From 52a7df2b3ac2cce37a3cb09e3db8d059e2cbe5ad Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Fri, 20 May 2016 20:42:04 +0000
Subject: [PATCH] Add CSRF protection for POST requests

Add the CSRF token to all forms, and validate it when those forms are submitted.
https://sourceforge.net/p/postfixadmin/bugs/372/
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1842 a1433add-5e2c-0410-b055-b7f2511e0802

---
 broadcast-message.php | 2 ++
 edit.php | 1 +
 sendmail.php | 2 ++
 templates/broadcast-message.tpl | 1 +
 templates/editform.tpl | 1 +
 templates/password.tpl | 1 +
 templates/sendmail.tpl | 1 +
 templates/users_edit-alias.tpl | 1 +
 templates/vacation.tpl | 1 +
 users/edit-alias.php | 2 ++
 users/password.php | 2 ++
 vacation.php | 2 ++
 12 files changed, 17 insertions(+)

diff --git a/broadcast-message.php b/broadcast-message.php
index 310ab2be..5b10e918 100644
--- a/broadcast-message.php
+++ b/broadcast-message.php
@@ -38,6 +38,8 @@ $smtp_from_email = smtp_get_admin_email();
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+ if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
 if (empty($_POST['subject']) || empty($_POST['message']) || empty($_POST['name'])) {
 $error = 1;
diff --git a/edit.php b/edit.php
index d3044db6..b8c9544c 100644
--- a/edit.php
+++ b/edit.php
@@ -93,6 +93,7 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") {
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+ if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
 $inp_values = safepost('value', array() );
 foreach($form_fields as $key => $field) {
diff --git a/sendmail.php b/sendmail.php
index b3f5ad83..bb5e3e7c 100644
--- a/sendmail.php
+++ b/sendmail.php
@@ -39,6 +39,8 @@ $smtp_from_email = smtp_get_admin_email();
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+ if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
 $fTo = safepost('fTo');
 $fFrom = $smtp_from_email;
 $fSubject = safepost('fSubject');
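Review bot: The token check added in broadcast-message.php (and repeated verbatim in edit.php, sendmail.php, users/edit-alias.php, users/password.php and vacation.php) uses the loose `!=` operator, so if a session ever reaches this handler without `PFA_token` set and `safepost()` yields an empty string for the missing field, `'' != null` evaluates to false and the request is accepted without any token; whether such a session is reachable depends on where the token is generated, which is outside this patch. A strict, constant-time comparison with an explicit presence check closes both gaps: `if (!isset($_SESSION['PFA_token']) || !hash_equals($_SESSION['PFA_token'], (string) safepost('token'))) { http_response_code(403); die('Invalid token!'); }`. The `die('Invalid token!')` as written also answers with a 200 status, which hides rejected requests from access logs and monitoring; the 403 above makes them visible. Since the identical two lines appear in seven POST handlers, a single helper defined alongside `safepost()` would keep the rule in one place and make future changes to the token scheme a one-line edit. The enclosing `if ($_SERVER['REQUEST_METHOD'] == "POST")` blocks continue past each hunk.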
diff --git a/templates/broadcast-message.tpl b/templates/broadcast-message.tpl index a0969f87..68eeeb29 100644 --- a/templates/broadcast-message.tpl +++ b/templates/broadcast-message.tpl @@ -1,5 +1,6 @@
+ diff --git a/templates/editform.tpl b/templates/editform.tpl index 01af0a47..b9cc84c2 100644 --- a/templates/editform.tpl +++ b/templates/editform.tpl @@ -1,6 +1,7 @@
+
{$PALANG.pBroadcast_title}
diff --git a/templates/password.tpl b/templates/password.tpl index 728345e0..8c815c95 100644 --- a/templates/password.tpl +++ b/templates/password.tpl @@ -1,5 +1,6 @@
+
diff --git a/templates/sendmail.tpl b/templates/sendmail.tpl index b33af3df..2c2e9d2c 100644 --- a/templates/sendmail.tpl +++ b/templates/sendmail.tpl @@ -1,5 +1,6 @@
+
{$PALANG.pPassword_welcome}
diff --git a/templates/users_edit-alias.tpl b/templates/users_edit-alias.tpl index 1c959fa0..c6b5b1fb 100644 --- a/templates/users_edit-alias.tpl +++ b/templates/users_edit-alias.tpl @@ -1,5 +1,6 @@
+
{$PALANG.pSendmail_welcome}
diff --git a/templates/vacation.tpl b/templates/vacation.tpl index 3af2b555..6e1a51a4 100644 --- a/templates/vacation.tpl +++ b/templates/vacation.tpl @@ -3,6 +3,7 @@ {/literal}
+
{$PALANG.pEdit_alias_welcome}
{$PALANG.pEdit_alias_help}
diff --git a/users/edit-alias.php b/users/edit-alias.php index 099f63fa..fe685ca2 100644 --- a/users/edit-alias.php +++ b/users/edit-alias.php @@ -52,6 +52,8 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") if ($_SERVER['REQUEST_METHOD'] == "POST") { + if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!'); + // user clicked on cancel button if(isset($_POST['fCancel'])) { header("Location: main.php"); diff --git a/users/password.php b/users/password.php index f6976df8..b1ee8308 100644 --- a/users/password.php +++ b/users/password.php @@ -37,6 +37,8 @@ $pPassword_password_current_text = ""; if ($_SERVER['REQUEST_METHOD'] == "POST") { + if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!'); + if(isset($_POST['fCancel'])) { header("Location: main.php"); exit(0); diff --git a/vacation.php b/vacation.php index 331a8799..a4212d3c 100644 --- a/vacation.php +++ b/vacation.php @@ -103,6 +103,8 @@ if ($_SERVER['REQUEST_METHOD'] == "GET") { if ($_SERVER['REQUEST_METHOD'] == "POST") { + if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!'); + if(isset($_POST['fCancel'])) { header ("Location: $Return_url"); exit(0);
{$PALANG.pUsersVacation_welcome}