webui add missing token validation

Lupul · Lupul · commit ec2910f1208c · 2019-08-07T00:14:28.000+03:00
(cherry picked from commit 0879588)
diff --git a/web/bulk/backup/exclusions/index.php b/web/bulk/backup/exclusions/index.php
@@ -9,6 +9,12 @@
 $backup = $_POST['system'];
 $action = $_POST['action'];
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('Location: /login/');
+    exit();
+}
+
 switch ($action) {
     case 'delete': $cmd='v-delete-user-backup-exclusions';
         break;
diff --git a/web/delete/backup/exclusion/index.php b/web/delete/backup/exclusion/index.php
@@ -9,6 +9,12 @@
     $user=$_GET['user'];
 }
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('Location: /login/');
+    exit();
+}
+
 if (!empty($_GET['system'])) {
     $v_username = escapeshellarg($user);
     $v_system = escapeshellarg($_GET['system']);
diff --git a/web/download/web-log/index.php b/web/download/web-log/index.php
@@ -24,5 +24,3 @@
         echo $file . "\n";
     }
 }
-
-?>
diff --git a/web/edit/file/index.php b/web/edit/file/index.php
@@ -29,6 +29,20 @@
         $content = '';
         $path = $_REQUEST['path'];
         if (!empty($_POST['save'])) {
+
+            // Check token
+            if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+                header('Location: /login/');
+                exit();
+            }
+
+            exec (HESTIA_CMD . "v-open-fs-file ".escapeshellarg($user)." ".escapeshellarg($path), $devnull, $return_var);
+            if ($return_var != 0) {
+                print 'Error while opening file';
+                exit;
+            }
+            $devnull=null;
+
             $fn = tempnam ('/tmp', 'vst-save-file-');
             if ($fn) {
                 $contents = $_POST['contents'];
@@ -39,7 +53,7 @@
                 chmod($fn, 0644);
 
                 if ($f) {
-                    exec (HESTIA_CMD . "v-copy-fs-file {$user} {$fn} ".escapeshellarg($path), $output, $return_var);
+                    exec (HESTIA_CMD . "v-copy-fs-file ".escapeshellarg($user)." ".escapeshellarg($fn)." ".escapeshellarg($path), $output, $return_var);
                     $error = check_return_code($return_var, $output);
                     if ($return_var != 0) {
                         print('<p style="color: white">Error while saving file</p>');
@@ -50,7 +64,7 @@
             }
         }
 
-        exec (HESTIA_CMD . "v-open-fs-file {$user} ".escapeshellarg($path), $content, $return_var);
+        exec (HESTIA_CMD . "v-open-fs-file ".escapeshellarg($user)." ".escapeshellarg($path), $content, $return_var);
         if ($return_var != 0) {
             print 'Error while opening file'; // todo: handle this more styled
             exit;
@@ -64,6 +78,7 @@
 <form id="edit-file-form" method="post">
 <!-- input id="do-backup" type="button" onClick="javascript:void(0);" name="save" value="backup (ctrl+F2)" class="backup" / -->
 <input type="submit" name="save" value="Save" class="save" />
+<input type="hidden" name="token" value="<?=$_SESSION['token']?>" />
 
 
 <textarea name="contents" class="editor" id="editor" rows="4" style="display:none;width: 100%; height: 100%;"><?=htmlentities($content)?></textarea>
diff --git a/web/edit/ip/index.php b/web/edit/ip/index.php
@@ -51,6 +51,13 @@
 
 // Check POST request
 if (!empty($_POST['save'])) {
+
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('Location: /login/');
+        exit();
+    }
+
     $v_ip = escapeshellarg($_POST['v_ip']);
 
     // Change Status
diff --git a/web/generate/ssl/index.php b/web/generate/ssl/index.php
@@ -27,6 +27,12 @@
     exit;
 }
 
+// Check token
+if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+    header('Location: /login/');
+    exit();
+}
+
 // Check input
 if (empty($_POST['v_domain'])) $errors[] = __('Domain');
 if (empty($_POST['v_country'])) $errors[] = __('Country');
diff --git a/web/restart/service/index.php b/web/restart/service/index.php
@@ -5,6 +5,12 @@
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('Location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     if (!empty($_GET['srv'])) {
         if ($_GET['srv'] == 'iptables') {
diff --git a/web/schedule/backup/index.php b/web/schedule/backup/index.php
@@ -5,6 +5,12 @@
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('Location: /login/');
+    exit();
+}
+
 $v_username = escapeshellarg($user);
 exec (HESTIA_CMD."v-schedule-user-backup ".$v_username, $output, $return_var);
 if ($return_var == 0) {
diff --git a/web/schedule/restore/index.php b/web/schedule/restore/index.php
@@ -6,6 +6,12 @@
 
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('Location: /login/');
+    exit();
+}
+
 $backup = escapeshellarg($_GET['backup']);
 
 $web = 'no';
diff --git a/web/start/service/index.php b/web/start/service/index.php
@@ -5,6 +5,12 @@
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('Location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     if (!empty($_GET['srv'])) {
         if ($_GET['srv'] == 'iptables') {
diff --git a/web/stop/service/index.php b/web/stop/service/index.php
@@ -5,6 +5,12 @@
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('Location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     if (!empty($_GET['srv'])) {
         if ($_GET['srv'] == 'iptables') {
diff --git a/web/templates/admin/list_backup.html b/web/templates/admin/list_backup.html
@@ -1,7 +1,7 @@
     <div class="l-center">
       <div class="l-sort clearfix noselect">
         <div class="l-unit-toolbar__buttonstrip">
-          <a href="/schedule/backup/" class="ui-button cancel" title="<?=__('Create Backup')?>"><i class="fas fa-plus-circle status-icon green"></i> <?=__('Create Backup')?></a>
+          <a href="/schedule/backup/?token=<?=$_SESSION['token']?>" class="ui-button cancel" title="<?=__('Create Backup')?>"><i class="fas fa-plus-circle status-icon green"></i> <?=__('Create Backup')?></a>
           <a href="/list/backup/exclusions/" class="ui-button cancel" title="<?=__('backup exclusions')?>"><i class="fas fa-folder-minus status-icon orange"></i> <?=__('backup exclusions')?></a>
         </div>
         <div class="l-sort-toolbar clearfix">
diff --git a/web/templates/admin/list_backup_detail.html b/web/templates/admin/list_backup_detail.html
@@ -2,7 +2,7 @@
       <div class="l-sort clearfix noselect">
         <div class="l-unit-toolbar__buttonstrip">
           <a class="ui-button cancel" id="btn-back" href="/list/backup/"><i class="fas fa-arrow-left status-icon blue"></i> <?=__('Back')?></a>
-          <a href="/schedule/restore/?backup=<?=htmlentities($_GET['backup'])?>" class="ui-button cancel" title="<?=__('Restore All')?>"><i class="fas fa-undo status-icon green"></i> <?=__('Restore All')?></a>
+          <a href="/schedule/restore/?token=<?=$_SESSION['token']?>&backup=<?=htmlentities($_GET['backup'])?>" class="ui-button cancel" title="<?=__('Restore All')?>"><i class="fas fa-undo status-icon green"></i> <?=__('Restore All')?></a>
         </div>
         <div class="l-sort-toolbar clearfix">
           <table>

Original file line number	Diff line number	Diff line change
`@@ -24,5 +24,3 @@`
`24`	`24`	`echo $file . "\n";`
`25`	`25`	`}`
`26`	`26`	`}`
`27`		`-`
`28`		`-?>`