From 26426c1bfa0886cf4820a39d5cd3eddc31dda72b Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Thu, 15 Dec 2022 08:48:48 +0100
Subject: [PATCH] fixed csrf

---
 pandora_console/godmode/setup/setup_auth.php | 3 +++
 pandora_console/include/functions_config.php | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/pandora_console/godmode/setup/setup_auth.php b/pandora_console/godmode/setup/setup_auth.php
index 0a93a36da2..8bb5619796 100644
--- a/pandora_console/godmode/setup/setup_auth.php
+++ b/pandora_console/godmode/setup/setup_auth.php
@@ -77,6 +77,7 @@ if (is_ajax()) {
 true
 ).'  ';
 $table->data['autocreate_remote_users'] = $row;
+ $table->data['csrf_token'] = html_print_csrf_hidden();
 add_enterprise_auth_autocreate_profiles($table, $type_auth);
 }
@@ -475,6 +476,8 @@ if (!is_metaconsole()) {
 html_print_input_hidden('hash_save_config', md5('save'.$config['dbpass']));
 }
+html_print_csrf_hidden();
+
 html_print_table($table);
 echo '
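Review bot: `html_print_csrf_hidden()` is used inconsistently between the two hunks of this file: here its return value is stored in `$table->data['csrf_token']`, while the second hunk calls it as a bare statement, which only makes sense if the helper echoes. The existing `html_print_input_hidden('hash_save_config', ...)` call in the same file is also used as an echoing statement, so if `html_print_csrf_hidden()` follows that convention the assignment stores nothing, the token input is printed outside the table (and possibly outside the form in the AJAX fragment), and the new check in functions_config.php would then reject the submission. Confirm the helper's signature and, if it accepts a return flag like the other `html_print_*` helpers, request the markup as a string here, with a comment such as `// Token is returned, not echoed, so it lands inside the table row.` The enclosing `if (is_ajax())` block starts outside the hunk.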
'; echo '
';
diff --git a/pandora_console/include/functions_config.php b/pandora_console/include/functions_config.php
index 5c4184d81e..dbbd3877d7 100644
--- a/pandora_console/include/functions_config.php
+++ b/pandora_console/include/functions_config.php
@@ -523,6 +523,15 @@ function config_update_config()
 break;
 case 'auth':
+ $validatedCSRF = validate_csrf_code();
+
+ // CSRF Validation.
+ if ($validatedCSRF === false) {
+ include_once 'general/login_page.php';
+ // Finish the execution.
+ exit('');
+ }
+
 // AUTHENTICATION SETUP.
 if (config_update_value('auth', get_parameter('auth'), true) === false) {
 $error_update[] = __('Authentication method');
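Review bot: The token emitted by `html_print_csrf_hidden();` just before `html_print_table($table)` is only submitted if it sits inside the settings `<form>`, and the form's opening tag is not in this hunk, so that placement cannot be verified here. If the hidden input ends up outside the form, `validate_csrf_code()` in functions_config.php fails on every save and the user is sent to the login page with no indication why, which is a hard-to-diagnose silent failure. Worth a comment such as `// Must be rendered inside the settings form: config_update_config() rejects the POST without it.` and, since the AJAX branch earlier in this file also renders a token for the same form, confirming that the helper does not rotate the session token on each call so the two inputs cannot invalidate each other. This is top-level page code with no enclosing function.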