CSRF Protection for login and new notice. Ticket #503

darcs-hash:20081111022330-462f3-810b2a86e6e209330ade628fc0e97df96151d496.gz

actions/login.php

@@ -37,8 +37,15 @@ class LoginAction extends Action {
 	}
 
 	function check_login() {
-		# XXX: form token in $_SESSION to prevent XSS
 		# XXX: login throttle
+
+		# CSRF protection - token set in common_notice_form()
+		$token = $this->trimmed('token');
+		if (!$token || $token != common_session_token()) {
+			$this->client_error(_('There was a problem with your session token. Try again, please.'));
+			return;
+		}
+
 		$nickname = common_canonical_nickname($this->trimmed('nickname'));
 		$password = $this->arg('password');
 		if (common_check_user($nickname, $password)) {
@@ -104,6 +111,7 @@ class LoginAction extends Action {
 		                _('Automatically login in the future; ' .
 		                   'not for shared computers!'));
 		common_submit('submit', _('Login'));
+		common_hidden('token', common_session_token());
 		common_element_end('form');
 		common_element_start('p');
 		common_element('a', array('href' => common_local_url('recoverpassword')),

actions/newnotice.php

@@ -20,7 +20,7 @@
 if (!defined('LACONICA')) { exit(1); }
 
 class NewnoticeAction extends Action {
-	
+
 	function handle($args) {
 		parent::handle($args);
 		# XXX: Ajax!
@@ -36,10 +36,17 @@ class NewnoticeAction extends Action {
 
 	function save_new_notice() {
 
+		# CSRF protection - token set in common_notice_form()
+		$token = $this->trimmed('token');
+		if (!$token || $token != common_session_token()) {
+			$this->client_error(_('There was a problem with your session token. Try again, please.'));
+			return;
+		}
+
 		$user = common_current_user();
 		assert($user); # XXX: maybe an error instead...
 		$content = $this->trimmed('status_textarea');
-		
+
 		if (!$content) {
 			$this->show_form(_('No content!'));
 			return;
@@ -51,9 +58,9 @@ class NewnoticeAction extends Action {
 		}
 
 		$inter = new CommandInterpreter();
-		
+
 		$cmd = $inter->handle_command($user, $content);
-		
+
 		if ($cmd) {
 			$cmd->execute(new WebChannel());
 			return;
@@ -62,18 +69,18 @@ class NewnoticeAction extends Action {
 		$replyto = $this->trimmed('inreplyto');
 
 		common_debug("Replyto = $replyto\n");
-		
+
 		$notice = Notice::saveNew($user->id, $content, 'web', 1, ($replyto == 'false') ? NULL : $replyto);
-		
+
 		if (is_string($notice)) {
 			$this->show_form($notice);
 			return;
 		}
-		
+
 		common_broadcast_notice($notice);
-		
+
 		$returnto = $this->trimmed('returnto');
-		
+
 		if ($returnto) {
 			$url = common_local_url($returnto,
 									array('nickname' => $user->nickname));

actions/noticesearch.php

@@ -142,6 +142,8 @@ class NoticesearchAction extends SearchAction {
 								   'onclick' => 'doreply("'.$profile->nickname.'"); return false',
 								   'title' => _('reply'),
 								   'class' => 'replybutton'));
+		common_hidden('posttoken', common_session_token());
+		
 		common_raw('→');
 		common_element_end('a');
 		common_element_end('p');

lib/util.php

@@ -1353,12 +1353,13 @@ function common_notice_form($action=NULL, $content=NULL) {
 	common_element('label', array('for' => 'status_textarea',
 								  'id' => 'status_label'),
 				   sprintf(_('What\'s up, %s?'), $user->nickname));
-        common_element('span', array('id' => 'counter', 'class' => 'counter'), '140');
+    common_element('span', array('id' => 'counter', 'class' => 'counter'), '140');
 	common_element('textarea', array('id' => 'status_textarea',
 									 'cols' => 60,
 									 'rows' => 3,
 									 'name' => 'status_textarea'),
 				   ($content) ? $content : '');
+	common_hidden('token', common_session_token());
 	if ($action) {
 		common_hidden('returnto', $action);
 	}