Add CSRF protection for POST requests

Add the CSRF token to all forms, and validate it when those forms are
submitted.

https://sourceforge.net/p/postfixadmin/bugs/372/



git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1842 a1433add-5e2c-0410-b055-b7f2511e0802

broadcast-message.php

@@ -38,6 +38,8 @@ $smtp_from_email = smtp_get_admin_email();
 
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
+   if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
    if (empty($_POST['subject']) || empty($_POST['message']) || empty($_POST['name']))
    {
       $error = 1;

edit.php

@@ -93,6 +93,7 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") {
 
 
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+    if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
     $inp_values = safepost('value', array() );
 
     foreach($form_fields as $key => $field) {

sendmail.php

@@ -39,6 +39,8 @@ $smtp_from_email = smtp_get_admin_email();
 
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
+   if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
    $fTo = safepost('fTo');
    $fFrom = $smtp_from_email;
    $fSubject = safepost('fSubject');

templates/broadcast-message.tpl

@@ -1,5 +1,6 @@
 <div id="edit_form">
 <form name="broadcast-message" method="post" action="">
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 	<tr>
 		<th colspan="2">{$PALANG.pBroadcast_title}</th>

templates/editform.tpl

@@ -1,6 +1,7 @@
 <div id="edit_form">
 <form name="edit_{$table}" method="post" action="">
 <input class="flat" type="hidden" name="table" value="{$table}" />
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 
 <table>
 	<tr>

templates/password.tpl

@@ -1,5 +1,6 @@
 <div id="edit_form">
 <form name="password" method="post" action="">
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 	<tr>
 		<th colspan="3">{$PALANG.pPassword_welcome}</th>

templates/sendmail.tpl

@@ -1,5 +1,6 @@
 <div id="edit_form">
 <form name="mailbox" method="post" action="">
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 	<tr>
 		<th colspan="3">{$PALANG.pSendmail_welcome}</th>

templates/users_edit-alias.tpl

@@ -1,5 +1,6 @@
 <div id="edit_form">
 <form name="alias" method="post" action="">
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 	<tr>
 		<th colspan="3">{$PALANG.pEdit_alias_welcome}<br /><em>{$PALANG.pEdit_alias_help}</em></th>

templates/vacation.tpl

@@ -3,6 +3,7 @@
 {/literal}
 <div id="edit_form">
 <form name="edit-vacation" method="post" action=''>
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table>
 	<tr>
 		<th colspan="3">{$PALANG.pUsersVacation_welcome}</th>

users/edit-alias.php

@@ -52,6 +52,8 @@ if ($_SERVER['REQUEST_METHOD'] == "GET")
 
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
+    if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
     // user clicked on cancel button
     if(isset($_POST['fCancel'])) {
         header("Location: main.php");

users/password.php

@@ -37,6 +37,8 @@ $pPassword_password_current_text = "";
 
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
+    if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
     if(isset($_POST['fCancel'])) {
         header("Location: main.php");
         exit(0);

vacation.php

@@ -103,6 +103,8 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") {
 
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
+    if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
     if(isset($_POST['fCancel'])) {
         header ("Location: $Return_url");
         exit(0);