From: Alex Dehnert
Date: Thu, 7 Apr 2011 06:26:14 +0000 (+0000)
Subject: Fix CSRF vulnerabilities
X-Git-Url: http://andersk.mit.edu/gitweb/sql-web.git/commitdiff_plain/96f685938defc906144aa50fe129f7343e9c73ea
Fix CSRF vulnerabilities
git-svn-id: svn://sql.mit.edu/sql@193 a142d4bd-2cfb-0310-9673-cb33a7e74f58
---
diff --git a/main.php b/main.php
index 4551be7..b4935af 100644
--- a/main.php
+++ b/main.php
@@ -9,16 +9,27 @@ require_once('proc.lib.php');
 if (!isLoggedIn()) redirect('index');
+if(!isset($_SESSION['csrf_token']))
+{
+ $n = rand(10e16, 10e20);
+ $_SESSION['csrf_token'] = base_convert($n, 10, 36);
+}
+
 $err1 = $msg1 = array();
 $User = new User($Login->getUserID());
 if (isPost()) {
- if (isset($i_newdb)) {
- list($msg1, $err1) = proc::newdb($User, $i_newdb);
- }
- if (isset($i_drop)) {
- list($msg1, $err1) = proc::drop($User, $i_drop);
+ if($_SESSION['csrf_token'] != $_POST['csrf_token'])
+ {
+ $err1[] = "CSRF token incorrect or not found. Try submitting again.";
+ } else {
+ if (isset($i_newdb)) {
+ list($msg1, $err1) = proc::newdb($User, $i_newdb);
+ }
+ if (isset($i_drop)) {
+ list($msg1, $err1) = proc::drop($User, $i_drop);
+ }
 }
 }
diff --git a/tpl/main.php b/tpl/main.php
index 2a605dd..fc642dd 100644
--- a/tpl/main.php
+++ b/tpl/main.php
@@ -15,12 +15,14 @@ if (isset($i_dropask)) {
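Review bot: The token generated in the new `if(!isset($_SESSION['csrf_token']))` block is not a suitable CSRF secret: `rand()` is not a cryptographically secure generator, and its float arguments `10e16`/`10e20` lie outside the integer range `rand()` accepts (1e21 exceeds PHP_INT_MAX even on 64-bit builds), so the effective range after conversion is undefined and likely far smaller than intended. Replace the two lines with `$_SESSION['csrf_token'] = bin2hex(random_bytes(16));` (or `openssl_random_pseudo_bytes()` on a PHP version without `random_bytes`). The check inside the `isPost()` branch reads `$_POST['csrf_token']` without an `isset`, which emits a notice for any POST that omits the field, and compares with loose `!=`; write it as `if (!isset($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token']))` so the comparison is strict and constant-time. The `if (isPost())` block closes within the hunk, but the rest of main.php is outside it.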

Databases

+'>
+getBytes(); $usage = $bytes['nBytes']; @@ -55,6 +57,7 @@ if (isset($i_dropask)) {

getUsername()?>+ +