@ for($i=0;$i<count($c);$i++) { ?>
<?php } ?> <?php } ?>
<p><?php __("If you want to allow a new server to access your mx-hosted domain list, give him an account."); ?></p> <p><?php __("If you want to allow a new server to access your mx-hosted domain list, give him an account."); ?></p>
<form method="post" action="adm_mxaccount.php" name="main" id="main" autocomplete="off"> <form method="post" action="adm_mxaccount.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields --> <!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" /> <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" /> <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
bureau/admin/adm_passpolicy.php Normal file → Executable file

@ -84,6 +84,7 @@ if (!empty($edit)) {
<p><b><?php echo $c[$edit]["description"]; ?></b></p> <p><b><?php echo $c[$edit]["description"]; ?></b></p>
<form method="post" action="adm_passpolicy.php"> <form method="post" action="adm_passpolicy.php">
<?php csrf_get(); ?>
<input type="hidden" name="doedit" value="<?php echo $edit; ?>"/> <input type="hidden" name="doedit" value="<?php echo $edit; ?>"/>
<table class="tlist"> <table class="tlist">
<tr> <tr>

1
bureau/admin/adm_quotaedit.php Normal file → Executable file

@ -63,6 +63,7 @@ $mem->unsu();
} }
?> ?>
<form method="post" action="adm_quotadoedit.php"> <form method="post" action="adm_quotadoedit.php">
<?php csrf_get(); ?>
<table class="tedit"> <table class="tedit">
<tr><th><input type="hidden" name="uid" value="<?php echo $uid ?>" /> <tr><th><input type="hidden" name="uid" value="<?php echo $uid ?>" />
<?php __("Username"); ?></th><td colspan="3"><code><big><?php echo $us["login"]; ?></big></code>&nbsp;</td></tr> <?php __("Username"); ?></th><td colspan="3"><code><big><?php echo $us["login"]; ?></big></code>&nbsp;</td></tr>

3
bureau/admin/adm_slavedns.php Normal file → Executable file

@ -110,6 +110,7 @@ if (is_array($c)) { ?>
<p><?php __("If you want to allow an ip address or class to connect to your dns server, enter it here. Choose 32 as a prefix for single ip address."); ?></p> <p><?php __("If you want to allow an ip address or class to connect to your dns server, enter it here. Choose 32 as a prefix for single ip address."); ?></p>
<form method="post" action="adm_slavedns.php" name="main" id="main"> <form method="post" action="adm_slavedns.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tedit"> <table class="tedit">
<tr><th><label for="newip"><?php __("IP Address"); ?></label></th><th><label for="newclass"><?php __("Prefix"); ?></label></th></tr> <tr><th><label for="newip"><?php __("IP Address"); ?></label></th><th><label for="newclass"><?php __("Prefix"); ?></label></th></tr>
<tr> <tr>
@ -154,7 +155,7 @@ if (is_array($c)) { ?>
<p><?php __("If you want to allow a new server to access your domain list, give him an account."); ?></p> <p><?php __("If you want to allow a new server to access your domain list, give him an account."); ?></p>
<form method="post" action="adm_slavedns.php" name="main" id="main" autocomplete="off"> <form method="post" action="adm_slavedns.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields --> <!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" /> <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" /> <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
bureau/admin/adm_tld.php Normal file → Executable file

@ -69,6 +69,7 @@ $c=$admin->listtld();
</p> </p>
<p><span class="ina"><a href="adm_tldadd.php"><?php __("Add a new TLD"); ?></a></span></p> <p><span class="ina"><a href="adm_tldadd.php"><?php __("Add a new TLD"); ?></a></span></p>
<form method="post" action="adm_tld.php" name="main" id="main"> <form method="post" action="adm_tld.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tlist"> <table class="tlist">
<tr><th colspan="2"> </th><th><?php __("TLD"); ?></th><th><?php __("Allowed Mode"); ?></th></tr> <tr><th colspan="2"> </th><th><?php __("TLD"); ?></th><th><?php __("Allowed Mode"); ?></th></tr>
<?php <?php

2
bureau/admin/adm_tldadd.php Normal file → Executable file

@ -60,7 +60,7 @@ include_once ("head.php");
</p> </p>
<form method="post" action="adm_tlddoadd.php" name="main" id="main"> <form method="post" action="adm_tlddoadd.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tedit"> <table class="tedit">
<tr><th><label for="tld"><?php __("TLD"); ?></label></th><td><input type="text" id="tld" name="tld" class="int" value="<?php ehe( (isset($tld)?$tld:'') ); ?>" size="20" maxlength="64" /></td></tr> <tr><th><label for="tld"><?php __("TLD"); ?></label></th><td><input type="text" id="tld" name="tld" class="int" value="<?php ehe( (isset($tld)?$tld:'') ); ?>" size="20" maxlength="64" /></td></tr>
<tr><th><label for="mode"><?php __("Allowed Mode"); ?></label></th><td><select name="mode" id="mode" class="inl"> <tr><th><label for="mode"><?php __("Allowed Mode"); ?></label></th><td><select name="mode" id="mode" class="inl">

1
bureau/admin/adm_tldedit.php Normal file → Executable file

@ -60,6 +60,7 @@ include_once("head.php");
<h3><?php __("Edit a TLD"); ?></h3> <h3><?php __("Edit a TLD"); ?></h3>
<form method="post" action="adm_tlddoedit.php"> <form method="post" action="adm_tlddoedit.php">
<?php csrf_get(); ?>
<table id="main" class="tedit"> <table id="main" class="tedit">
<tr><th><label for="tld"><?php __("TLD"); ?></label></th><td><code><?php echo $tld; ?></code><input type="hidden" name="tld" id="tld" value="<?php echo $tld; ?>" /></td></tr> <tr><th><label for="tld"><?php __("TLD"); ?></label></th><td><code><?php echo $tld; ?></code><input type="hidden" name="tld" id="tld" value="<?php echo $tld; ?>" /></td></tr>
<tr><th><label for="mode"><?php __("Allowed Mode"); ?></label></th><td><select name="mode" class="inl" id="mode"> <tr><th><label for="mode"><?php __("Allowed Mode"); ?></label></th><td><select name="mode" class="inl" id="mode">

1
bureau/admin/adm_variables.php Normal file → Executable file

@ -53,6 +53,7 @@ include_once ("head.php");
</p> </p>
<form method="post" action="adm_variables.php"> <form method="post" action="adm_variables.php">
<?php csrf_get(); ?>
<table border="0" cellpadding="4" cellspacing="0" class='tlist'> <table border="0" cellpadding="4" cellspacing="0" class='tlist'>
<tr><th><?php __("Names"); ?></th><th><?php __("Value"); ?></th><th><?php __("Comment"); ?></th></tr> <tr><th><?php __("Names"); ?></th><th><?php __("Value"); ?></th><th><?php __("Comment"); ?></th></tr>
<?php <?php

1
bureau/admin/bro_editor.php Normal file → Executable file

@ -80,6 +80,7 @@ $content=$bro->content($R,$editfile);
?> ?>
<form action="bro_editor.php" method="post"><br /> <form action="bro_editor.php" method="post"><br />
<?php csrf_get(); ?>
<div id="tabsfile"> <div id="tabsfile">
<ul> <ul>
<li class="view"><a href="#tabsfile-view"><?php __("View"); ?></a></li> <li class="view"><a href="#tabsfile-view"><?php __("View"); ?></a></li>

6
bureau/admin/bro_main.php Normal file → Executable file

@ -96,6 +96,7 @@ if (!empty($formu) && $formu) {
?> ?>
<h3><?php printf(_("Deleting files and/or directories")); ?> : </h3> <h3><?php printf(_("Deleting files and/or directories")); ?> : </h3>
<form action="bro_main.php" method="post" name="main" id="main"> <form action="bro_main.php" method="post" name="main" id="main">
<?php csrf_get(); ?>
<input type="hidden" name="formu" value="2" /> <input type="hidden" name="formu" value="2" />
<input type="hidden" name="actdel" value="1" /> <input type="hidden" name="actdel" value="1" />
<input type="hidden" name="R" value="<?php ehe($R)?>" /> <input type="hidden" name="R" value="<?php ehe($R)?>" />
@ -184,6 +185,7 @@ if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
<td class="formcell"> <td class="formcell">
<form action="bro_main.php" enctype="multipart/form-data" method="post"> <form action="bro_main.php" enctype="multipart/form-data" method="post">
<?php csrf_get(); ?>
<input type="hidden" name="R" value="<?php echo $R; ?>" /> <input type="hidden" name="R" value="<?php echo $R; ?>" />
<input type="hidden" name="formu" value="3" /> <input type="hidden" name="formu" value="3" />
@ -200,6 +202,7 @@ if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
<?php __("New file or folder:"); ?><br /> <?php __("New file or folder:"); ?><br />
<form action="bro_main.php" method="post" name="nn" id="nn"> <form action="bro_main.php" method="post" name="nn" id="nn">
<?php csrf_get(); ?>
<input type="hidden" name="R" value="<?php echo $R; ?>" /> <input type="hidden" name="R" value="<?php echo $R; ?>" />
<table><tr> <table><tr>
<td><input type="text" class="int" name="nomfich" id="nomfich" size="22" maxlength="255" /></td> <td><input type="text" class="int" name="nomfich" id="nomfich" size="22" maxlength="255" /></td>
@ -221,6 +224,7 @@ if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
if (isset($formu) && $formu==2 && isset($actrename) && $actrename && count($d)) { if (isset($formu) && $formu==2 && isset($actrename) && $actrename && count($d)) {
echo "<table cellpadding=\"6\">\n"; echo "<table cellpadding=\"6\">\n";
echo "<form action=\"bro_main.php\" method=\"post\">\n"; echo "<form action=\"bro_main.php\" method=\"post\">\n";
csrf_get();
echo "<input type=\"hidden\" name=\"R\" value=\"$R\" />\n"; echo "<input type=\"hidden\" name=\"R\" value=\"$R\" />\n";
echo "<input type=\"hidden\" name=\"formu\" value=\"4\" />\n"; echo "<input type=\"hidden\" name=\"formu\" value=\"4\" />\n";
echo "<tr><th colspan=\"2\">"._("Rename")."</th></tr>"; echo "<tr><th colspan=\"2\">"._("Rename")."</th></tr>";
@ -237,6 +241,7 @@ if (isset($formu) && $formu==2 && isset($actrename) && $actrename && count($d))
/* [ML] Changer les permissions : */ /* [ML] Changer les permissions : */
if ($formu==2 && ! (empty($actperms)) && count($d)) { if ($formu==2 && ! (empty($actperms)) && count($d)) {
echo "<form action=\"bro_main.php\" method=\"post\">\n"; echo "<form action=\"bro_main.php\" method=\"post\">\n";
csrf_get();
echo "<input type=\"hidden\" name=\"R\" value=\"$R\" />\n"; echo "<input type=\"hidden\" name=\"R\" value=\"$R\" />\n";
echo "<input type=\"hidden\" name=\"formu\" value=\"7\" />\n"; echo "<input type=\"hidden\" name=\"formu\" value=\"7\" />\n";
echo "<p>"._("Permissions")."</p>"; echo "<p>"._("Permissions")."</p>";
@ -277,6 +282,7 @@ if (count($c)) {
?> ?>
<form action="bro_main.php" method="post" name="main" id="main"> <form action="bro_main.php" method="post" name="main" id="main">
<?php csrf_get(); ?>
<input type="hidden" name="R" value="<?php echo $R; ?>" /> <input type="hidden" name="R" value="<?php echo $R; ?>" />
<input type="hidden" name="formu" value="2" /> <input type="hidden" name="formu" value="2" />
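Review bot: The second hunk adds the token to the `enctype="multipart/form-data"` upload form; when an upload exceeds `post_max_size` PHP discards the entire POST body, so the handler would see a missing token and report a CSRF failure instead of the real cause. Comparing `$_SERVER['CONTENT_LENGTH']` against `post_max_size` when `$_POST` is empty and reporting a file-too-large message before the token check avoids that misleading error. The echo-context calls `csrf_get();` in the rename and permissions forms are consistent with the template-context `<?php csrf_get(); ?>` used elsewhere, assuming the function echoes the hidden input rather than returning it.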

2
bureau/admin/bro_pref.php Normal file → Executable file

@ -60,7 +60,7 @@ include_once("head.php");
<hr id="topbar"/> <hr id="topbar"/>
<br /> <br />
<form action="bro_pref.php" method="post"> <form action="bro_pref.php" method="post">
<?php csrf_get(); ?>
<table cellpadding="6" border="1" cellspacing="0" class='tedit'> <table cellpadding="6" border="1" cellspacing="0" class='tedit'>
<tr><th><?php __("Horizontal window size"); ?></th><td><select class="inl" name="editsizex"> <tr><th><?php __("Horizontal window size"); ?></th><td><select class="inl" name="editsizex">

1
bureau/admin/browseforfolder2.php Normal file → Executable file

@ -139,6 +139,7 @@ if ($errbrowsefold) {
reset($ar); reset($ar);
?> ?>
<form method="post" id="main" name="main" action="browseforfolder2.php"> <form method="post" id="main" name="main" action="browseforfolder2.php">
<?php csrf_get(); ?>
<p> <p>
<input type="hidden" name="caller" value="<?php echo $caller; ?>" /> <input type="hidden" name="caller" value="<?php echo $caller; ?>" />
<input type="hidden" name="lastcurdir" value="<?php echo $curdir; ?>" /> <input type="hidden" name="lastcurdir" value="<?php echo $curdir; ?>" />

2
bureau/admin/cron.php Normal file → Executable file

@ -27,7 +27,7 @@ $lst_cron = $cron->lst_cron();
<?php } ?> <?php } ?>
<form method="post" action="cron.php" id="main" name="cron" > <form method="post" action="cron.php" id="main" name="cron" >
<?php csrf_get(); ?>
<table class="tlist"> <table class="tlist">
<!-- <!--

1
bureau/admin/dom_add.php Normal file → Executable file

@ -53,6 +53,7 @@ exit();
if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>"; if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
?> ?>
<form method="post" action="dom_doadd.php" id="main"> <form method="post" action="dom_doadd.php" id="main">
<?php csrf_get(); ?>
<p> <p>
<label for="newdomain"><b><?php __("Domain name"); ?> :</b></label> <span class="int" id="newdomwww">www.</span><input type="text" class="int" id="newdomain" name="newdomain" value="<?php ehe($newdomain); ?>" size="32" maxlength="255" /> <a class="inb configure" href="dom_import.php"><?php __("Advanced import"); ?></a> <label for="newdomain"><b><?php __("Domain name"); ?> :</b></label> <span class="int" id="newdomwww">www.</span><input type="text" class="int" id="newdomain" name="newdomain" value="<?php ehe($newdomain); ?>" size="32" maxlength="255" /> <a class="inb configure" href="dom_import.php"><?php __("Advanced import"); ?></a>
</p> </p>

1
bureau/admin/dom_dodel.php Normal file → Executable file

@ -68,6 +68,7 @@ if ($del_confirm!="y") {
<?php __("This will delete the related sub-domains too."); ?></p> <?php __("This will delete the related sub-domains too."); ?></p>
<form method="post" action="dom_dodel.php" id="main"> <form method="post" action="dom_dodel.php" id="main">
<?php csrf_get(); ?>
<p> <p>
<input type="hidden" name="del_confirm" value="y" /> <input type="hidden" name="del_confirm" value="y" />
<input type="hidden" name="domain" value="<?php echo $domain ?>" /> <input type="hidden" name="domain" value="<?php echo $domain ?>" />

1
bureau/admin/dom_edit.inc.php Normal file → Executable file

@ -29,6 +29,7 @@ $dom->unlock();
?> ?>
<form action="dom_subdoedit.php" method="post" name="main" id="main"> <form action="dom_subdoedit.php" method="post" name="main" id="main">
<?php csrf_get(); ?>
<table border="0"> <table border="0">
<tr> <tr>
<td> <td>

3
bureau/admin/dom_edit.php Normal file → Executable file

@ -263,7 +263,7 @@ if (!$r['noerase']) {
<div id="tabsdom-params"> <div id="tabsdom-params">
<h3><?php __("DNS &amp; Email parameters"); ?></h3> <h3><?php __("DNS &amp; Email parameters"); ?></h3>
<form action="dom_editdns.php?domain=<?php echo urlencode($r["name"]) ?>" method="post" id="fdns" name="fdns" onSubmit="return destruction_alert();"> <form action="dom_editdns.php?domain=<?php echo urlencode($r["name"]) ?>" method="post" id="fdns" name="fdns" onSubmit="return destruction_alert();">
<?php csrf_get(); ?>
<table class="tlist2"> <table class="tlist2">
<tr> <tr>
<td><?php __("Manage the DNS on the server ?"); ?></td> <td><?php __("Manage the DNS on the server ?"); ?></td>
@ -321,6 +321,7 @@ if (!$r['noerase']) {
<h3><?php __("Domain removal"); ?></h3> <h3><?php __("Domain removal"); ?></h3>
<?php printf(_("If you want to destroy the domain %s, click on the button below. Warning: this also deletes all FTP accounts, email, mailing lists associated with the domain and subdomains."),$domain); ?><br /> <?php printf(_("If you want to destroy the domain %s, click on the button below. Warning: this also deletes all FTP accounts, email, mailing lists associated with the domain and subdomains."),$domain); ?><br />
<form action="dom_dodel.php?domain=<?php echo urlencode($domain) ?>" method="post"> <form action="dom_dodel.php?domain=<?php echo urlencode($domain) ?>" method="post">
<?php csrf_get(); ?>
<p> <p>
<input type="submit" class="inb delete" name="detruire" value="<?php printf(_("Delete %s from this server"),$domain); ?>" /> <input type="submit" class="inb delete" name="detruire" value="<?php printf(_("Delete %s from this server"),$domain); ?>" />
</p> </p>

1
bureau/admin/dom_import.php Normal file → Executable file

@ -90,6 +90,7 @@ if ($save) {
<form method="post" action="dom_import.php"> <form method="post" action="dom_import.php">
<?php csrf_get(); ?>
<table> <table>
<tr> <tr>
<td> <td>

1
bureau/admin/dom_subdel.php Normal file → Executable file

@ -59,6 +59,7 @@ if (isset($error) && $error) {
<hr id="topbar"/> <hr id="topbar"/>
<br /> <br />
<form action="dom_subdodel.php" method="post"> <form action="dom_subdodel.php" method="post">
<?php csrf_get(); ?>
<p class="alert alert-warning"> <p class="alert alert-warning">
<input type="hidden" name="sub_domain_id" value="<?php echo $sub_domain_id ?>" /> <input type="hidden" name="sub_domain_id" value="<?php echo $sub_domain_id ?>" />
<?php __("WARNING : You are going to delete a sub-domain."); ?></p> <?php __("WARNING : You are going to delete a sub-domain."); ?></p>

1
bureau/admin/ftp_del.php Normal file → Executable file

@ -76,6 +76,7 @@ if(!empty($confirm_del)) {
</ul> </ul>
<form method="post" action="ftp_del.php" name="main" id="main"> <form method="post" action="ftp_del.php" name="main" id="main">
<?php csrf_get(); ?>
<?php foreach($lst_todel as $t) { <?php foreach($lst_todel as $t) {
echo "<input type='hidden' name='del_$t' value='$t' >\n"; echo "<input type='hidden' name='del_$t' value='$t' >\n";
} ?> } ?>

1
bureau/admin/ftp_doedit.php Normal file → Executable file

@ -39,7 +39,6 @@ $fields = array (
); );
getFields($fields); getFields($fields);
if ($pass != $passconf) { if ($pass != $passconf) {
$error = _("Passwords do not match"); $error = _("Passwords do not match");
include_once("head.php"); include_once("head.php");

2
bureau/admin/ftp_edit.php Normal file → Executable file

@ -65,7 +65,7 @@ if (isset($error) && $error) {
} }
?> ?>
<form method="post" action="ftp_doedit.php" name="main" id="main" autocomplete="off"> <form method="post" action="ftp_doedit.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields --> <!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" /> <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" /> <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
bureau/admin/ftp_list.php Normal file → Executable file

@ -68,6 +68,7 @@ if (isset($error) && $error && !$noftp) {
?> ?>
<form method="post" action="ftp_del.php"> <form method="post" action="ftp_del.php">
<?php csrf_get(); ?>
<table class="tlist" id="ftp_list_table"> <table class="tlist" id="ftp_list_table">
<thead> <thead>
<tr><th colspan="2"> </th><th><?php __("Enabled"); ?></th><th><?php __("Username"); ?></th><th><?php __("Folder"); ?></th></tr> <tr><th colspan="2"> </th><th><?php __("Enabled"); ?></th><th><?php __("Username"); ?></th><th><?php __("Folder"); ?></th></tr>

1
bureau/admin/hta_add.php Normal file → Executable file

@ -50,6 +50,7 @@ if (isset($error) && $error) {
} ?> } ?>
<form method="post" action="hta_doadd.php" name="main" id="main"> <form method="post" action="hta_doadd.php" name="main" id="main">
<?php csrf_get(); ?>
<table border="1" cellspacing="0" cellpadding="4" class='tedit'> <table border="1" cellspacing="0" cellpadding="4" class='tedit'>
<tr> <tr>
<th><label for="dir"><?php __("Folder"); ?></label></th> <th><label for="dir"><?php __("Folder"); ?></label></th>

2
bureau/admin/hta_adduser.php Normal file → Executable file

@ -45,7 +45,7 @@ getFields($fields);
?> ?>
<form method="post" action="hta_doadduser.php" name="main" id="main" autocomplete="off"> <form method="post" action="hta_doadduser.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields --> <!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" /> <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" /> <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
bureau/admin/hta_dodeluser.php Normal file → Executable file

@ -57,6 +57,7 @@ include_once('head.php');
</ul> </ul>
<form method="post" action="hta_dodeluser.php" name="main" id="main"> <form method="post" action="hta_dodeluser.php" name="main" id="main">
<?php csrf_get(); ?>
<input type='hidden' name='dir' value='<?php echo $dir;?>' > <input type='hidden' name='dir' value='<?php echo $dir;?>' >
<?php foreach($d as $t) { <?php foreach($d as $t) {
echo "<input type='hidden' name='d[$t]' value='$t' >\n"; echo "<input type='hidden' name='d[$t]' value='$t' >\n";

3
bureau/admin/hta_edit.php Normal file → Executable file

@ -57,6 +57,7 @@ if (!$dir) {
reset($r); reset($r);
?> ?>
<form method="post" action="hta_dodeluser.php"> <form method="post" action="hta_dodeluser.php">
<?php csrf_get(); ?>
<table cellspacing="0" cellpadding="4" class='tlist'> <table cellspacing="0" cellpadding="4" class='tlist'>
<tr> <tr>
<th colspan="2" ><input type="hidden" name="dir" value="<?php echo $dir?>"> </th> <th colspan="2" ><input type="hidden" name="dir" value="<?php echo $dir?>"> </th>
@ -91,7 +92,7 @@ for($i=0;$i<count($r);$i++){ ?>
<legend><h3><?php __("Adding an authorized user"); ?></h3></legend> <legend><h3><?php __("Adding an authorized user"); ?></h3></legend>
<form method="post" action="hta_doadduser.php" name="main" id="main" autocomplete="off"> <form method="post" action="hta_doadduser.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields --> <!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" /> <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" /> <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
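--- a/bureau/admin/hta_edituser.php
+++ b/bureau/admin/hta_edituser.php
@@ -44,6 +44,7 @@ getFields($fields);
 <?php if (!empty($error) ) { echo "<p class=\"alert alert-danger\">$error</p>"; } ?>
 <form method="post" action="hta_doedituser.php" name="main" id="main" autocomplete="off">
+<?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />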

1
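--- a/bureau/admin/hta_list.php
+++ b/bureau/admin/hta_list.php
@@ -64,6 +64,7 @@ $mem->show_help("hta_list2");
 </p>
 <form method="post" action="hta_del.php">
+<?php csrf_get(); ?>
 <table class="tlist">
 <tr><th colspan="2"> </th><th><?php __("Folder"); ?></th></tr>
 <?php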

1
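--- a/bureau/admin/index.php
+++ b/bureau/admin/index.php
@@ -93,6 +93,7 @@ if ( empty($logo) || ! $logo ) {
 <?php if (!empty($authip_token)) { echo "<p style='color:red;'>";__("You are attemping to connect without IP restriction."); echo "</p>"; } ?>
 <div class="menu-title"><?php __("AlternC access"); ?></div>
 <form action="login.php" method="post" name="loginform" target="_top">
+<?php csrf_get(); ?>
 <div class="menu-content">
 <div><label for="username"><?php echo _("Username"); ?></label></td><td><input type="text" class="int" name="username" id="username" value="" maxlength="128" autocapitalize="none" /></div>
 <div><label for="password"><?php echo _("Password"); ?></label></td><td><input type="password" class="int" name="password" id="password" value="" maxlength="128" /></div>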
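Review bot: Calling `csrf_get()` on the login form means every anonymous render of index.php now creates a session token and inserts a row into the `csrf` table (the INSERT in csrf_get in functions.php), while the table is only pruned inside csrf_check after a successful check; between successful POSTs an unauthenticated client can therefore make the table grow without bound. Consider running the one-day cleanup from csrf_get as well (or from a cron job), or capping the number of live tokens per cookie, so that pre-login page views cannot exhaust storage. Whether a session is already started when index.php renders this form cannot be seen from this hunk, but csrf_get writes `$_SESSION["csrf"]` unconditionally, so that should be confirmed.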

2
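--- a/bureau/admin/ip_main.php
+++ b/bureau/admin/ip_main.php
@@ -89,6 +89,7 @@ $lac = $authip->list_affected();
 <p><?php __("You need to have some 'Known IP and networks' defined below to define a new rule.") ?></p>
 <?php } else { ?>
 <form method="post" action="ip_main.php" name="main" id="main">
+<?php csrf_get(); ?>
 <table class="tlistb">
 <tbody>
 <tr valign="top">
@@ -176,6 +177,7 @@ foreach($list_ip as $i) {
 <p><a href="javascript:edit_ip('','<?php echo htmlentities(get_remote_ip())."','Home IP'";?>);" ><?php echo __("Add my current IP"); ?></a></p>
 <span id="form_add_ip">
 <form method="post" action="ip_main.php" name="main" >
+<?php csrf_get(); ?>
 <p id="reset_edit_ip" style="display:none;"><a href="javascript:reset_edit_ip();"><?php __("Cancel edit")?></a></p>
 <input type="hidden" name="id" value="" id="edit_id" />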

1
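--- a/bureau/admin/mail_del.php
+++ b/bureau/admin/mail_del.php
@@ -56,6 +56,7 @@ if ($confirm=="y") {
 <br />
 <p><?php __("Please confirm the deletion of the following mail accounts:"); ?></p>
 <form method="post" action="mail_del.php" id="main">
+<?php csrf_get(); ?>
 <p>
 <input type="hidden" name="confirm" value="y" />
 <input type="hidden" name="domain_id" value="<?php echo $domain_id; ?>" />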

2
bureau/admin/mail_edit.php Normal file → Executable file

@ -62,7 +62,7 @@ if (isset($error)) {
?> ?>
<form action="mail_doedit.php" method="post" name="main" id="main" autocomplete="off"> <form action="mail_doedit.php" method="post" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields --> <!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" /> <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" /> <input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

2
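--- a/bureau/admin/mail_list.php
+++ b/bureau/admin/mail_list.php
@@ -77,6 +77,7 @@ if ($fatal) {
 <td>
 <?php if ($quota->cancreate("mail")) { ?>
 <form method="post" action="mail_doadd.php" id="main" name="mail_create">
+<?php csrf_get(); ?>
 <input type="text" class="int intleft" style="text-align: right" name="mail_arg" value="<?php ehe($mail_arg); ?>" size="24" id="mail_arg" maxlength="255" /><span id="emaildom" class="int intright"><?php echo "@".$domain; ?></span>
 <input type="hidden" name="domain_id" value="<?php echo $domain_id;?>" />
 <input type="submit" name="submit" class="inb add" value="<?php __("Create this email address"); ?>" onClick="return false_if_empty('mail_arg', '<?php echo addslashes(_("Can't have empty mail."));?>');" />
@@ -122,6 +123,7 @@ if (empty($allmails_list) && empty($search)) {
 </td></tr></table>
 <form method="post" action="mail_del.php">
+<?php csrf_get(); ?>
 <input type="hidden" name="domain_id" value="<?php echo $domain_id; ?>" />
 <table class="tlist">
 <tr><th></th><th></th><th><?php __("Enabled");?></th><th style="text-align:right"><?php __("Address"); ?></th><th><?php __("Pop/Imap"); ?></th><th><?php __("Other recipients"); ?></th><th><?php __("Last login time"); ?></th></tr>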

4
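--- a/bureau/admin/mem_param.php
+++ b/bureau/admin/mem_param.php
@@ -78,6 +78,7 @@ echo "<p>";
 __("help_chg_passwd"); ?>
 </p>
 <form method="post" action="mem_passwd.php" name="main" id="main" autocomplete="off">
+<?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
@@ -96,6 +97,7 @@ echo "<p>";
 <div id="tabsmem-mail">
 <h3><?php __("Change the email of the account"); ?></h3>
 <form method="post" action="mem_chgmail.php">
+<?php csrf_get(); ?>
 <table border="1" cellspacing="0" cellpadding="4" class="tedit">
 <tr><td colspan="2"><?php __("help_chg_mail"); ?></td></tr>
 <tr><th><?php __("Current mailbox"); ?></th><td><big><code><?php echo $mem->user["mail"]; ?></code></big></td></tr>
@@ -107,6 +109,7 @@ echo "<p>";
 <div id="tabsmem-help">
 <h3><?php __("Online help settings"); ?></h3>
 <form method="post" action="mem_param.php">
+<?php csrf_get(); ?>
 <table border="1" cellspacing="0" cellpadding="4" class="tedit">
 <tr><td colspan="2"><?php __("help_help_settings"); ?></td></tr>
 <tr><th><label for="showhelp"><?php __("Do you want to see the help texts and links on each page?"); ?></label></th><td><input type="checkbox" class="inc" id="showhelp" name="showhelp" value="1" <?php if ($mem->get_help_param()) echo "checked=\"checked\""; ?> /></td></tr>
@@ -120,6 +123,7 @@ if ($mem->user["su"]) {
 <div id="tabsmem-admin">
 <h3><?php __("Admin preferences"); ?></h3>
 <form method="post" action="mem_admin.php">
+<?php csrf_get(); ?>
 <table border="1" cellspacing="0" cellpadding="4" class="tedit">
 <tr><th><?php __("Members list view"); ?></th><td><select name="admlist" class="inl">
 <option value="0"<?php if ($mem->user["admlist"]==0) echo " selected=\"selected\""; ?>><?php __("Large view"); ?></option>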

1
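--- a/bureau/admin/piwik_site_dodel.php
+++ b/bureau/admin/piwik_site_dodel.php
@@ -66,6 +66,7 @@ include_once('head.php');
 <br />
 <form method="post" action="piwik_site_dodel.php" name="main" id="main">
+<?php csrf_get(); ?>
 <input type="hidden" name="siteid" value="<?php echo $siteid;?>" />
 <input type="submit" class="inb" name="confirm_del" value="<?php __("Delete")?>" />
 <input type="button" class="inb" name="cancel" value="<?php __("Cancel"); ?>" onclick="document.location='piwik_sitelist.php'" />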

2
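--- a/bureau/admin/piwik_sitelist.php
+++ b/bureau/admin/piwik_sitelist.php
@@ -82,6 +82,7 @@ if ($quota->cancreate("piwik")) {
 ?>
 <h3><?php __("Add a new website");?></h3>
 <form method="post" action="piwik_addsites.php" id="main" name="addsites" >
+<?php csrf_get(); ?>
 <input type="text" class="int" name="site_urls" size="50" id="site_name" maxlength="255" value="" placeholder="<?php __("URL of the website")?>"/>
 <input type="submit" name="submit" class="inb" value="<?php __("Create"); ?>" />
 </form>
@@ -162,6 +163,7 @@ foreach ($sitelist as $site ){
 // If a site was selected
 if ($site_id != -1 && in_array($site_id, $piwik_alternc_sites)) {
 echo '<form method="post">';
+csrf_get();
 echo '<dl>';
 foreach ($piwik->get_users_access_from_site($site_id) AS $piwik_user => $cred) {
 printf("<dt>%s:</dt>\n\t<dd>%s</dd>\n", $piwik_user, piwik_right_widget('right', $piwik_user, $cred));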

1
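--- a/bureau/admin/piwik_user_dodel.php
+++ b/bureau/admin/piwik_user_dodel.php
@@ -64,6 +64,7 @@ include_once('head.php');
 <br />
 <form method="post" action="piwik_user_dodel.php" name="main" id="main">
+<?php csrf_get(); ?>
 <input type="hidden" name="login" value="<?php echo $login;?>" />
 <input type="submit" class="inb" name="confirm_del" value="<?php __("Delete")?>" />
 <input type="button" class="inb" name="cancel" value="<?php __("Cancel"); ?>" onclick="document.location='piwik_userlist.php'" />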

1
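--- a/bureau/admin/piwik_useradmin.php
+++ b/bureau/admin/piwik_useradmin.php
@@ -131,6 +131,7 @@ if (count($available_user_sites)>0)
 foreach ($available_user_sites AS $current_id_site => $available_user_site)
 {
 printf('<li>%s <form method="post"><input type="hidden" name="site_id" value="%d">
+<input type="hidden" name="csrf" value="'.csrf_get(true).'" />
 <select name="right">
 <option value="noaccess">%s</option>
 <option value="view">%s</option>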

2
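--- a/bureau/admin/piwik_userlist.php
+++ b/bureau/admin/piwik_userlist.php
@@ -40,6 +40,7 @@ if ($quota->cancreate("piwik")) {
 ?>
 <h3><?php __("Create a new piwik account");?></h3>
 <form method="post" action="piwik_addaccount.php" id="main" name="addaccount" >
+<?php csrf_get(); ?>
 <input type="text" class="int" name="account_name" size="20" id="account_name" maxlength="32" value="<?php if ($quotapiwik['u']==0) {echo $mem->user["login"];}?>"/>
 <input type="submit" name="submit" class="inb" value="<?php __("Create"); ?>" />
 </form>
@@ -52,6 +53,7 @@ if ($quotapiwik['u']>0) {
 ?>
 <h3><?php __("Add a new website");?></h3>
 <form method="post" action="piwik_addsites.php" id="main" name="addsites" >
+<?php csrf_get(); ?>
 <input type="text" class="int" name="site_urls" size="50" id="site_name" maxlength="255" value="" placeholder="<?php __("URL of the website")?>"/>
 <input type="submit" name="submit" class="inb" value="<?php __("Create"); ?>" />
 </form>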

1
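--- a/bureau/admin/sql_bck.php
+++ b/bureau/admin/sql_bck.php
@@ -65,6 +65,7 @@ if (is_array($r)) {
 <h3><?php printf(_("Manage the SQL backup for database %s"),$r["db"]); ?></h3>
 <form action="sql_dobck.php" method="post" id="main" name="main">
+<?php csrf_get(); ?>
 <table class="tedit">
 <tr>
 <th><label><?php __("Do MySQL backup?"); ?></label></th>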

1
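--- a/bureau/admin/sql_del.php
+++ b/bureau/admin/sql_del.php
@@ -75,6 +75,7 @@ if (!$found) {
 <p class="alert alert-warning"><?php __("WARNING"); ?></big><br /><?php __("Confirm the deletion of the following SQL databases"); ?><br />
 <?php __("This will delete all the tables currently in those db."); ?></p>
 <form method="post" action="sql_del.php" id="main">
+<?php csrf_get(); ?>
 <p>
 <input type="hidden" name="confirm" value="y" />
 <?php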

2
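--- a/bureau/admin/sql_list.php
+++ b/bureau/admin/sql_list.php
@@ -50,6 +50,7 @@ $r=$mysql->get_userslist();
 if($rdb){
 ?>
 <form method="post" action="sql_del.php" name="main" id="main">
+<?php csrf_get(); ?>
 <table class="tlist">
 <tr><th>&nbsp;</th><th><?php __("Database"); ?></th><?php if ( variable_get('sql_allow_users_backups') ) { ?><th><?php __("Backup"); ?></th><?php } // sql_allow_users_backups ?><th><?php __("Restore"); ?></th><th><?php __("Show Settings"); ?></th><th><?php __("Size"); ?></th></tr>
@@ -91,6 +92,7 @@ for($i=0;$i<count($rdb);$i++) {
 <?php }else{
 ?>
 <form method="post" action="sql_doadd.php" id="main2" name="main2">
+<?php csrf_get(); ?>
 <table class="tedit">
 <tr>
 <th><label for="dbn"><?php __("MySQL Database"); ?></label></th>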

1
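--- a/bureau/admin/sql_restore.php
+++ b/bureau/admin/sql_restore.php
@@ -62,6 +62,7 @@ __("Warning: Write the complete path and the filename. <br />For example if your
 echo "</p>";
 ?>
 <form action="sql_dorestore.php" method="post">
+<?php csrf_get(); ?>
 <input type="hidden" name="id" value="<?php echo $id ?>" />
 <p><label for="restfile"><?php __("Please enter the path and the filename containing SQL data to be restored."); ?></label></p>
 <p><input type="text" class="int" id="restfile" name="restfile" size="35" maxlength="255" value="<?php ehe($filename); ?>" /> <input class="inb" type="submit" name="submit" onClick='return restfilenotempty();' value="<?php __("Restore my database"); ?>" /><i><?php __("Tip: you can restore a file directly in the File Browser");?></i></p>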

1
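--- a/bureau/admin/sql_users_add.php
+++ b/bureau/admin/sql_users_add.php
@@ -54,6 +54,7 @@ getFields($fields);
 }
 ?>
 <form method="post" action="sql_users_doadd.php" id="main" name="main" autocomplete="off">
+<?php csrf_get(); ?>
 <!-- honeypot fields -->
 <input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />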

2
bureau/admin/sql_users_del.php Normal file → Executable file

@ -32,6 +32,7 @@ $fields = array (
"confirm" => array ("post", "string", ""), "confirm" => array ("post", "string", ""),
); );
getFields($fields); getFields($fields);
if(!isset($error)){ if(!isset($error)){
$error=""; $error="";
} }
@ -61,6 +62,7 @@ include_once("head.php");
<p class="alert alert-warning"><?php __("WARNING"); ?></big><br /><?php __("Confirm the deletion of the following MySQL users"); ?><br /> <p class="alert alert-warning"><?php __("WARNING"); ?></big><br /><?php __("Confirm the deletion of the following MySQL users"); ?><br />
</p> </p>
<form method="post" action="sql_users_del.php" id="main"> <form method="post" action="sql_users_del.php" id="main">
<?php csrf_get(); ?>
<p> <p>
<input type="hidden" name="confirm" value="y" /> <input type="hidden" name="confirm" value="y" />
<?php <?php

1
bureau/admin/sql_users_doadd.php Normal file → Executable file

@ -36,7 +36,6 @@ $fields = array (
); );
getFields($fields); getFields($fields);
if(!empty($usern)){ if(!empty($usern)){
if (!$mysql->add_user($usern,$password,$passconf)) { if (!$mysql->add_user($usern,$password,$passconf)) {
$error=$err->errstr(); $error=$err->errstr();

1
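--- a/bureau/admin/sql_users_list.php
+++ b/bureau/admin/sql_users_list.php
@@ -47,6 +47,7 @@ if (isset($error) && $error) {
 if($r){ // if there is some userlist
 ?>
 <form method="post" action="sql_users_del.php">
+<?php csrf_get(); ?>
 <table cellspacing="0" cellpadding="4" class="tlist">
 <tr><th>&nbsp;</th><th><?php __("User"); ?></th><th><?php __("Rights"); ?></th><th><?php __("Password");?></th></tr>
 <?php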

1
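--- a/bureau/admin/sql_users_password.php
+++ b/bureau/admin/sql_users_password.php
@@ -53,6 +53,7 @@ if (! empty($error) ) {
 ?>
 <form method="post" action="sql_users_dopassword.php" autocomplete="off">
+<?php csrf_get(); ?>
 <input type="hidden" name="id" value="<?php echo $id; ?>" />
 <!-- honeypot fields -->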

1
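--- a/bureau/admin/sql_users_rights.php
+++ b/bureau/admin/sql_users_rights.php
@@ -54,6 +54,7 @@ if ($r) {
 ?>
 <form method="post" action="sql_users_dorights.php">
+<?php csrf_get(); ?>
 <input type="hidden" name="id" value="<?php echo $id; ?>" />
 <table cellspacing="0" cellpadding="4" class="tlist ombrage">
 <tr class="petit">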

2
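--- a/bureau/admin/vm.php
+++ b/bureau/admin/vm.php
@@ -68,6 +68,7 @@ include_once("head.php");
 ?>
 <p class="alert alert-info"><?php __("You can start a virtual machine."); ?></p>
 <form method="post" action="vm.php">
+<?php csrf_get(); ?>
 <input type="hidden" name="action" value="start" />
 <input type="submit" class="inb ok" name="go" value="<?php __("Click here to start a virtual machine."); ?>" />
 </form>
@@ -85,6 +86,7 @@ include_once("head.php");
 ?>
 <p class="alert alert-info"><?php __("You can stop your virtual machine."); ?></p>
 <form method="post" action="vm.php">
+<?php csrf_get(); ?>
 <input type="hidden" name="action" value="stop" />
 <input type="submit" class="inb cancel" name="go" value="<?php __("Click here to stop your running virtual machine."); ?>" />
 </form>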

11
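--- a/bureau/class/config.php
+++ b/bureau/class/config.php
@@ -209,6 +209,17 @@ if ($oldid && $oldid != $cuid) {
 $isinvited = true;
 }
+// CHECK CSRF for ALL POSTS :
+// you MUST add <?php csrf_get(); ?> after ALL <form method="post" in AlternC !
+if (count($_POST)) {
+if (csrf_check()<=0) {
+$error=$err->errstr();
+require_once("main.php");
+exit();
+}
+}
 // Init some vars
 variable_get('hosting_tld', '', 'This is a FQDN that designates the main hostname of the service. For example, hosting_tld determines in what TLD the "free" user domain is created. If this is set to "example.com", a checkbox will appear in the user creation dialog requesting the creator if he wants to create the domain "username.example.com".', array('desc' => 'Wanted FQDN', 'type' => 'string'));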
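Review bot: The gate `if (count($_POST)) {` runs the token check only when PHP parsed at least one ordinary form field, so a POST whose body is empty, carries only file parts (`$_FILES`) or is not form-encoded reaches the page logic without any CSRF verification; keying the guard on the method instead, `if ($_SERVER['REQUEST_METHOD'] === 'POST') {`, makes the check independent of how the body happened to parse. The check is also silent for state-changing requests made with GET; whether any action script in this tree accepts its parameters from a plain link cannot be confirmed from this hunk, but if one does it stays unprotected and should be switched to a POST form with `csrf_get()`. The comment `// you MUST add <?php csrf_get(); ?> after ALL <form method="post" in AlternC !` would be more useful if it also named what happens on failure, e.g. `// on failure $error is set from $err and main.php is rendered instead of the requested page`. This block is top-level code in config.php, not inside a function.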

14
bureau/class/functions.php Normal file → Executable file

@ -1080,14 +1080,20 @@ function panel_islocked() {
* to the session cookie. We also need the $db pdo object * to the session cookie. We also need the $db pdo object
* @return the csrf cookie to add into a csrf hidden field in your form * @return the csrf cookie to add into a csrf hidden field in your form
*/ */
function csrf_get() { function csrf_get($return=false) {
global $db; global $db;
static $token="";
if (!isset($_SESSION["csrf"])) { if (!isset($_SESSION["csrf"])) {
$_SESSION["csrf"]=md5(rand().rand().rand()); $_SESSION["csrf"]=md5(rand().rand().rand());
} }
if ($token=="") {
$token=md5(rand().rand().rand()); $token=md5(rand().rand().rand());
$db->query("INSERT INTO csrf SET cookie=?, token=?, created=NOW(), used=0;",array($_SESSION["csrf"],$token)); $db->query("INSERT INTO csrf SET cookie=?, token=?, created=NOW(), used=0;",array($_SESSION["csrf"],$token));
}
if ($return)
return $token; return $token;
echo '<input type="hidden" name="csrf" value="'.$token.'" />';
return true;
} }
/** Check a CSRF token against the current session /** Check a CSRF token against the current session
@ -1096,8 +1102,11 @@ function csrf_get() {
* @return $result integer 0 for invalid token, 1 for good token, -1 for expired token (already used) * @return $result integer 0 for invalid token, 1 for good token, -1 for expired token (already used)
* if a token is invalid or expired, an $err is raised, that can be displayed * if a token is invalid or expired, an $err is raised, that can be displayed
*/ */
function csrf_check($token) { function csrf_check($token=null) {
global $db,$err; global $db,$err;
if (is_null($token)) $token=$_POST["csrf"];
if (!isset($_SESSION["csrf"])) { if (!isset($_SESSION["csrf"])) {
$err->raise("functions", _("The posted form token is incorrect. Maybe you need to allow cookies")); $err->raise("functions", _("The posted form token is incorrect. Maybe you need to allow cookies"));
return 0; // no csrf cookie :/ return 0; // no csrf cookie :/
@ -1121,5 +1130,6 @@ function csrf_check($token) {
return -1; // expired return -1; // expired
} }
$db->query("UPDATE csrf SET used=1 WHERE cookie=? AND token=?;",array($_SESSION["csrf"],$token)); $db->query("UPDATE csrf SET used=1 WHERE cookie=? AND token=?;",array($_SESSION["csrf"],$token));
$db->exec("DELETE FROM csrf WHERE created<DATE_SUB(NOW(), INTERVAL 1 DAY);");
return 1; return 1;
} }
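Review bot: In csrf_check the new line `if (is_null($token)) $token=$_POST["csrf"];` indexes `$_POST` without checking the key exists, so a POST from a form that has not yet received its `<?php csrf_get(); ?>` raises an undefined-index notice before the token is rejected; use `if (is_null($token)) $token = isset($_POST["csrf"]) ? $_POST["csrf"] : "";` so the failure path is a clean `return 0`. The docblock above `function csrf_get($return=false)` (context lines of the first hunk) still says the function returns the token for the caller to embed, but the new body echoes the hidden input and returns `true` unless `$return` is set; add `@param bool $return true to return the token instead of echoing the hidden <input> field` and correct the `@return` line. The new `static $token` also means every form rendered in one request shares a single-use token, so on pages with several forms (mem_param.php, piwik_useradmin.php) the second form submitted from the same rendering will fail with -1; that trade-off deserves a comment on the static, e.g. `// one token per request: all forms on the page share it and it is consumed by the first successful check`. The pre-existing token source `md5(rand().rand().rand())` is not a cryptographic generator and now guards every form in the panel; `openssl_random_pseudo_bytes()` (or `random_bytes()` where available) would be the appropriate source.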

0
bureau/class/local.php Normal file → Executable file

2
install/upgrades/3.4.5.sql Normal file → Executable file

@ -7,4 +7,4 @@ CREATE TABLE IF NOT EXISTS `csrf` (
`used` tinyint(3) unsigned NOT NULL DEFAULT '0' `used` tinyint(3) unsigned NOT NULL DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COMMENT='csrf tokens for AlternC forms'; ) ENGINE=InnoDB DEFAULT CHARSET=latin1 COMMENT='csrf tokens for AlternC forms';
ALTER TABLE `csrf` ADD PRIMARY KEY (`session`,`token`), ADD KEY `created` (`created`); ALTER TABLE `csrf` ADD PRIMARY KEY (`cookie`,`token`), ADD KEY `created` (`created`);