authorErik Dubbelboer <erik@dubbelboer.com>2021-08-26 21:19:02 +0300
committerErik Dubbelboer <erik@dubbelboer.com>2021-08-26 21:19:02 +0300
commitb9039adbb264c81333328faa9575ecf8e0d2be94 (patch)
tree1e618954382f0d696a5257ee8c8861b5b0a7e72d
parent51c5425d3bf6e96b4820fb23e3a50a26f0d78290 (diff)
Prevent Cross-Site Request Forgery
-rw-r--r--edit.php1
-rw-r--r--export.php1
-rw-r--r--import.php1
-rw-r--r--includes/common.inc.php18
-rw-r--r--login.php1
-rw-r--r--rename.php1
-rw-r--r--ttl.php1
7 files changed, 24 insertions, 0 deletions
diff --git a/edit.php b/edit.php
index 0940503..9642171 100644
--- a/edit.php
+++ b/edit.php
@@ -145,6 +145,7 @@ require 'includes/header.inc.php';
?>
<h2><?php echo $edit ? 'Edit' : 'Add'?></h2>
<form action="<?php echo format_html(getRelativePath('edit.php'))?>" method="post">
+<input type="hidden" name="csrf" value="<?php echo $csrfToken; ?>" />
<p>
<label for="type">Type:</label>
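Review bot: The token on the added hidden-input line is echoed into the attribute raw, while the `action` attribute on the form line just above goes through `format_html()`; the token is hex or the literal `'nosession'` as generated in common.inc.php, so nothing is injectable today, but escaping it keeps the page's convention and stays safe if the token source changes later. Proposed line: `<input type="hidden" name="csrf" value="<?php echo format_html($csrfToken); ?>" />`. The same unescaped line is added in export.php, import.php, login.php, rename.php and ttl.php.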
diff --git a/export.php b/export.php
index c886e46..5d88b11 100644
--- a/export.php
+++ b/export.php
@@ -187,6 +187,7 @@ require 'includes/header.inc.php';
<h2>Export <?php echo isset($_GET['key']) ? format_html($_GET['key']) : ''?></h2>
<form action="<?php echo format_html(getRelativePath('export.php'))?>" method="post">
+<input type="hidden" name="csrf" value="<?php echo $csrfToken; ?>" />
<p>
<label for="type">Type:</label>
diff --git a/import.php b/import.php
index 1786164..590467e 100644
--- a/import.php
+++ b/import.php
@@ -92,6 +92,7 @@ require 'includes/header.inc.php';
?>
<h2>Import</h2>
<form action="<?php echo format_html(getRelativePath('import.php'))?>" method="post">
+<input type="hidden" name="csrf" value="<?php echo $csrfToken; ?>" />
<p>
<label for="commands">Commands:<br>
diff --git a/includes/common.inc.php b/includes/common.inc.php
index 85dfe76..cfa5059 100644
--- a/includes/common.inc.php
+++ b/includes/common.inc.php
@@ -4,6 +4,24 @@ require dirname(__FILE__) . '/../vendor/autoload.php';
define('PHPREDIS_ADMIN_PATH', dirname(__DIR__));
+if (session_status() !== PHP_SESSION_DISABLED) {
+ session_start();
+
+ if (isset($_SESSION['phpredisadmin_csrf'])) {
+ $csrfToken = $_SESSION['phpredisadmin_csrf'];
+ } else {
+ $csrfToken = bin2hex(random_bytes(16));
+ $_SESSION['phpredisadmin_csrf'] = $csrfToken;
+ }
+} else {
+ $csrfToken = 'nosession';
+}
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ if ($_POST['csrf'] !== $csrfToken) {
+ die('bad csrf token');
+ }
+}
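Review bot: The POST check at the end of the hunk reads `$_POST['csrf']` without a null-coalesce and compares with `!==`, so a request that omits the field raises an undefined-index warning before being rejected and the comparison is not constant-time; read it as `$_POST['csrf'] ?? ''`, compare with `hash_equals()`, and send a 403 before the `die()` so clients and logs see a refusal rather than a 200. The `session_status() !== PHP_SESSION_DISABLED` guard also admits `PHP_SESSION_ACTIVE`, where `session_start()` emits a notice if an earlier include already started the session; testing for `PHP_SESSION_NONE` before starting avoids that. When sessions are disabled the fallback token `'nosession'` is a fixed public value, so any cross-site form that includes it passes the check — if that configuration is meant to be supported it should be documented as unprotected, otherwise POSTs should be refused there. The rewrite below keeps the variable names, the session key and the `'bad csrf token'` message.

```php
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

if (session_status() === PHP_SESSION_ACTIVE) {
    // One token per session; generated only when the session has none yet.
    if (!isset($_SESSION['phpredisadmin_csrf'])) {
        $_SESSION['phpredisadmin_csrf'] = bin2hex(random_bytes(16));
    }
    $csrfToken = $_SESSION['phpredisadmin_csrf'];
} else {
    // … unchanged: 'nosession' fallback …
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A missing field is treated as an empty token; hash_equals() keeps the
    // comparison constant-time and rejects non-string input explicitly.
    $submitted = $_POST['csrf'] ?? '';
    if (!is_string($submitted) || !hash_equals($csrfToken, $submitted)) {
        http_response_code(403);
        die('bad csrf token');
    }
}
```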
// These includes are needed by each script.
diff --git a/login.php b/login.php
index 82c5514..298b32f 100644
--- a/login.php
+++ b/login.php
@@ -13,6 +13,7 @@ require 'includes/header.inc.php';
<h1 class="logo">phpRedisAdmin</h1>
<form class="form-signin" method="post" action="login.php">
+<input type="hidden" name="csrf" value="<?php echo $csrfToken; ?>" />
<h2 class="form-signin-heading">Please log in</h2>
<?php if (isset($_POST['username']) || isset($_POST['password'])): ?>
diff --git a/rename.php b/rename.php
index e5460a1..4dbddcd 100644
--- a/rename.php
+++ b/rename.php
@@ -36,6 +36,7 @@ require 'includes/header.inc.php';
?>
<h2>Edit Name of <?php echo format_html($_GET['key'])?></h2>
<form action="<?php echo format_html(getRelativePath('rename.php'))?>" method="post">
+<input type="hidden" name="csrf" value="<?php echo $csrfToken; ?>" />
<input type="hidden" name="old" value="<?php echo format_html($_GET['key'])?>">
diff --git a/ttl.php b/ttl.php
index 6db0cb2..d6bdc07 100644
--- a/ttl.php
+++ b/ttl.php
@@ -27,6 +27,7 @@ require 'includes/header.inc.php';
?>
<h2>Edit TTL</h2>
<form action="<?php echo format_html(getRelativePath('ttl.php'))?>" method="post">
+<input type="hidden" name="csrf" value="<?php echo $csrfToken; ?>" />
<p>
<label for="key">Key:</label>