prevent_csrf.php

<?php

$check_csrf = true;

if (
	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/inc/mail-wrapper.php" ||
	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia//web/inc/mail-wrapper.php"
) {
	$check_csrf = false;
} // execute only from CLI
if (
	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/reset/mail/index.php" ||
	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web//reset/mail/index.php"
) {
	$check_csrf = false;
} // Localhost only
if (
	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/api/index.php" ||
	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web//api/index.php"
) {
	$check_csrf = false;
} // Own check
if (substr($_SERVER["SCRIPT_FILENAME"], 0, 22) == "/usr/local/hestia/bin/") {
	$check_csrf = false;
}

function checkStrictness($level) {
	if ($level >= $_SESSION["POLICY_CSRF_STRICTNESS"]) {
		return true;
	} else {
		http_response_code(400);
		echo "<h1>Potential CSRF use detected</h1>\n" .
			"<p>Please disable any plugins/add-ons inside your browser or contact your system administrator. If you are the system administrator you can run v-change-sys-config-value 'POLICY_CSRF_STRICTNESS' '0' as root to disable this check.<p>" .
			"<p>If you followed a bookmark or an static link please <a href='/'>navigate to root</a>";
		die();
	}
}

function prevent_post_csrf() {
	if (!empty($_SERVER["REQUEST_METHOD"])) {
		if ($_SERVER["REQUEST_METHOD"] === "POST") {
			if (!empty($_SERVER["HTTP_HOST"])) {
				$hostname = preg_replace(
					"/(\[?[^]]*\]?):([0-9]{1,5})$/",
					"$1",
					$_SERVER["HTTP_HOST"],
				);
				$port_is_defined = preg_match("/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"]);
				if ($port_is_defined) {
					$port = preg_replace(
						"/(\[?[^]]*\]?):([0-9]{1,5})$/",
						"$2",
						$_SERVER["HTTP_HOST"],
					);
				} else {
					$port = 443;
				}
			} else {
				$hostname = gethostname();
				$port = 443;
			}
			if (isset($_SERVER["HTTP_ORIGIN"])) {
				$origin_host = parse_url($_SERVER["HTTP_ORIGIN"], PHP_URL_HOST);
				if (
					strcmp($origin_host, gethostname()) === 0 &&
					in_array($port, ["443", $_SERVER["SERVER_PORT"]])
				) {
					return checkStrictness(2);
				} else {
					if (
						strcmp($origin_host, $hostname) === 0 &&
						in_array($port, ["443", $_SERVER["SERVER_PORT"]])
					) {
						return checkStrictness(1);
					} else {
						return checkStrictness(0);
					}
				}
			}
		}
	}
}

function prevent_get_csrf() {
	if (!empty($_SERVER["REQUEST_METHOD"])) {
		if ($_SERVER["REQUEST_METHOD"] === "GET") {
			if (!empty($_SERVER["HTTP_HOST"])) {
				$hostname = preg_replace(
					"/(\[?[^]]*\]?):([0-9]{1,5})$/",
					"$1",
					$_SERVER["HTTP_HOST"],
				);
				$port_is_defined = preg_match("/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"]);
				if ($port_is_defined) {
					$port = preg_replace(
						"/(\[?[^]]*\]?):([0-9]{1,5})$/",
						"$2",
						$_SERVER["HTTP_HOST"],
					);
				} else {
					$port = 443;
				}
			} else {
				$hostname = gethostname();
				$port = 443;
			}

			//list of possible entries route and these should never be blocked
			if (
				in_array($_SERVER["DOCUMENT_URI"], [
					"/list/user/index.php",
					"/login/index.php",
					"/list/web/index.php",
					"/list/dns/index.php",
					"/list/mail/index.php",
					"/list/db/index.php",
					"/list/cron/index.php",
					"/list/backup/index.php",
					"/reset/index.php",
				])
			) {
				return true;
			}
			if (isset($_SERVER["HTTP_REFERER"])) {
				$referrer_host = parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST);
				if (
					strcmp($referrer_host, gethostname()) === 0 &&
					in_array($port, ["443", $_SERVER["SERVER_PORT"]])
				) {
					return checkStrictness(2);
				} else {
					if (
						strcmp($referrer_host, $hostname) === 0 &&
						in_array($port, ["443", $_SERVER["SERVER_PORT"]])
					) {
						return checkStrictness(1);
					} else {
						return checkStrictness(0);
					}
				}
			} else {
				return checkStrictness(0);
			}
		}
	}
}

if ($check_csrf == true) {
	prevent_post_csrf();
	prevent_get_csrf();
}