From 5b1a14f9ea93d8e4f9d90111fd1e95026a88c512 Mon Sep 17 00:00:00 2001 From: Thomas Tanghus Date: Thu, 14 Jun 2012 18:00:13 +0200 Subject: [PATCH] Contacts: Implement CSRF prevention. --- apps/contacts/ajax/activation.php | 1 + apps/contacts/ajax/addcontact.php | 8 +------- apps/contacts/ajax/addproperty.php | 1 + apps/contacts/ajax/createaddressbook.php | 1 + apps/contacts/ajax/cropphoto.php | 4 +++- apps/contacts/ajax/deletebook.php | 1 + apps/contacts/ajax/deletecard.php | 1 + apps/contacts/ajax/deleteproperty.php | 1 + apps/contacts/ajax/oc_photo.php | 1 + apps/contacts/ajax/savecrop.php | 23 ++++++++++++++-------- apps/contacts/ajax/saveproperty.php | 1 + apps/contacts/ajax/updateaddressbook.php | 1 + apps/contacts/ajax/uploadimport.php | 6 +----- apps/contacts/ajax/uploadphoto.php | 18 +++++++++-------- apps/contacts/js/contacts.js | 4 ++-- apps/contacts/templates/part.contact.php | 1 + apps/contacts/templates/part.cropphoto.php | 2 ++ core/templates/layout.user.php | 2 +- 18 files changed, 45 insertions(+), 32 deletions(-) diff --git a/apps/contacts/ajax/activation.php b/apps/contacts/ajax/activation.php index 388a3b5438..74cb738ab8 100644 --- a/apps/contacts/ajax/activation.php +++ b/apps/contacts/ajax/activation.php @@ -10,6 +10,7 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); $bookid = $_POST['bookid']; $book = OC_Contacts_App::getAddressbook($bookid);// is owner access check diff --git a/apps/contacts/ajax/addcontact.php b/apps/contacts/ajax/addcontact.php index ee451098f1..d15ad8c621 100644 --- a/apps/contacts/ajax/addcontact.php +++ b/apps/contacts/ajax/addcontact.php 
@@ -27,17 +27,11 @@ function bailOut($msg) { OCP\Util::writeLog('contacts','ajax/addcontact.php: '.$msg, OCP\Util::DEBUG); exit(); } -function debug($msg) { - OCP\Util::writeLog('contacts','ajax/addcontact.php: '.$msg, OCP\Util::DEBUG); -} // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); - -foreach ($_POST as $key=>$element) { - debug('_POST: '.$key.'=>'.$element); -} +OCP\JSON::callCheck(); $aid = isset($_POST['aid'])?$_POST['aid']:null; if(!$aid) { diff --git a/apps/contacts/ajax/addproperty.php b/apps/contacts/ajax/addproperty.php index 97d38397fd..be9e849be7 100644 --- a/apps/contacts/ajax/addproperty.php +++ b/apps/contacts/ajax/addproperty.php @@ -26,6 +26,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); function bailOut($msg) { OCP\JSON::error(array('data' => array('message' => $msg))); diff --git a/apps/contacts/ajax/createaddressbook.php b/apps/contacts/ajax/createaddressbook.php index af7c19eef5..616766bb1a 100644 --- a/apps/contacts/ajax/createaddressbook.php +++ b/apps/contacts/ajax/createaddressbook.php @@ -11,6 +11,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); $userid = OCP\USER::getUser(); $name = trim(strip_tags($_POST['name'])); diff --git a/apps/contacts/ajax/cropphoto.php b/apps/contacts/ajax/cropphoto.php index 7b286dbdb5..7006c6fc1f 100644 --- a/apps/contacts/ajax/cropphoto.php +++ b/apps/contacts/ajax/cropphoto.php 
@@ -27,12 +27,14 @@ OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); -$tmp_path = $_GET['tmp_path']; +$tmp_path = strip_tags($_GET['tmp_path']); +$requesttoken = strip_tags($_GET['requesttoken']); $id = $_GET['id']; OCP\Util::writeLog('contacts','ajax/cropphoto.php: tmp_path: '.$tmp_path.', exists: '.file_exists($tmp_path), OCP\Util::DEBUG); $tmpl = new OCP\Template("contacts", "part.cropphoto"); $tmpl->assign('tmp_path', $tmp_path); $tmpl->assign('id', $id); +$tmpl->assign('requesttoken', $requesttoken); $page = $tmpl->fetchPage(); OCP\JSON::success(array('data' => array( 'page' => $page ))); diff --git a/apps/contacts/ajax/deletebook.php b/apps/contacts/ajax/deletebook.php index bcf6aa4432..4520374a23 100644 --- a/apps/contacts/ajax/deletebook.php +++ b/apps/contacts/ajax/deletebook.php @@ -26,6 +26,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); //$id = $_GET['id']; $id = $_POST['id']; diff --git a/apps/contacts/ajax/deletecard.php b/apps/contacts/ajax/deletecard.php index 98ff06ebe7..f998185be4 100644 --- a/apps/contacts/ajax/deletecard.php +++ b/apps/contacts/ajax/deletecard.php @@ -31,6 +31,7 @@ function bailOut($msg) { // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); $id = isset($_POST['id'])?$_POST['id']:null; if(!$id) { diff --git a/apps/contacts/ajax/deleteproperty.php b/apps/contacts/ajax/deleteproperty.php index a137287034..95fd43e0d9 100644 --- a/apps/contacts/ajax/deleteproperty.php +++ b/apps/contacts/ajax/deleteproperty.php @@ -26,6 +26,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); $id = $_POST['id']; $checksum = $_POST['checksum']; diff --git a/apps/contacts/ajax/oc_photo.php b/apps/contacts/ajax/oc_photo.php index 184217f2b7..903d2aedfb 100644 --- a/apps/contacts/ajax/oc_photo.php +++ b/apps/contacts/ajax/oc_photo.php 
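Review bot: cropphoto.php is the one handler in this series that reads `requesttoken` (from `$_GET`, second added line) without ever calling `OCP\JSON::callCheck()` — the token is only copied into the template, so the request itself is never validated, whereas every other ajax file in the patch gets `OCP\JSON::callCheck();` right after `checkAppEnabled()` and this one should too. `strip_tags()` is not validation for either value: `$tmp_path` still goes from the query string straight into `file_exists()` and the template, and both reads raise a notice when the parameter is absent. Suggest `$tmp_path = isset($_GET['tmp_path']) ? strip_tags($_GET['tmp_path']) : '';` and the same for `$requesttoken`, plus a check that the path lies in the expected temporary location before it reaches `file_exists()` (where `tmp_path` originates is not visible in this hunk).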
@@ -24,6 +24,7 @@ OCP\JSON::setContentTypeHeader('text/plain'); OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); function bailOut($msg) { OCP\JSON::error(array('data' => array('message' => $msg))); OCP\Util::writeLog('contacts','ajax/oc_photo.php: '.$msg, OCP\Util::ERROR); diff --git a/apps/contacts/ajax/savecrop.php b/apps/contacts/ajax/savecrop.php index fe9e5c5b99..263361bafc 100644 --- a/apps/contacts/ajax/savecrop.php +++ b/apps/contacts/ajax/savecrop.php @@ -21,13 +21,26 @@ * TODO: Translatable strings. * Remember to delete tmp file at some point. */ -// Init owncloud -OCP\Util::writeLog('contacts','ajax/savecrop.php: Huzzah!!!', OCP\Util::DEBUG); +function bailOut($msg) { + OCP\JSON::error(array('data' => array('message' => $msg))); + OCP\Util::writeLog('contacts','ajax/savecrop.php: '.$msg, OCP\Util::DEBUG); + exit(); +} +function debug($msg) { + OCP\Util::writeLog('contacts','ajax/savecrop.php: '.$msg, OCP\Util::DEBUG); +} // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +foreach($_POST as $key=>$value) { + debug('POST: '.$key.'=>'.$value); +} +foreach($_GET as $key=>$value) { + debug('GET: '.$key.'=>'.$value); +} +OCP\JSON::callCheck(); // foreach ($_POST as $key=>$element) { // OCP\Util::writeLog('contacts','ajax/savecrop.php: '.$key.'=>'.$element, OCP\Util::DEBUG); @@ -36,12 +49,6 @@ OCP\JSON::checkAppEnabled('contacts'); // Firefox and Konqueror tries to download application/json for me. --Arthur OCP\JSON::setContentTypeHeader('text/plain'); -function bailOut($msg) { - OCP\JSON::error(array('data' => array('message' => $msg))); - OCP\Util::writeLog('contacts','ajax/savecrop.php: '.$msg, OCP\Util::DEBUG); - exit(); -} - $image = null; $x1 = (isset($_POST['x1']) && $_POST['x1']) ? $_POST['x1'] : 0; diff --git a/apps/contacts/ajax/saveproperty.php b/apps/contacts/ajax/saveproperty.php index 6509ac21f2..96e082d00e 100644 --- a/apps/contacts/ajax/saveproperty.php 
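Review bot: The two `foreach` loops added to savecrop.php write every `$_GET` and `$_POST` parameter — including the new `requesttoken` — to the ownCloud log at DEBUG level, and they run before `OCP\JSON::callCheck()`, so even a request that fails the CSRF check is logged in full; the same loops are added in uploadphoto.php (hunk `@@ -35,6 +27,16 @@`). The commit removes an identical loop from addcontact.php, which suggests this is leftover debugging rather than intended behaviour, and `'POST: '.$key.'=>'.$value` will also emit an array-to-string notice for any array-valued field. Drop both loops (and the `debug()` helper if nothing else in the file uses it), or at minimum move them after `callCheck()` and skip the `requesttoken` key.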
+++ b/apps/contacts/ajax/saveproperty.php @@ -26,6 +26,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); function bailOut($msg) { OCP\JSON::error(array('data' => array('message' => $msg))); diff --git a/apps/contacts/ajax/updateaddressbook.php b/apps/contacts/ajax/updateaddressbook.php index 19b5b3bddc..68fe8f8121 100644 --- a/apps/contacts/ajax/updateaddressbook.php +++ b/apps/contacts/ajax/updateaddressbook.php @@ -11,6 +11,7 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); $bookid = $_POST['id']; OC_Contacts_App::getAddressbook($bookid); // is owner access check diff --git a/apps/contacts/ajax/uploadimport.php b/apps/contacts/ajax/uploadimport.php index b11f380fa8..4c3f5eadf0 100644 --- a/apps/contacts/ajax/uploadimport.php +++ b/apps/contacts/ajax/uploadimport.php @@ -23,14 +23,12 @@ // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('contacts'); +OCP\JSON::callCheck(); function bailOut($msg) { OCP\JSON::error(array('data' => array('message' => $msg))); OCP\Util::writeLog('contacts','ajax/uploadimport.php: '.$msg, OCP\Util::ERROR); exit(); } -function debug($msg) { - OCP\Util::writeLog('contacts','ajax/uploadimport.php: '.$msg, OCP\Util::DEBUG); -} $view = OCP\Files::getStorage('contacts'); $tmpfile = md5(rand()); @@ -39,7 +37,6 @@ $tmpfile = md5(rand()); $fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false); if($fn) { if($view->file_put_contents('/'.$tmpfile, file_get_contents('php://input'))) { - debug($fn.' uploaded'); OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile))); exit(); } else { 
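Review bot: Nothing in this patch updates the client that submits to uploadimport.php, so the `OCP\JSON::callCheck();` added in hunk `@@ -23,14 +23,12 @@` may reject every import: the only JavaScript change is in contacts.js for cropphoto and uploadphoto. Unless the import uploader already sends `requesttoken`, it needs the same treatment — in the form body for the `$_FILES` path and in the URL for the `php://input` path, as the uploadphoto change does. Worth confirming against the import client before merging.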
@@ -70,7 +67,6 @@ $file=$_FILES['importfile']; $tmpfname = tempnam(get_temp_dir(), "occOrig"); if(file_exists($file['tmp_name'])) { if($view->file_put_contents('/'.$tmpfile, file_get_contents($file['tmp_name']))) { - debug($fn.' uploaded'); OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile))); } else { bailOut(OC_Contacts_App::$l10n->t('Error uploading contacts to storage.')); diff --git a/apps/contacts/ajax/uploadphoto.php b/apps/contacts/ajax/uploadphoto.php index dca8ede6d6..2dc93362a1 100644 --- a/apps/contacts/ajax/uploadphoto.php +++ b/apps/contacts/ajax/uploadphoto.php @@ -19,14 +19,6 @@ * License along with this library. If not, see . * */ -// Init owncloud - - -// Check if we are a user -// Firefox and Konqueror tries to download application/json for me. --Arthur -OCP\JSON::setContentTypeHeader('text/plain'); -OCP\JSON::checkLoggedIn(); -OCP\JSON::checkAppEnabled('contacts'); function bailOut($msg) { OCP\JSON::error(array('data' => array('message' => $msg))); OCP\Util::writeLog('contacts','ajax/uploadphoto.php: '.$msg, OCP\Util::DEBUG); @@ -35,6 +27,16 @@ function bailOut($msg) { function debug($msg) { OCP\Util::writeLog('contacts','ajax/uploadphoto.php: '.$msg, OCP\Util::DEBUG); } +OCP\JSON::setContentTypeHeader('text/plain'); +OCP\JSON::checkLoggedIn(); +OCP\JSON::checkAppEnabled('contacts'); +foreach($_POST as $key=>$value) { + debug('POST: '.$key.'=>'.$value); +} +foreach($_GET as $key=>$value) { + debug('GET: '.$key.'=>'.$value); +} +OCP\JSON::callCheck(); // If it is a Drag'n'Drop transfer it's handled here. $fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false); diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js index 4f8f3743dc..4365995686 100644 --- a/apps/contacts/js/contacts.js +++ b/apps/contacts/js/contacts.js 
@@ -1150,7 +1150,7 @@ Contacts={ }, editPhoto:function(id, tmp_path){ //alert('editPhoto: ' + tmp_path); - $.getJSON(OC.filePath('contacts', 'ajax', 'cropphoto.php'),{'tmp_path':tmp_path,'id':this.id},function(jsondata){ + $.getJSON(OC.filePath('contacts', 'ajax', 'cropphoto.php'),{'tmp_path':tmp_path,'id':this.id,'requesttoken':requesttoken},function(jsondata){ if(jsondata.status == 'success'){ //alert(jsondata.data.page); $('#edit_photo_dialog_img').html(jsondata.data.page); @@ -1637,7 +1637,7 @@ $(document).ready(function(){ //} } }; - xhr.open('POST', OC.filePath('contacts', 'ajax', 'uploadphoto.php')+'?id='+Contacts.UI.Card.id+'&imagefile='+encodeURIComponent(file.name), true); + xhr.open('POST', OC.filePath('contacts', 'ajax', 'uploadphoto.php')+'?id='+Contacts.UI.Card.id+'&requesttoken='+requesttoken+'&imagefile='+encodeURIComponent(file.name), true); xhr.setRequestHeader('Cache-Control', 'no-cache'); xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest'); xhr.setRequestHeader('X_FILE_NAME', encodeURIComponent(file.name)); diff --git a/apps/contacts/templates/part.contact.php b/apps/contacts/templates/part.contact.php index 74522be37c..9a13aafa5e 100644 --- a/apps/contacts/templates/part.contact.php +++ b/apps/contacts/templates/part.contact.php @@ -4,6 +4,7 @@ $id = isset($_['id']) ? $_['id'] : '';
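Review bot: In the `xhr.open` change (hunk `@@ -1637,7 +1637,7 @@`) the token is appended to the query string of a POST whose body is the raw file, and in `editPhoto` it is sent as a GET parameter, so in both cases the anti-CSRF token ends up in web-server and proxy access logs. Whether `OCP\JSON::callCheck()` accepts the token from `$_GET` at all is not visible here — if it only reads `$_POST`, the uploadphoto request will be rejected — so that should be confirmed. `requesttoken` is used as a bare global in both places; the patch presumably defines it in core/templates/layout.user.php (listed in the diffstat but not in view), and a comment such as `// requesttoken: global injected by core/templates/layout.user.php` would help the next reader. For the raw-body upload a request header would keep the token out of the URL, if the server-side check can be taught to read it.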
+ diff --git a/apps/contacts/templates/part.cropphoto.php b/apps/contacts/templates/part.cropphoto.php index 599951d9a9..e107217913 100644 --- a/apps/contacts/templates/part.cropphoto.php +++ b/apps/contacts/templates/part.cropphoto.php @@ -1,6 +1,7 @@