Implement token system to fix CSRF vulnerabilities

Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.

Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

1 files changed, 11 insertions, 3 deletions

diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 539f0561..c566cb47 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -27,9 +27,16 @@ if ($uid):
 
 	if (isset($_REQUEST['pkgsubmit'])) {
 
+		# Make sure authenticated user submitted the package themselves
+		if (!check_token()) {
+			$error = __("Invalid token for user action.");
+		}
+
 		# Before processing, make sure we even have a file
-		if ($_FILES['pfile']['size'] == 0){
-			$error = __("Error - No file uploaded");
+		if (!$error) {
+			if ($_FILES['pfile']['size'] == 0){
+				$error = __("Error - No file uploaded");
+			}
 		}
 
 		# Check whether the file is gzip'ed
@@ -448,7 +455,8 @@ html_header("Submit");
 ?>
 
 <form action='pkgsubmit.php' method='post' enctype='multipart/form-data'>
-	<div> <input type='hidden' name='pkgsubmit' value='1' /> </div>
+	<div> <input type='hidden' name='pkgsubmit' value='1' />
+	<input type='hidden' name='token' value='<?php print htmlspecialchars($_COOKIE['AURSID']) ?>' /> </div>
 	<table border='0' cellspacing='5'>
 		<tr>
 			<td class='f4' align='right'><?php print __("Package Category"); ?>:</td>