From 6ac12c0b26cd870e17dee0521eeaaf9487b85553 Mon Sep 17 00:00:00 2001
From: nashe <thomas@chauchefoin.fr>
Date: Sat, 23 Dec 2017 21:08:44 +0100
Subject: Add CSRF token checks

---
 admin/administration.php | 2 ++
 admin/changepassword.php | 4 +++-
 admin/index.php          | 2 ++
 admin/subscriptions.php  | 4 ++++
 4 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/admin/administration.php b/admin/administration.php
index 34afe73..26f6710 100755
--- a/admin/administration.php
+++ b/admin/administration.php
@@ -24,6 +24,7 @@ $page_content = <<<"FRAGMENT"
             <div class="widget">
                 <h3>{$l10n->getString('Clear cache')}</h3>
                 <form action="purgecache.php" method="post" id="frmPurge">
+                    <input type="hidden" value="{$csrf->generate('frmPurge')}" name="_csrf">
                     <p><label>{$l10n->getString('Clear cache:')}</label><input type="submit" class="submit delete" name="purge" id="purge" value="{$l10n->getString('Clear')}" /></p>
                     <p class="help">{$l10n->getString('Clearing the cache will make moonmoon reload all feeds.')}</p>
                 </form>
@@ -32,6 +33,7 @@ $page_content = <<<"FRAGMENT"
             <div class="widget">
                 <h3>{$l10n->getString('Change administrator password')}</h3>
                 <form action="changepassword.php" method="post" id="frmPassword">
+                    <input type="hidden" value="{$csrf->generate('frmPassword')}" name="_csrf">
                     <p><label for="password">{$l10n->getString('New password:')}</label> <input type="password" class="text" value="" name="password" id="password" size="20" /> <input type="submit" class="submit delete" name="changepwd" id="changepwd" value="{$l10n->getString('Change password')}" /></p>
                 </form>
             </div>
diff --git a/admin/changepassword.php b/admin/changepassword.php
index 8c38769..3b4500e 100644
--- a/admin/changepassword.php
+++ b/admin/changepassword.php
@@ -1,7 +1,9 @@
 <?php
+
+require_once __DIR__.'/../app/app.php';
 require_once __DIR__.'/inc/auth.inc.php';
 
-if (isset($_POST['password']) && ('' != $_POST['password'])){
+if ($csrf->verify($_POST['_csrf'], 'frmPassword') && isset($_POST['password']) && ('' != $_POST['password'])) {
     $out = '<?php $login="admin"; $password="'.md5($_POST['password']).'"; ?>';
     file_put_contents(__DIR__.'/inc/pwd.inc.php', $out);
     die("Password changed. <a href='administration.php'>Login</a>");
diff --git a/admin/index.php b/admin/index.php
index a01b77b..0118923 100755
--- a/admin/index.php
+++ b/admin/index.php
@@ -79,6 +79,7 @@ ob_start();
                         <input type="submit" class="submit add" name="add" value="<?=_g('Add Feed')?>" />
                     </fieldset>
                     <p class="help"><?=_g('Accepted formats are RSS and ATOM. If the link is not a feed, moonmoon will try to autodiscover the feed.')?></p>
+                <input type="hidden" value="<?php echo $csrf->generate('feedmanage'); ?>" name="_csrf">
                 </form>
             </div>
 
@@ -87,6 +88,7 @@ ob_start();
                 <form action="subscriptions.php" method="post" id="feedmanage">
                 <p class="action">
                 <span class="count"><?php echo sprintf(_g('Number of feeds: %s'), $count_feeds)?></span>
+                <input type="hidden" value="<?php echo $csrf->generate('feedmanage'); ?>" name="_csrf">
                 <input type="submit" class="submit save" name="save" id="save" value="<?=_g('Save changes')?>" />
                 <input type="submit" class="submit delete" name="delete" id="delete" value="<?=_g('Delete selected Feeds')?>" />
                 </p>
diff --git a/admin/subscriptions.php b/admin/subscriptions.php
index f8e4c2c..0606c89 100755
--- a/admin/subscriptions.php
+++ b/admin/subscriptions.php
@@ -7,6 +7,10 @@ function removeSlashes(&$item, $key){
     $item = stripslashes($item);
 }
 
+if (!$csrf->verify($_POST['_csrf'], 'feedmanage')) {
+    die('Invalid CSRF token!');
+}
+
 if (isset($_POST['opml']) || isset($_POST['add'])) {
 
     // Load config and old OPML
-- 
cgit v1.2.1