diff options
-rw-r--r-- | application/config/config.php | 2 | ||||
-rw-r--r-- | application/core/MY_Controller.php | 46 | ||||
-rw-r--r-- | application/views/file/client.php | 4 | ||||
-rw-r--r-- | application/views/file_plaintext/client.php | 4 |
4 files changed, 51 insertions, 5 deletions
diff --git a/application/config/config.php b/application/config/config.php index dda82de97..4aadac68d 100644 --- a/application/config/config.php +++ b/application/config/config.php @@ -293,7 +293,7 @@ $config['global_xss_filtering'] = FALSE; | 'csrf_cookie_name' = The cookie name | 'csrf_expire' = The number in seconds the token should expire. */ -$config['csrf_protection'] = FALSE; +$config['csrf_protection'] = FALSE; // our controller enables this later $config['csrf_token_name'] = 'csrf_test_name'; $config['csrf_cookie_name'] = 'csrf_cookie_name'; $config['csrf_expire'] = 7200; diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php index 3ee63424a..09b813b71 100644 --- a/application/core/MY_Controller.php +++ b/application/core/MY_Controller.php @@ -19,6 +19,7 @@ class MY_Controller extends CI_Controller { parent::__construct(); $this->var = new StdClass(); + $csrf_protection = true; $this->load->library('migration'); if ( ! $this->migration->current()) { @@ -41,6 +42,51 @@ class MY_Controller extends CI_Controller { show_error("Function not JSON enabled"); } + if ($this->input->post("apikey") !== false) { + /* This relies on the authentication code always verifying the supplied + * apikey. If the key is not verified/logged in an attacker could simply + * add an empty "apikey" field to the CSRF form to circumvent the + * protection. If we always log in if a key is supplied we can ensure + * that an attacker (and the victim since they get a cookie) can only + * access the attacker's account. + */ + $csrf_protection = false; + } + + $uri_start = $this->uri->rsegment(1)."/".$this->uri->rsegment(2); + $csrf_whitelisted_handlers = array( + "always" => array( + /* Whitelist the upload pages because they don't cause harm and a user + * might keep the upload page open for more than csrf_expire seconds + * and we don't want to annoy them when they upload a big file and the + * CSRF check fails. + */ + "file/do_upload", + "file/do_paste", + ), + "cli_client" => array( + "file/do_delete", + "file/delete", + "file/upload_history", + ), + ); + if (in_array($uri_start, $csrf_whitelisted_handlers["always"])) { + $csrf_protection = false; + } + + // TODO: replace cli client with request_type("plain")? + if (is_cli_client() && in_array($uri_start, $csrf_whitelisted_handlers["cli_client"])) { + $csrf_protection = false; + } + + if ($csrf_protection) { + // 2 functions for accessing config options, really? + $this->config->set_item('csrf_protection', true); + config_item("csrf_protection", true); + $this->security->__construct(); + $this->security->csrf_verify(); + } + $this->data['title'] = "FileBin"; } } diff --git a/application/views/file/client.php b/application/views/file/client.php index 5e141f141..29e254a80 100644 --- a/application/views/file/client.php +++ b/application/views/file/client.php @@ -42,7 +42,7 @@ machine <?php echo $domain; ?> login my_username password my_secret_password <h1>Shell</h1> <pre> -curl -n -F "file=@/home/user/foo" <?php echo site_url(); ?> (binary safe) -cat file | curl -n -F "file=@-;filename=stdin" <?php echo site_url(); ?> (binary safe) +curl -n -F "file=@/home/user/foo" <?php echo site_url("file/do_upload"); ?> (binary safe) +cat file | curl -n -F "file=@-;filename=stdin" <?php echo site_url("file/do_upload"); ?> (binary safe) </pre> diff --git a/application/views/file_plaintext/client.php b/application/views/file_plaintext/client.php index b37fd81bd..0ab556df2 100644 --- a/application/views/file_plaintext/client.php +++ b/application/views/file_plaintext/client.php @@ -1,6 +1,6 @@ Shell (binary safe): - curl -n -F "file=@/home/user/foo" <?php echo site_url()."\n"; ?> - cat file | curl -n -F "file=@-;filename=stdin" <?php echo site_url()."\n"; ?> + curl -n -F "file=@/home/user/foo" <?php echo site_url("file/do_upload")."\n"; ?> + cat file | curl -n -F "file=@-;filename=stdin" <?php echo site_url("file/do_upload")."\n"; ?> Client: Development (git): http://git.server-speed.net/users/flo/fb |