1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
<?php
/*
* Copyright 2009-2013 Florian "Bluewind" Pritz <bluewind@server-speed.net>
*
* Licensed under AGPLv3
* (see COPYING for full license text)
*
*/
class MY_Controller extends CI_Controller {
public $data = array();
public $var;
protected $json_enabled_functions = array(
);
function __construct()
{
parent::__construct();
$this->var = new StdClass();
$csrf_protection = true;
$this->load->library('migration');
if ( ! $this->migration->current()) {
show_error($this->migration->error_string());
}
$old_path = getenv("PATH");
putenv("PATH=$old_path:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin");
mb_internal_encoding('UTF-8');
$this->load->helper(array('form', 'filebin'));
// TODO: proper accept header handling or is this enough?
if (isset($_SERVER["HTTP_ACCEPT"])) {
if ($_SERVER["HTTP_ACCEPT"] == "application/json") {
static_storage("response_type", "json");
}
}
// Allow for easier testing in browser
if ($this->input->get("json") !== false) {
static_storage("response_type", "json");
}
if (static_storage("response_type") == "json" && ! in_array($this->uri->rsegment(2), $this->json_enabled_functions)) {
show_error("Function not JSON enabled");
}
if ($this->input->post("apikey") !== false) {
/* This relies on the authentication code always verifying the supplied
* apikey. If the key is not verified/logged in an attacker could simply
* add an empty "apikey" field to the CSRF form to circumvent the
* protection. If we always log in if a key is supplied we can ensure
* that an attacker (and the victim since they get a cookie) can only
* access the attacker's account.
*/
$csrf_protection = false;
}
$uri_start = $this->uri->rsegment(1)."/".$this->uri->rsegment(2);
$csrf_whitelisted_handlers = array(
"always" => array(
/* Whitelist the upload pages because they don't cause harm and a user
* might keep the upload page open for more than csrf_expire seconds
* and we don't want to annoy them when they upload a big file and the
* CSRF check fails.
*/
"file/do_upload",
"file/do_paste",
),
"cli_client" => array(
"file/do_delete",
"file/delete",
"file/upload_history",
"user/create_apikey",
"file/get_max_size",
),
);
if (in_array($uri_start, $csrf_whitelisted_handlers["always"])) {
$csrf_protection = false;
}
if (is_cli_client() && in_array($uri_start, $csrf_whitelisted_handlers["cli_client"])) {
$csrf_protection = false;
}
if ($csrf_protection && !$this->input->is_cli_request()) {
// 2 functions for accessing config options, really?
$this->config->set_item('csrf_protection', true);
config_item("csrf_protection", true);
$this->security->__construct();
$this->security->csrf_verify();
}
if ($this->config->item("environment") == "development" && static_storage("response_type") != "json") {
$this->output->enable_profiler(true);
}
$this->data['title'] = "FileBin";
$this->load->model("muser");
$this->data["user_logged_in"] = $this->muser->logged_in();
}
}
|