/**
 * Generate CSRF form token.
 *
 * Accepted $params:
 *
 * - raw  When truthy, return only the bare token string; otherwise return
 *        the default hidden <input> element that carries it.
 *
 * @param array $params
 * @param Smarty $smarty
 * @return string
 */
function smarty_function_sugar_csrf_form_token($params, &$smarty)
{
    $authenticator = CsrfAuthenticator::getInstance();
    $token = $authenticator->getFormToken();

    // Callers that embed the token themselves ask for the raw value.
    if (!empty($params['raw'])) {
        return $token;
    }

    $fieldName = $authenticator::FORM_TOKEN_FIELD;
    return sprintf('<input type="hidden" name="%s" value="%s" />', $fieldName, $token);
}
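/**
 * Render the Administration > Backups screen and, once confirmed, create a
 * zip archive of the install directory.
 *
 * The flow is driven by the "run" request parameter:
 *   - "confirm":   validate backup_dir / backup_zip, then re-render the form
 *                  read-only with run=confirmed so the admin can confirm;
 *   - "confirmed": zip "." (the current working directory) into
 *                  backup_dir/backup_zip;
 *   - "done":      report the stored file and its size.
 *
 * backup_dir, backup_zip and run come straight from the request and are
 * reflected into the page, so they are HTML-escaped at every output point.
 *
 * @see SugarView::display()
 * @return array|null Error strings when the confirm stage fails its
 *                    required-field validation, otherwise null (the page is
 *                    printed directly)
 */
public function display()
{
    require_once 'include/utils/zip_utils.php';
    global $mod_strings;

    $form_action = "index.php?module=Administration&action=Backups";
    $backup_dir = "";
    $backup_zip = "";
    $run = "confirm";
    $input_disabled = "";
    $errors = array();

    // process "run" commands
    if (isset($_REQUEST['run']) && $_REQUEST['run'] != "") {
        $run = $_REQUEST['run'];
        // A missing field behaves like an empty one instead of raising a notice.
        $backup_dir = isset($_REQUEST['backup_dir']) ? $_REQUEST['backup_dir'] : "";
        $backup_zip = isset($_REQUEST['backup_zip']) ? $_REQUEST['backup_zip'] : "";

        if ($run == "confirm") {
            if ($backup_dir == "") {
                $errors[] = $mod_strings['LBL_BACKUP_DIRECTORY_ERROR'];
            }
            if ($backup_zip == "") {
                $errors[] = $mod_strings['LBL_BACKUP_FILENAME_ERROR'];
            }
            if (sizeof($errors) > 0) {
                return $errors;
            }
            if (!is_dir($backup_dir)) {
                if (!mkdir_recursive($backup_dir)) {
                    $errors[] = $mod_strings['LBL_BACKUP_DIRECTORY_EXISTS'];
                }
            }
            if (!is_writable($backup_dir)) {
                $errors[] = $mod_strings['LBL_BACKUP_DIRECTORY_NOT_WRITABLE'];
            }
            if (is_file("{$backup_dir}/{$backup_zip}")) {
                $errors[] = $mod_strings['LBL_BACKUP_FILE_EXISTS'];
            }
            if (is_dir("{$backup_dir}/{$backup_zip}")) {
                $errors[] = $mod_strings['LBL_BACKUP_FILE_AS_SUB'];
            }
            if (sizeof($errors) == 0) {
                $run = "confirmed";
                $input_disabled = "readonly";
            }
        } elseif ($run == "confirmed") {
            // NOTE(review): the confirmed request is not re-validated here, so
            // the directory/filename checks above only cover the first post.
            // The archive contains the whole install (config included), so the
            // target directory should live outside the web root — confirm with
            // the deployment guidance.
            ini_set("memory_limit", "-1");
            ini_set("max_execution_time", "0");
            zip_dir(".", "{$backup_dir}/{$backup_zip}");
            $run = "done";
        }
    }

    // Request values are reflected into HTML attributes and text below;
    // escape once here so every output point uses the safe form.
    $backup_dir_html = htmlspecialchars($backup_dir, ENT_QUOTES, 'UTF-8');
    $backup_zip_html = htmlspecialchars($backup_zip, ENT_QUOTES, 'UTF-8');
    $run_html = htmlspecialchars($run, ENT_QUOTES, 'UTF-8');

    if (sizeof($errors) > 0) {
        foreach ($errors as $error) {
            print "<font color=\"red\">{$error}</font><br>";
        }
    }

    if ($run == "done") {
        $size = filesize("{$backup_dir}/{$backup_zip}");
        print $mod_strings['LBL_BACKUP_FILE_STORED']
            . " {$backup_dir_html}/{$backup_zip_html} ({$size} bytes).<br>\n";
        print "<a href=\"index.php?module=Administration&action=index\">"
            . $mod_strings['LBL_BACKUP_BACK_HOME'] . "</a>\n";
    } else {
        $csrf = CsrfAuthenticator::getInstance();
        echo getClassicModuleTitle(
            "Administration",
            array(
                "<a href='index.php?module=Administration&action=index'>"
                . translate('LBL_MODULE_NAME', 'Administration') . "</a>",
                $mod_strings['LBL_BACKUPS_TITLE'],
            ),
            false
        );
        echo $mod_strings['LBL_BACKUP_INSTRUCTIONS_1'];
        ?>
<br>
<?php echo $mod_strings['LBL_BACKUP_INSTRUCTIONS_2']; ?>
<br>
<form name="Backups" action="<?php print $form_action; ?>" method="post" onSubmit="return (check_for_errors());">
<input type="hidden" name="csrf_token" value="<?php echo $csrf->getFormToken(); ?>" />
<table>
<tr>
<td><?php echo $mod_strings['LBL_BACKUP_DIRECTORY']; ?><br><i><?php echo $mod_strings['LBL_BACKUP_DIRECTORY_WRITABLE']; ?></i></td>
<td><input size="100" type="input" name="backup_dir" <?php print $input_disabled; ?> value="<?php print $backup_dir_html; ?>"/></td>
</tr>
<tr>
<td><?php echo $mod_strings['LBL_BACKUP_FILENAME']; ?></td>
<td><input type="input" name="backup_zip" <?php print $input_disabled; ?> value="<?php print $backup_zip_html; ?>"/></td>
</tr>
</table>
<input type=hidden name="run" value="<?php print $run_html; ?>" />
<?php if ($run == "confirm") { ?>
<input type="submit" value="<?php echo $mod_strings['LBL_BACKUP_CONFIRM']; ?>" />
<?php } elseif ($run == "confirmed") { ?>
<?php echo $mod_strings['LBL_BACKUP_CONFIRMED']; ?><br>
<input type="submit" value="<?php echo $mod_strings['LBL_BACKUP_RUN_BACKUP']; ?>" />
<?php } ?>
</form>
<script type="text/javascript">
function check_for_errors(){
    addForm('Backups');
    addToValidate('Backups', 'backup_dir', 'varchar', 'true', '<?php echo $mod_strings['LBL_BACKUP_DIRECTORY']; ?>');
    addToValidate('Backups', 'backup_zip', 'varchar', 'true', '<?php echo $mod_strings['LBL_BACKUP_FILENAME']; ?>');
    return check_form('Backups');
}
</script>
<?php
    } // end if/else of $run options

    $GLOBALS['log']->info("Backups");
}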
/**
 * Perform CSRF form validation. Extension classes can override this logic
 * if any exotic handling is required. The default implementation relies on
 * the CSRF form token that is tied to the user's session.
 *
 * SugarApplication calls this for every non-GET request.
 *
 * @param array $fields Key/value field pairs
 * @return boolean
 */
public function isCsrfValid(array $fields)
{
    $isValid = CsrfAuthenticator::getInstance()->isFormTokenValid($fields);

    // A failed check is logged at fatal level so it stands out in the log.
    if (!$isValid) {
        $GLOBALS['log']->fatal("CSRF: auth failure for {$this->module} -> {$this->action}");
    }

    return $isValid;
}
/**
 * Return CSRF form token jscript.
 *
 * Builds the inline <script> that publishes the current form token as
 * SUGAR.csrf.form_token for client-side code.
 *
 * @return string
 */
protected function getCsrfFormTokenJscript()
{
    $token = CsrfAuthenticator::getInstance()->getFormToken();

    // NOTE(review): the token is placed inside a JS string literal as-is;
    // this presumes it never contains quotes or backslashes — confirm against
    // CsrfAuthenticator::getFormToken().
    $template = '<script>SUGAR.csrf = {}; SUGAR.csrf.form_token = "%s";</script>';

    return sprintf($template, $token);
}
/**
 * Wrapper to mimic Smarty to dynamically add CSRF form token by adding
 * `{sugar_csrf_form_token}` to the template file.
 *
 * @return string Hidden <input> element carrying the form token
 */
public function getCsrfToken()
{
    $authenticator = CsrfAuthenticator::getInstance();
    $fieldName = $authenticator::FORM_TOKEN_FIELD;
    $token = $authenticator->getFormToken();

    return '<input type="hidden" name="' . $fieldName . '" value="' . $token . '" />';
}