*/ // Before we start processing, we should abort no install is present if (!file_exists('includes/config/settings.php')) { // This should never happen, but in case it does // this means if headers are sent, redirect will fallback to JS if (!headers_sent()) { echo '<script language="javascript" type="text/javascript">document.location.replace("install/install.php");</script>'; } else { header('Location: install/install.php'); } // Now either way, we should stop processing further exit; } // initialise CSRFGuard library require_once './includes/libraries/csrfp/libs/csrf/csrfprotector.php'; csrfProtector::init(); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <?php $_SESSION['CPM'] = 1; session_id(); if (!isset($_SESSION['settings']['cpassman_dir']) || $_SESSION['settings']['cpassman_dir'] == "") { $_SESSION['settings']['cpassman_dir'] = "."; } // Include files require_once $_SESSION['settings']['cpassman_dir'] . '/includes/config/settings.php'; require_once $_SESSION['settings']['cpassman_dir'] . '/includes/config/include.php'; require_once $_SESSION['settings']['cpassman_dir'] . '/sources/SplClassLoader.php'; // connect to the server require_once './includes/libraries/Database/Meekrodb/db.class.php'; DB::$host = $server;
/**
 * init() while mod_csrfprotector announces itself through the environment.
 *
 * NOTE(review): despite the method name, no expected-exception annotation or
 * expectException() call is present, so as written this only checks that the
 * pre-seeded session and cookie tokens are still in place after init().
 */
public function testModCSRFPEnabledException()
{
    putenv('mod_csrfp_enabled=true');

    // Seed both token stores with the same known value before init() runs.
    $seeded = 'abc';
    $keyBefore = csrfprotector::$config['CSRFP_TOKEN'];
    $_COOKIE[$keyBefore] = $seeded;
    $_SESSION[$keyBefore] = array($seeded);

    csrfProtector::init();

    // The key is re-read after init() in case the config was reloaded; the
    // expectation is that init() rotated neither the session nor the cookie token.
    $keyAfter = csrfprotector::$config['CSRFP_TOKEN'];
    $this->assertTrue($_SESSION[$keyAfter][0] == $seeded);
    $this->assertTrue($_COOKIE[$keyAfter] == $seeded);
}
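/**
 * Output-buffer callback for CSRFProtector.
 *
 * Once the buffered output is known to be HTML it injects, in order: a
 * <noscript> notice after the opening <body> tag, the hidden token / URL-list
 * fields and the CSRFProtector <script> before </body>, and then runs the
 * static rewriting pass (self::rewriteHTML). Non-HTML output is returned as-is.
 *
 * @param string $buffer the output buffered so far
 * @param int    $flags  PHP_OUTPUT_HANDLER_* flags (not used here)
 * @return string the (possibly rewritten) buffer to send to the client
 */
public static function ob_handler($buffer, $flags)
{
    // Only rewrite genuine HTML: nothing is touched until a "<html" tag has
    // been seen; the flag is sticky across later chunks.
    if (!self::$isValidHTML) {
        if (stripos($buffer, '<html') === false) {
            return $buffer;
        }
        self::$isValidHTML = true;
    }

    // <noscript> notice right after <body ...>, telling the user the library
    // needs JavaScript. The message is written as raw markup, so it has to
    // come from trusted configuration. The "i" flag matches <BODY> too, which
    // keeps it consistent with the case-insensitive str_ireplace() calls below.
    $withNotice = preg_replace(
        '/<body[^>]*>/i',
        '$0 <noscript>' . self::$config['disabledJavascriptMessage'] . '</noscript>',
        $buffer
    );
    // preg_replace() yields null on a PCRE error (e.g. backtrack limit on a
    // very large buffer); keep the page instead of sending an empty one.
    if ($withNotice !== null) {
        $buffer = $withNotice;
    }

    // Hidden fields the JS reads the token and the GET-verification URL list
    // from. Both values are escaped for the attribute context so a token or a
    // configured URL containing quotes, "&" or "<" cannot break out of the
    // attribute; the DOM hands the decoded value back to the script.
    $tokenAttr = htmlspecialchars(self::$config['CSRFP_TOKEN'], ENT_QUOTES, 'UTF-8');
    $urlsAttr = htmlspecialchars(json_encode(self::$config['verifyGetFor']), ENT_QUOTES, 'UTF-8');
    $hiddenInput = '<input type="hidden" id="' . CSRFP_FIELD_TOKEN_NAME . '" value="' . $tokenAttr . '">' . PHP_EOL;
    $hiddenInput .= '<input type="hidden" id="' . CSRFP_FIELD_URLS . '" value=\'' . $urlsAttr . '\'>';
    $buffer = str_ireplace('</body>', $hiddenInput . '</body>', $buffer);

    // CSRFProtector script, placed directly before </body> (i.e. after the
    // hidden fields). $count records whether a </body> was present at all.
    $srcAttr = htmlspecialchars(self::$config['jsUrl'], ENT_QUOTES, 'UTF-8');
    $script = '<script type="text/javascript" src="' . $srcAttr . '"></script>' . PHP_EOL;
    $buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);

    // Static rewriting pass on the buffer (what it touches is defined in
    // self::rewriteHTML, not visible here).
    $buffer = self::rewriteHTML($buffer);

    // No </body> in this chunk: append the script so the page still loads it.
    if (!$count) {
        $buffer .= $script;
    }

    return $buffer;
}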
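/**
 * Output-buffer callback for CSRFProtector.
 *
 * Once the buffered output is known to be HTML it injects a <noscript> notice
 * after the opening <body> tag and, before </body>, a hidden <fieldset> with
 * the token / URL-list fields followed by the CSRFProtector <script>.
 * Non-HTML output is returned as-is.
 *
 * @param string $buffer the output buffered so far
 * @param int    $flags  PHP_OUTPUT_HANDLER_* flags (not used here)
 * @return string the (possibly rewritten) buffer to send to the client
 */
public static function ob_handler($buffer, $flags)
{
    // Only rewrite genuine HTML: nothing is touched until a "<html" tag has
    // been seen; the flag is sticky across later chunks.
    if (!self::$isValidHTML) {
        if (stripos($buffer, '<html') === false) {
            return $buffer;
        }
        self::$isValidHTML = true;
    }

    // TODO: statically rewrite all forms as well, so a form submitted before
    // the JS has run still carries a token (@priority: medium, @assign: mebjas).

    // <noscript> notice right after <body ...>, telling the user the library
    // needs JavaScript. The message is written as raw markup, so it has to
    // come from trusted configuration. The "i" flag matches <BODY> too, which
    // keeps it consistent with the case-insensitive str_ireplace() calls below.
    $withNotice = preg_replace(
        '/<body[^>]*>/i',
        '$0 <noscript>' . self::$config['disabledJavascriptMessage'] . '</noscript>',
        $buffer
    );
    // preg_replace() yields null on a PCRE error (e.g. backtrack limit on a
    // very large buffer); keep the page instead of sending an empty one.
    if ($withNotice !== null) {
        $buffer = $withNotice;
    }

    // Hidden fields the JS reads the token and the GET-verification URL list
    // from. "&" is percent-encoded in the URLs before JSON encoding (kept from
    // the original; presumably so the list survives the round trip to the JS).
    // Both values are then escaped for the attribute context so a token or URL
    // containing quotes or "<" cannot break out of the attribute; the DOM hands
    // the decoded value back to the script.
    $tokenAttr = htmlspecialchars(self::$config['CSRFP_TOKEN'], ENT_QUOTES, 'UTF-8');
    $urlsJson = json_encode(str_replace("&", "%26", self::$config['verifyGetFor']));
    $urlsAttr = htmlspecialchars($urlsJson, ENT_QUOTES, 'UTF-8');
    $hiddenInput = '<fieldset style="display: none"><legend>CSRF Protection</legend>' . PHP_EOL;
    $hiddenInput .= '<input type="hidden" id="' . CSRFP_FIELD_TOKEN_NAME . '" value="' . $tokenAttr . '" />' . PHP_EOL;
    $hiddenInput .= '<input type="hidden" id="' . CSRFP_FIELD_URLS . '" value=\'' . $urlsAttr . '\' />' . PHP_EOL;
    $hiddenInput .= '</fieldset>';
    $buffer = str_ireplace('</body>', $hiddenInput . '</body>', $buffer);

    // CSRFProtector script, placed directly before </body> (i.e. after the
    // hidden fieldset). $count records whether a </body> was present at all.
    $srcAttr = htmlspecialchars(self::$config['jsUrl'], ENT_QUOTES, 'UTF-8');
    $script = '<script type="text/javascript" src="' . $srcAttr . '"></script>' . PHP_EOL;
    $buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);

    // No </body> in this chunk: append the script so the page still loads it.
    if (!$count) {
        $buffer .= $script;
    }

    return $buffer;
}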
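/**
 * Output-buffer callback for CSRFProtector.
 *
 * Once the buffered output is known to be HTML it injects a <noscript> notice
 * after the opening <body> tag and, before </body>, the CSRFProtector script
 * plus an inline bootstrap that calls csrfprotector_init() on window.onload.
 * When the JS cache cannot be used or (re)built, the GET-verification URL
 * list is handed to the script inline through CSRFP.checkForUrls instead.
 * Non-HTML output is returned untouched. Any <form> handling happens in the
 * injected JavaScript, not in this method.
 *
 * @param string $buffer the output buffered so far
 * @param int    $flags  PHP_OUTPUT_HANDLER_* flags (not used here)
 * @return string the (possibly rewritten) buffer to send to the client
 */
public static function ob_handler($buffer, $flags)
{
    // Only rewrite genuine HTML: nothing is touched until a "<html" tag has
    // been seen; the flag is sticky across later chunks.
    if (!self::$isValidHTML) {
        if (stripos($buffer, '<html') === false) {
            return $buffer;
        }
        self::$isValidHTML = true;
    }

    // <noscript> notice right after <body ...>, telling the user the library
    // needs JavaScript. The message is written as raw markup, so it has to
    // come from trusted configuration. The "i" flag matches <BODY> too, which
    // keeps it consistent with the case-insensitive str_ireplace() call below.
    $withNotice = preg_replace(
        '/<body[^>]*>/i',
        '$0 <noscript>' . self::$config['disabledJavascriptMessage'] . '</noscript>',
        $buffer
    );
    // preg_replace() yields null on a PCRE error (e.g. backtrack limit on a
    // very large buffer); keep the page instead of sending an empty one.
    if ($withNotice !== null) {
        $buffer = $withNotice;
    }

    // The URL list is only passed inline when no cached JS is usable AND a new
    // cache cannot be written (presumably the cached JS carries the list
    // itself). A failed cache write is deliberately non-fatal.
    $checkUrls = array();
    if (!self::useCachedVersion()) {
        try {
            self::createNewJsCache();
        } catch (Exception $ex) {
            if (self::$config['verifyGetFor']) {
                // array_values() guarantees a dense JS array even when the
                // configured list has string or non-sequential keys.
                $checkUrls = array_values(self::$config['verifyGetFor']);
            }
        }
    }

    // CSRFProtector script plus the inline bootstrap. The src URL is escaped
    // for the attribute context so a configured URL cannot break the tag.
    $srcAttr = htmlspecialchars(self::$config['jsUrl'], ENT_QUOTES, 'UTF-8');
    $script = '<script type="text/javascript" src="' . $srcAttr . '"></script>' . PHP_EOL;
    $script .= '<script type="text/javascript">' . PHP_EOL;
    if ($checkUrls) {
        // json_encode() produces a valid JS array literal and quotes/escapes
        // every entry, so a "'" in a URL no longer terminates the string early;
        // JSON_HEX_TAG keeps a "</script>" inside an entry from ending the block.
        $urlsJson = json_encode($checkUrls, JSON_HEX_TAG);
        if ($urlsJson !== false) {
            $script .= 'CSRFP.checkForUrls = ' . $urlsJson . ';' . PHP_EOL;
        }
    }
    $script .= 'window.onload = function() {' . PHP_EOL;
    $script .= '    csrfprotector_init();' . PHP_EOL;
    $script .= '};' . PHP_EOL;
    $script .= '</script>' . PHP_EOL;

    // Place the script directly before </body>; $count records whether a
    // </body> was present at all.
    $buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);

    // No </body> in this chunk: append the script so the page still loads it.
    if (!$count) {
        $buffer .= $script;
    }

    return $buffer;
}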
/**
 * init() while mod_csrfprotector announces itself through the environment.
 *
 * NOTE(review): despite the method name, no expected-exception annotation or
 * expectException() call is present, so as written this only checks that the
 * pre-seeded session and cookie tokens are still in place after init().
 */
public function testModCSRFPEnabledException()
{
    putenv('mod_csrfp_enabled=true');

    // Seed both token stores with the same known value before init() runs.
    $seeded = 'abc';
    $_COOKIE[CSRFP_TOKEN] = $seeded;
    $_SESSION[CSRFP_TOKEN] = $seeded;

    csrfProtector::init();

    // Expectation: init() rotated neither the session nor the cookie token.
    $this->assertTrue($_SESSION[CSRFP_TOKEN] == $seeded);
    $this->assertTrue($_COOKIE[CSRFP_TOKEN] == $seeded);
}