aboutsummaryrefslogtreecommitdiffstats
path: root/admin
diff options
context:
space:
mode:
authorThomas Lange <code@nerdmind.de>2021-08-05 17:38:36 +0200
committerThomas Lange <code@nerdmind.de>2021-08-05 17:59:30 +0200
commitde51f59ef9a50bce0ef63a883c590d1feeadca5d (patch)
treeb1e5d51389b069e27dd3391b28516a0214590a8e /admin
parent5b2770aa34f0fb329492311080c101c03c493fb3 (diff)
downloadblog-de51f59ef9a50bce0ef63a883c590d1feeadca5d.tar.gz
blog-de51f59ef9a50bce0ef63a883c590d1feeadca5d.tar.xz
blog-de51f59ef9a50bce0ef63a883c590d1feeadca5d.zip
Show error message if CSRF token does not matches
Print an error message for various actions in the administration area if the security token is invalid, instead of silently preventing the user's desired action to perform if the token is invalid for some reason. This change applies for the delete actions on all entity types and also for the login action and the database command execution form; the forms for creating/modifying entities had already shown a CSRF error before.
Diffstat (limited to 'admin')
-rw-r--r--admin/auth.php34
-rw-r--r--admin/category/delete.php16
-rw-r--r--admin/database.php20
-rw-r--r--admin/page/delete.php16
-rw-r--r--admin/post/delete.php16
-rw-r--r--admin/user/delete.php16
6 files changed, 69 insertions, 49 deletions
diff --git a/admin/auth.php b/admin/auth.php
index 5a3cc5f..d0abc38 100644
--- a/admin/auth.php
+++ b/admin/auth.php
@@ -27,27 +27,27 @@ if(Application::isAuthenticated()) {
#===============================================================================
# IF: Login action
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'username', 'password')) {
- $UserRepository = Application::getRepository('User');
+if(HTTP::issetPOST('username', 'password')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ $UserRepository = Application::getRepository('User');
- if($User = $UserRepository->findBy('username', HTTP::POST('username'))) {
- if(password_verify(HTTP::POST('password'), $User->get('password'))) {
- $_SESSION['auth'] = $User->getID();
- HTTP::redirect(Application::getAdminURL());
- }
+ if($User = $UserRepository->findBy('username', HTTP::POST('username'))) {
+ if(password_verify(HTTP::POST('password'), $User->get('password'))) {
+ $_SESSION['auth'] = $User->getID();
+ HTTP::redirect(Application::getAdminURL());
+ } else {
+ $messages[] = $Language->text('authentication_failure');
+ }
+ } else {
+ $fake_hash = '$2y$10$xpnwDU2HumOgGQhVpMOP9uataEF82YXizniFhSUhYjUiXF8aoDk0C';
+ $fake_pass = HTTP::POST('password');
+
+ password_verify($fake_pass, $fake_hash);
- else {
$messages[] = $Language->text('authentication_failure');
}
- }
-
- else {
- $fake_hash = '$2y$10$xpnwDU2HumOgGQhVpMOP9uataEF82YXizniFhSUhYjUiXF8aoDk0C';
- $fake_pass = HTTP::POST('password');
-
- password_verify($fake_pass, $fake_hash);
-
- $messages[] = $Language->text('authentication_failure');
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}
diff --git a/admin/category/delete.php b/admin/category/delete.php
index e92387c..d7b3001 100644
--- a/admin/category/delete.php
+++ b/admin/category/delete.php
@@ -25,13 +25,17 @@ if(!$Category = $CategoryRepository->find(HTTP::GET('id'))) {
#===============================================================================
# Check for delete request
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($CategoryRepository->delete($Category)) {
- HTTP::redirect(Application::getAdminURL('category/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($CategoryRepository->delete($Category)) {
+ HTTP::redirect(Application::getAdminURL('category/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
}
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}
diff --git a/admin/database.php b/admin/database.php
index a257071..1d3404f 100644
--- a/admin/database.php
+++ b/admin/database.php
@@ -13,15 +13,19 @@ require '../core/application.php';
#===============================================================================
# Execute database command(s)
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'command')) {
- try {
- $Statement = $Database->query(HTTP::POST('command'));
+if(HTTP::issetPOST('command')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ $Statement = $Database->query(HTTP::POST('command'));
- do {
- $result[] = print_r($Statement->fetchAll(), TRUE);
- } while($Statement->nextRowset());
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ do {
+ $result[] = print_r($Statement->fetchAll(), TRUE);
+ } while($Statement->nextRowset());
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
+ }
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}
diff --git a/admin/page/delete.php b/admin/page/delete.php
index d815023..035dbee 100644
--- a/admin/page/delete.php
+++ b/admin/page/delete.php
@@ -25,13 +25,17 @@ if(!$Page = $PageRepository->find(HTTP::GET('id'))) {
#===============================================================================
# Check for delete request
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($PageRepository->delete($Page)) {
- HTTP::redirect(Application::getAdminURL('page/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($PageRepository->delete($Page)) {
+ HTTP::redirect(Application::getAdminURL('page/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
}
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}
diff --git a/admin/post/delete.php b/admin/post/delete.php
index 519ba9e..3fb4c84 100644
--- a/admin/post/delete.php
+++ b/admin/post/delete.php
@@ -25,13 +25,17 @@ if(!$Post = $PostRepository->find(HTTP::GET('id'))) {
#===============================================================================
# Check for delete request
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($PostRepository->delete($Post)) {
- HTTP::redirect(Application::getAdminURL('post/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($PostRepository->delete($Post)) {
+ HTTP::redirect(Application::getAdminURL('post/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
}
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}
diff --git a/admin/user/delete.php b/admin/user/delete.php
index 5a38b53..31389a2 100644
--- a/admin/user/delete.php
+++ b/admin/user/delete.php
@@ -25,13 +25,17 @@ if(!$User = $UserRepository->find(HTTP::GET('id'))) {
#===============================================================================
# Check for delete request
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($UserRepository->delete($User)) {
- HTTP::redirect(Application::getAdminURL('user/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($UserRepository->delete($User)) {
+ HTTP::redirect(Application::getAdminURL('user/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
}
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}