 */
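// Before we start processing, abort when no installation is present.
if (!file_exists('includes/config/settings.php')) {
    // Prefer a real HTTP redirect. header() only has an effect while nothing
    // has been sent yet; once output has started it is a silent no-op, so in
    // that case fall back to a JavaScript redirect instead.
    if (!headers_sent()) {
        header('Location: install/install.php');
    } else {
        echo '<script language="javascript" type="text/javascript">document.location.replace("install/install.php");</script>';
    }
    // Either way, nothing below may run without a configuration.
    exit;
}
// Initialise the CSRFProtector library. It is expected to manage the token
// cookie, so it must run before any output is produced — keep it above the
// doctype below.
require_once './includes/libraries/csrfp/libs/csrf/csrfprotector.php';
csrfProtector::init();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?php 
$_SESSION['CPM'] = 1;
// Default the application root to the current directory when the session
// does not carry one (a discarded session_id() call used to sit here; it had
// no effect and was dropped).
if (!isset($_SESSION['settings']['cpassman_dir']) || $_SESSION['settings']['cpassman_dir'] == "") {
    $_SESSION['settings']['cpassman_dir'] = ".";
}
// Include files.
// NOTE(review): the include prefix is read back from session state. Make
// sure no request-controlled code path can write this key; otherwise these
// require_once calls become a local file inclusion vector — confirm.
require_once $_SESSION['settings']['cpassman_dir'] . '/includes/config/settings.php';
require_once $_SESSION['settings']['cpassman_dir'] . '/includes/config/include.php';
require_once $_SESSION['settings']['cpassman_dir'] . '/sources/SplClassLoader.php';
// Connect to the database server ($server is expected from settings.php).
require_once './includes/libraries/Database/Meekrodb/db.class.php';
DB::$host = $server;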
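 /**
  * With mod_csrfprotector flagged through the environment, init() must leave
  * the pre-seeded token untouched in both the session and the cookie. (The
  * method name mentions an exception, but no throw is asserted here — init()
  * merely has to complete.)
  */
 public function testModCSRFPEnabledException()
 {
     // NOTE(review): putenv() persists for the rest of the PHP process, so
     // later tests in the same run see this flag too — confirm a tearDown resets it.
     putenv('mod_csrfp_enabled=true');
     $token = 'abc';
     $_COOKIE[csrfprotector::$config['CSRFP_TOKEN']] = $token;
     $_SESSION[csrfprotector::$config['CSRFP_TOKEN']] = array($token);
     csrfProtector::init();
     // Strict comparison: the very same token string must survive init().
     $this->assertSame($token, $_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]);
     $this->assertSame($token, $_COOKIE[csrfprotector::$config['CSRFP_TOKEN']]);
 }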
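 public static function ob_handler($buffer, $flags)
 {
     // Only rewrite once the buffer is known to be HTML: nothing is touched
     // until the first <html tag has been seen (non-HTML output passes through).
     if (!self::$isValidHTML) {
         if (stripos($buffer, '<html') === false) {
             return $buffer;
         }
         self::$isValidHTML = true;
     }
     // <noscript> notice right after the opening <body> tag. The message is
     // operator-configured HTML and is therefore emitted as-is.
     $buffer = preg_replace("/<body[^>]*>/", "\$0 <noscript>" . self::$config['disabledJavascriptMessage'] . "</noscript>", $buffer);
     // Hidden fields the JS reads back: the token field name and the JSON list
     // of URLs whose GET requests must carry a token. Both land inside HTML
     // attributes, so they are attribute-escaped: a quote in a URL would
     // otherwise terminate the value, and "&" followed by an entity name
     // (e.g. "&copy=1") would be decoded by the HTML parser. The browser
     // decodes the entities again, so the JS still sees the original strings.
     $tokenName = htmlspecialchars(self::$config['CSRFP_TOKEN'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
     $verifyUrls = htmlspecialchars(json_encode(self::$config['verifyGetFor']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
     $jsUrl = htmlspecialchars(self::$config['jsUrl'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
     $hiddenInput = '<input type="hidden" id="' . CSRFP_FIELD_TOKEN_NAME . '" value="' . $tokenName . '">' . PHP_EOL;
     $hiddenInput .= '<input type="hidden" id="' . CSRFP_FIELD_URLS . '" value=\'' . $verifyUrls . '\'>';
     $script = '<script type="text/javascript" src="' . $jsUrl . '"></script>' . PHP_EOL;
     // Implant fields then script immediately before </body>.
     $buffer = str_ireplace('</body>', $hiddenInput . $script . '</body>', $buffer, $count);
     // Static rewriting of the (now augmented) document.
     $buffer = self::rewriteHTML($buffer);
     if (!$count) {
         // No </body> in the page: append both so the script does not load
         // without the fields it reads.
         $buffer .= $hiddenInput . $script;
     }
     return $buffer;
 }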
 public static function ob_handler($buffer, $flags)
 {
     // Nothing is rewritten until the buffer has been seen to contain an
     // <html tag; non-HTML output (JSON, downloads, ...) passes through untouched.
     if (!self::$isValidHTML) {
         if (stripos($buffer, '<html') === false) {
             return $buffer;
         }
         self::$isValidHTML = true;
     }
     // TODO (carried over): forms are not rewritten statically, so a form
     // submitted before the JS has run carries no token.
     // <noscript> notice immediately after the opening <body> tag.
     $noscript = "\$0 <noscript>" . self::$config['disabledJavascriptMessage'] . "</noscript>";
     $buffer = preg_replace("/<body[^>]*>/", $noscript, $buffer);
     // Hidden fields the JS reads back: token field name plus the URL list.
     // NOTE(review): these values are not attribute-escaped; "&" is rewritten
     // to "%26" so the HTML parser does not treat it as an entity, which also
     // changes the URL string the JS receives — confirm the JS expects that
     // encoded form. A single quote in a URL would still break the attribute.
     $urlList = json_encode(str_replace("&", "%26", self::$config['verifyGetFor']));
     $fields = array(
         '<fieldset style="display: none"><legend>CSRF Protection</legend>',
         '<input type="hidden" id="' . CSRFP_FIELD_TOKEN_NAME . '" value="' . self::$config['CSRFP_TOKEN'] . '" />',
         '<input type="hidden" id="' . CSRFP_FIELD_URLS . '" value=\'' . $urlList . '\' />',
     );
     $hiddenInput = implode(PHP_EOL, $fields) . PHP_EOL . '</fieldset>';
     $script = '<script type="text/javascript" src="' . self::$config['jsUrl'] . '"></script>' . PHP_EOL;
     // Fields first, then the script include, both just before </body>.
     $buffer = str_ireplace('</body>', $hiddenInput . $script . '</body>', $buffer, $count);
     // No </body> present: still deliver the script by appending it.
     if ($count === 0) {
         $buffer .= $script;
     }
     return $buffer;
 }
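 /**
  * Output-buffer callback: once the buffer is known to be HTML, injects the
  * <noscript> notice, the CSRFProtector JavaScript include and, only when the
  * JS cache could not be (re)built, an inline list of the URLs whose GET
  * requests must carry a token.
  * @param: $buffer, output buffer to which all output are stored
  * @param: flag
  * @return string, complete output buffer
  */
 public static function ob_handler($buffer, $flags)
 {
     if (!self::$isValidHTML) {
         // Heuristic: not HTML until the first <html tag is seen.
         if (stripos($buffer, '<html') === false) {
             return $buffer;
         }
         self::$isValidHTML = true;
     }
     // <noscript> notice right after the opening <body> tag (operator-supplied
     // HTML, emitted as-is).
     $buffer = preg_replace("/<body[^>]*>/", "\$0 <noscript>" . self::$config['disabledJavascriptMessage'] . "</noscript>", $buffer);
     // Normally the URL list is baked into the cached JS; it is inlined into
     // the page only when the cache is stale and cannot be rebuilt.
     $urlsJs = '';
     if (!self::useCachedVersion()) {
         try {
             self::createNewJsCache();
         } catch (\Exception $ex) {
             // Fully qualified so the catch binds to the global Exception even
             // if this file lives in a namespace.
             if (self::$config['verifyGetFor']) {
                 // The list ends up inside a <script> block, so it is encoded as
                 // JSON with HTML-significant characters hex-escaped: a URL that
                 // contains a quote or "</script>" would otherwise break out of
                 // the script context. json_encode() returns false on invalid
                 // UTF-8, in which case the list is simply omitted.
                 $urlsJs = json_encode(
                     array_values(self::$config['verifyGetFor']),
                     JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
                 ) ?: '';
             }
         }
     }
     $jsUrl = htmlspecialchars(self::$config['jsUrl'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
     $script = '<script type="text/javascript" src="' . $jsUrl . '"></script>' . PHP_EOL;
     $script .= '<script type="text/javascript">' . PHP_EOL;
     if ($urlsJs !== '') {
         $script .= 'CSRFP.checkForUrls = ' . $urlsJs . ';' . PHP_EOL;
     }
     $script .= 'window.onload = function() {' . PHP_EOL;
     $script .= '	csrfprotector_init();' . PHP_EOL;
     $script .= '};' . PHP_EOL;
     $script .= '</script>' . PHP_EOL;
     // Implant the script just before </body>; append it when the page has none.
     $buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);
     if (!$count) {
         $buffer .= $script;
     }
     return $buffer;
 }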
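 /**
  * With mod_csrfprotector flagged through the environment, init() must leave
  * the pre-seeded token alone in both the session and the cookie. (The method
  * name mentions an exception, but no throw is asserted here — init() merely
  * has to complete.)
  */
 public function testModCSRFPEnabledException()
 {
     // NOTE(review): putenv() persists for the rest of the PHP process, so
     // later tests in the same run see this flag too — confirm a tearDown resets it.
     putenv('mod_csrfp_enabled=true');
     $token = 'abc';
     $_SESSION[CSRFP_TOKEN] = $token;
     $_COOKIE[CSRFP_TOKEN] = $token;
     csrfProtector::init();
     // Strict comparison: the very same token string must survive init().
     $this->assertSame($token, $_SESSION[CSRFP_TOKEN]);
     $this->assertSame($token, $_COOKIE[CSRFP_TOKEN]);
 }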