Add CSRF protection

Signed-off-by: Florian Pritz <bluewind@xinu.at>

4 files changed, 51 insertions, 5 deletions

diff --git a/application/config/config.php b/application/config/config.php
index dda82de97..4aadac68d 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -293,7 +293,7 @@ $config['global_xss_filtering'] = FALSE;
 | 'csrf_cookie_name' = The cookie name
 | 'csrf_expire' = The number in seconds the token should expire.
 */
-$config['csrf_protection'] = FALSE;
+$config['csrf_protection'] = FALSE; // our controller enables this later
 $config['csrf_token_name'] = 'csrf_test_name';
 $config['csrf_cookie_name'] = 'csrf_cookie_name';
 $config['csrf_expire'] = 7200;
diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index 3ee63424a..09b813b71 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -19,6 +19,7 @@ class MY_Controller extends CI_Controller {
 		parent::__construct();
 
 		$this->var = new StdClass();
+		$csrf_protection = true;
 
 		$this->load->library('migration');
 		if ( ! $this->migration->current()) {
@@ -41,6 +42,51 @@ class MY_Controller extends CI_Controller {
 			show_error("Function not JSON enabled");
 		}
 
+		if ($this->input->post("apikey") !== false) {
+			/* This relies on the authentication code always verifying the supplied
+			 * apikey. If the key is not verified/logged in an attacker could simply
+			 * add an empty "apikey" field to the CSRF form to circumvent the
+			 * protection. If we always log in if a key is supplied we can ensure
+			 * that an attacker (and the victim since they get a cookie) can only
+			 * access the attacker's account.
+			 */
+			$csrf_protection = false;
+		}
+
+		$uri_start = $this->uri->rsegment(1)."/".$this->uri->rsegment(2);
+		$csrf_whitelisted_handlers = array(
+			"always" => array(
+				/* Whitelist the upload pages because they don't cause harm and a user
+				 * might keep the upload page open for more than csrf_expire seconds
+				 * and we don't want to annoy them when they upload a big file and the
+				 * CSRF check fails.
+				 */
+				"file/do_upload",
+				"file/do_paste",
+			),
+			"cli_client" => array(
+				"file/do_delete",
+				"file/delete",
+				"file/upload_history",
+			),
+		);
+		if (in_array($uri_start, $csrf_whitelisted_handlers["always"])) {
+			$csrf_protection = false;
+		}
+
+		// TODO: replace cli client with request_type("plain")?
+		if (is_cli_client() && in_array($uri_start, $csrf_whitelisted_handlers["cli_client"])) {
+			$csrf_protection = false;
+		}
+
+		if ($csrf_protection) {
+			// 2 functions for accessing config options, really?
+			$this->config->set_item('csrf_protection', true);
+			config_item("csrf_protection", true);
+			$this->security->__construct();
+			$this->security->csrf_verify();
+		}
+
 		$this->data['title'] = "FileBin";
 	}
 }
diff --git a/application/views/file/client.php b/application/views/file/client.php
index 5e141f141..29e254a80 100644
--- a/application/views/file/client.php
+++ b/application/views/file/client.php
@@ -42,7 +42,7 @@ machine <?php echo $domain; ?> login my_username password my_secret_password
 <h1>Shell</h1>
 
 <pre>
-curl -n -F "file=@/home/user/foo" <?php echo site_url(); ?>   (binary safe)
-cat file | curl -n -F "file=@-;filename=stdin" <?php echo site_url(); ?>   (binary safe)
+curl -n -F "file=@/home/user/foo" <?php echo site_url("file/do_upload"); ?>   (binary safe)
+cat file | curl -n -F "file=@-;filename=stdin" <?php echo site_url("file/do_upload"); ?>   (binary safe)
 </pre>
 
diff --git a/application/views/file_plaintext/client.php b/application/views/file_plaintext/client.php
index b37fd81bd..0ab556df2 100644
--- a/application/views/file_plaintext/client.php
+++ b/application/views/file_plaintext/client.php
@@ -1,6 +1,6 @@
 Shell (binary safe):
-  curl -n -F "file=@/home/user/foo" <?php echo site_url()."\n"; ?>
-  cat file | curl -n -F "file=@-;filename=stdin" <?php echo site_url()."\n"; ?>
+  curl -n -F "file=@/home/user/foo" <?php echo site_url("file/do_upload")."\n"; ?>
+  cat file | curl -n -F "file=@-;filename=stdin" <?php echo site_url("file/do_upload")."\n"; ?>
 
 Client:
 Development (git): http://git.server-speed.net/users/flo/fb