<?php
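// Decide whether this request has to pass the CSRF gates defined below.
// Scripts that legitimately receive non-browser or cross-origin requests are
// exempted by SCRIPT_FILENAME. The path is slash-normalised first so that the
// "/usr/local/hestia//web/..." spellings the previous literal comparisons
// enumerated one by one are handled uniformly; a missing SCRIPT_FILENAME is
// treated as an empty path (never exempt) instead of raising a warning.
$check_csrf = true;
$script_path = (string) preg_replace('#/{2,}#', '/', (string) ($_SERVER['SCRIPT_FILENAME'] ?? ''));
$csrf_exempt_scripts = [
    '/usr/local/hestia/web/inc/mail-wrapper.php', // executed only from the CLI
    '/usr/local/hestia/web/reset/mail/index.php', // localhost only
    '/usr/local/hestia/web/api/index.php',        // performs its own check
];
if (in_array($script_path, $csrf_exempt_scripts, true)) {
    $check_csrf = false;
}
// Anything under the CLI tool directory is not a browser request.
if (strpos($script_path, '/usr/local/hestia/bin/') === 0) {
    $check_csrf = false;
}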
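/**
 * Gate a request on the session CSRF strictness policy.
 *
 * @param int $level trust level the caller established for the request:
 *                   2 = Origin/Referer matched this machine's hostname,
 *                   1 = Origin/Referer matched the Host header,
 *                   0 = no match
 * @return bool true when $level is at least $_SESSION['POLICY_CSRF_STRICTNESS'];
 *              otherwise a 400 page is emitted and the script terminates
 */
function checkStrictness(int $level): bool
{
    // A session without the policy key (for example before login) is treated
    // as policy 0. That is what the previous comparison against the missing
    // key already did (int >= null is always true), minus the
    // "undefined array key" warning.
    $policy = $_SESSION['POLICY_CSRF_STRICTNESS'] ?? 0;
    if ($level >= $policy) {
        return true;
    }
    http_response_code(400);
    echo "<h1>Potential use CSRF detected</h1>\n".
    "<p>Please disable any plugins/add-ons inside your browser or contact your system administrator. If you are the system administrator you can run v-change-sys-config-value 'POLICY_CSRF_STRICTNESS' '0' as root to disable this check.<p>".
    "<p>If you followed a bookmark or an static link <a href='/'>please click here</a>";
    die();
}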
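/**
 * CSRF gate for POST requests, based on the Origin request header.
 *
 * The trust level handed to checkStrictness() is:
 *   2 - the Origin host contains this machine's hostname (gethostname())
 *       and the port from the Host header is 443 or SERVER_PORT;
 *   1 - the Origin host equals the host from the Host header, same port rule;
 *   0 - anything else, including a missing or unparsable Origin header.
 *
 * Only the host component of Origin is compared. Matching the raw header as
 * a substring (the previous behaviour) accepted any origin whose URL merely
 * contained the hostname. The Host header is parsed with parse_url() so IPv6
 * literals such as "[::1]:8083" split correctly, and a Host without an
 * explicit port is taken to mean the scheme default (443 when the web server
 * exports HTTPS, else 80); previously a missing port never satisfied the port
 * check. Missing headers no longer raise "undefined array key" warnings.
 *
 * @return bool|null true when the request is allowed, null when the request
 *                   is not a POST; does not return when checkStrictness()
 *                   rejects the request
 */
function prevent_post_csrf(): ?bool
{
    if (empty($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        return null;
    }

    $host_parts = parse_url('http://' . ($_SERVER['HTTP_HOST'] ?? ''));
    $hostname = strtolower((string) ($host_parts['host'] ?? ''));
    if (isset($host_parts['port'])) {
        $port = (string) $host_parts['port'];
    } else {
        // No explicit port in Host: the browser used the scheme default.
        $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        $port = $https ? '443' : '80';
    }
    $port_ok = in_array($port, ['443', (string) ($_SERVER['SERVER_PORT'] ?? '')], true);

    // parse_url() yields null/false for a missing or malformed Origin; both
    // become '' and fall through to level 0.
    $origin_host = strtolower((string) parse_url($_SERVER['HTTP_ORIGIN'] ?? '', PHP_URL_HOST));
    $machine = strtolower((string) gethostname());

    // Level 2 keeps a substring test because gethostname() may return the
    // short form of the name the panel is reached under. An empty machine
    // name must not match everything (strpos() with an empty needle
    // returns 0), so it is excluded explicitly.
    if ($port_ok && $origin_host !== '' && $machine !== '' && strpos($origin_host, $machine) !== false) {
        return checkStrictness(2);
    }
    if ($port_ok && $origin_host !== '' && $origin_host === $hostname) {
        return checkStrictness(1);
    }
    return checkStrictness(0);
}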
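/**
 * CSRF gate for GET requests, based on the Referer request header.
 *
 * A fixed list of entry routes (login, the list pages, password reset) is
 * always allowed so bookmarks and direct links keep working. For every other
 * GET the trust level handed to checkStrictness() is:
 *   2 - the Referer host contains this machine's hostname (gethostname())
 *       and the port from the Host header is 443 or SERVER_PORT;
 *   1 - the Referer host equals the host from the Host header, same port rule;
 *   0 - anything else, including a missing or unparsable Referer header.
 *
 * Only the host component of Referer is compared. The previous substring
 * match on the whole header accepted any referer whose path or query string
 * merely contained the hostname. The Host header is parsed with parse_url()
 * so IPv6 literals split correctly, and a Host without an explicit port is
 * taken to mean the scheme default (443 when the web server exports HTTPS,
 * else 80); previously a missing port never satisfied the port check.
 * Missing headers no longer raise "undefined array key" warnings.
 *
 * @return bool|null true when the request is allowed, null when the request
 *                   is not a GET; does not return when checkStrictness()
 *                   rejects the request
 */
function prevent_get_csrf(): ?bool
{
    if (empty($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'GET') {
        return null;
    }

    // Entry routes that must never be blocked.
    $always_allowed = [
        '/list/user/index.php',
        '/login/index.php',
        '/list/web/index.php',
        '/list/dns/index.php',
        '/list/mail/index.php',
        '/list/db/index.php',
        '/list/cron/index.php',
        '/list/backup/index.php',
        '/reset/index.php',
    ];
    // DOCUMENT_URI is populated by the web server; NOTE(review): confirm it is
    // set for every panel route in the server configuration.
    if (in_array($_SERVER['DOCUMENT_URI'] ?? '', $always_allowed, true)) {
        return true;
    }

    $host_parts = parse_url('http://' . ($_SERVER['HTTP_HOST'] ?? ''));
    $hostname = strtolower((string) ($host_parts['host'] ?? ''));
    if (isset($host_parts['port'])) {
        $port = (string) $host_parts['port'];
    } else {
        // No explicit port in Host: the browser used the scheme default.
        $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        $port = $https ? '443' : '80';
    }
    $port_ok = in_array($port, ['443', (string) ($_SERVER['SERVER_PORT'] ?? '')], true);

    // Browsers may omit Referer (referrer policy); that is level 0 as before.
    if (!isset($_SERVER['HTTP_REFERER'])) {
        return checkStrictness(0);
    }
    $referer_host = strtolower((string) parse_url((string) $_SERVER['HTTP_REFERER'], PHP_URL_HOST));
    $machine = strtolower((string) gethostname());

    // Level 2 keeps a substring test because gethostname() may return the
    // short form of the name the panel is reached under. An empty machine
    // name must not match everything (strpos() with an empty needle
    // returns 0), so it is excluded explicitly.
    if ($port_ok && $referer_host !== '' && $machine !== '' && strpos($referer_host, $machine) !== false) {
        return checkStrictness(2);
    }
    if ($port_ok && $referer_host !== '' && $referer_host === $hostname) {
        return checkStrictness(1);
    }
    return checkStrictness(0);
}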
// Run both gates unless this script was exempted above; each gate only acts
// on its own request method, so the other one is a no-op.
if ($check_csrf) {
    prevent_post_csrf();
    prevent_get_csrf();
}