From 84ce2c6ce0eb1b4f2f32c4ae0d7e08f3571f5018 Mon Sep 17 00:00:00 2001
From: Florian Pritz
Date: Wed, 14 Aug 2013 17:06:07 +0200
Subject: Provide json output for api functions
Signed-off-by: Florian Pritz
---
 application/core/MY_Controller.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
(limited to 'application/core')
diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index 278768ad2..3ee63424a 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -11,7 +11,7 @@ class MY_Controller extends CI_Controller {
  public $data = array();
  public $var;
 
- private $json_enabled_functions = array(
+ protected $json_enabled_functions = array(
  );
 
  function __construct()
@@ -31,6 +31,16 @@ class MY_Controller extends CI_Controller {
  mb_internal_encoding('UTF-8');
  $this->load->helper(array('form', 'filebin'));
 
+ if (isset($_SERVER["HTTP_ACCEPT"])) {
+ if ($_SERVER["HTTP_ACCEPT"] == "application/json") {
+ request_type("json");
+ }
+ }
+
+ if (request_type() == "json" && ! in_array($this->uri->rsegment(2), $this->json_enabled_functions)) {
+ show_error("Function not JSON enabled");
+ }
+
  $this->data['title'] = "FileBin";
  }
  }
-- 
cgit v1.2.3-24-g4f1b
From 285262b6c668b4f367f8222880ceb01be39fd3ac Mon Sep 17 00:00:00 2001
From: Florian Pritz
Date: Thu, 29 Aug 2013 17:55:52 +0200
Subject: Add CSRF protection
Signed-off-by: Florian Pritz
---
 application/core/MY_Controller.php | 46 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
(limited to 'application/core')
diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index 3ee63424a..09b813b71 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -19,6 +19,7 @@ class MY_Controller extends CI_Controller {
  parent::__construct();
  $this->var = new StdClass();
+ $csrf_protection = true;
 
  $this->load->library('migration');
  if ( ! $this->migration->current()) {
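Review bot: The JSON gate in the second hunk (`@@ -31,6 +31,16`) compares `$this->uri->rsegment(2)` against `$json_enabled_functions` with a loose `in_array`, and the list holds bare method names, so a name placed in the whitelist enables JSON output for every controller that happens to have a method of that name. Passing the strict flag, `! in_array($this->uri->rsegment(2), $this->json_enabled_functions, true)`, removes the loose-comparison surprises, and if per-controller enabling is intended the list should be keyed by `rsegment(1)."/".rsegment(2)` in the same way the CSRF whitelist later on this page is. A comment should also state what happens when `rsegment(2)` is empty for a default-method request, which I infer from the routing rather than from these lines. `__construct` starts before this hunk and its first hunk (`private` → `protected`) needs no change.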
@@ -41,6 +42,51 @@ class MY_Controller extends CI_Controller {
  show_error("Function not JSON enabled");
  }
 
+ if ($this->input->post("apikey") !== false) {
+ /* This relies on the authentication code always verifying the supplied
+ * apikey. If the key is not verified/logged in an attacker could simply
+ * add an empty "apikey" field to the CSRF form to circumvent the
+ * protection. If we always log in if a key is supplied we can ensure
+ * that an attacker (and the victim since they get a cookie) can only
+ * access the attacker's account.
+ */
+ $csrf_protection = false;
+ }
+
+ $uri_start = $this->uri->rsegment(1)."/".$this->uri->rsegment(2);
+ $csrf_whitelisted_handlers = array(
+ "always" => array(
+ /* Whitelist the upload pages because they don't cause harm and a user
+ * might keep the upload page open for more than csrf_expire seconds
+ * and we don't want to annoy them when they upload a big file and the
+ * CSRF check fails.
+ */
+ "file/do_upload",
+ "file/do_paste",
+ ),
+ "cli_client" => array(
+ "file/do_delete",
+ "file/delete",
+ "file/upload_history",
+ ),
+ );
+ if (in_array($uri_start, $csrf_whitelisted_handlers["always"])) {
+ $csrf_protection = false;
+ }
+
+ // TODO: replace cli client with request_type("plain")?
+ if (is_cli_client() && in_array($uri_start, $csrf_whitelisted_handlers["cli_client"])) {
+ $csrf_protection = false;
+ }
+
+ if ($csrf_protection) {
+ // 2 functions for accessing config options, really?
+ $this->config->set_item('csrf_protection', true);
+ config_item("csrf_protection", true);
+ $this->security->__construct();
+ $this->security->csrf_verify();
+ }
+
  $this->data['title'] = "FileBin";
  }
  }
-- 
cgit v1.2.3-24-g4f1b
From 752c59413b4899b295a9359eaef98dc9efb01533 Mon Sep 17 00:00:00 2001
From: Florian Pritz
Date: Thu, 29 Aug 2013 18:01:24 +0200
Subject: Add GET parameter for json output
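Review bot: `$this->input->post("apikey") !== false` switches CSRF verification off as soon as the field is present, even when it is empty, and the block comment itself says the safety of that depends on the authentication code always logging in with the supplied key — that code is outside this hunk, so nothing here enforces it; I would at least require a non-empty value, `$apikey = $this->input->post("apikey");` / `if ($apikey !== false && $apikey !== "") {`, and extend the comment with "the key login must fail closed: a rejected key must not fall back to the cookie session". As far as I recall CodeIgniter's `config_item()` takes only the item name and returns its value, so `config_item("csrf_protection", true);` is a read rather than a write; the `set_item` call followed by re-running `$this->security->__construct()` is what actually enables the check, and the no-op line together with its "really?" comment should go. Both `in_array` calls on `$csrf_whitelisted_handlers` should pass `true` as the third argument. The "always" entries make `file/do_upload` and `file/do_paste` accept cross-site POSTs, so the "don't cause harm" comment should state whether uploads are attributed to the cookie session, because that decides whether the exemption is harmless. `__construct` begins before this hunk.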
Signed-off-by: Florian Pritz
---
 application/core/MY_Controller.php | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'application/core')
diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index 09b813b71..4c0fa278c 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -32,12 +32,18 @@ class MY_Controller extends CI_Controller {
  mb_internal_encoding('UTF-8');
  $this->load->helper(array('form', 'filebin'));
 
+ // TODO: proper accept header handling or is this enough?
  if (isset($_SERVER["HTTP_ACCEPT"])) {
  if ($_SERVER["HTTP_ACCEPT"] == "application/json") {
  request_type("json");
  }
  }
 
+ // Allow for easier testing in browser
+ if ($this->input->get("json") !== false) {
+ request_type("json");
+ }
+
  if (request_type() == "json" && ! in_array($this->uri->rsegment(2), $this->json_enabled_functions)) {
  show_error("Function not JSON enabled");
  }
-- 
cgit v1.2.3-24-g4f1b
From eafc10e06fc0e08df684722e6ca2a221aebdf4d0 Mon Sep 17 00:00:00 2001
From: Florian Pritz
Date: Sun, 1 Sep 2013 00:04:23 +0200
Subject: Disable CSRF checks for CLI requests
Otherwise we get an error in the Security class trying to access $_SERVER["REQUEST_METHOD"].
Signed-off-by: Florian Pritz
---
 application/core/MY_Controller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'application/core')
diff --git a/application/core/MY_Controller.php b/application/core/MY_Controller.php
index 4c0fa278c..312b0f763 100644
--- a/application/core/MY_Controller.php
+++ b/application/core/MY_Controller.php
@@ -85,7 +85,7 @@ class MY_Controller extends CI_Controller {
  $csrf_protection = false;
  }
 
- if ($csrf_protection) {
+ if ($csrf_protection && !$this->input->is_cli_request()) {
  // 2 functions for accessing config options, really?
  $this->config->set_item('csrf_protection', true);
  config_item("csrf_protection", true);
-- 
cgit v1.2.3-24-g4f1b
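Review bot: The exact comparison `$_SERVER["HTTP_ACCEPT"] == "application/json"` that the new TODO comment questions misses the common forms `application/json; charset=utf-8` and `text/html, application/json;q=0.9`, so clients sending a parameterised or listed Accept header still get the HTML path. A cheap improvement that covers those cases is `if (stripos($_SERVER["HTTP_ACCEPT"], "application/json") !== false) {`, keeping the TODO if a real q-value parse is wanted later. The added `?json` switch is fine for testing, but its comment should say that it is a public request option rather than a debug-only one, since the JSON-enabled gate below is the only thing that still restricts it. `__construct` continues outside the hunk.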
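Review bot: The new condition `$csrf_protection && !$this->input->is_cli_request()` carries its reason only in the commit message; a one-line comment above it, `// CLI runs have no REQUEST_METHOD, which csrf_verify() reads, so the check is skipped there`, keeps the intent next to the code. It is also worth saying in that comment that `is_cli_request()` (the PHP CLI SAPI) is a different test from the `is_cli_client()` helper used for the whitelist a few lines above, which presumably classifies HTTP clients, so the two are not conflated later. `__construct` continues outside the hunk.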