From 764b1125bd3739b77b1f98a99d2b05e2d41ce66b Mon Sep 17 00:00:00 2001
From: fermin831
Date: Thu, 13 Sep 2018 15:19:08 +0200
Subject: [PATCH] Generate session csrf code to avoid attacks in user edition
---
 .../godmode/users/configure_user.php | 15 ++++++------
 pandora_console/include/functions.php | 23 +++++++++++++++++++
 pandora_console/include/functions_html.php | 20 ++++++++++++++++
 pandora_console/operation/users/user_edit.php | 3 +++
 4 files changed, 54 insertions(+), 7 deletions(-)
diff --git a/pandora_console/godmode/users/configure_user.php b/pandora_console/godmode/users/configure_user.php
index 080b90a120..f5b7fdc5bc 100644
--- a/pandora_console/godmode/users/configure_user.php
+++ b/pandora_console/godmode/users/configure_user.php
@@ -152,7 +152,8 @@ if ($create_user) {
 ui_print_error_message (__('The current authentication scheme doesn\'t support creating users on %s', get_product_name()));
 return;
 }
-
+ if (html_print_csrf_error()) return;
+
 $values = array ();
 $values['id_user'] = (string) get_parameter ('id_user');
 $values['fullname'] = (string) get_parameter ('fullname');
@@ -279,6 +280,8 @@ if ($create_user) {
 }
 if ($update_user) {
+ if (html_print_csrf_error()) return;
+
 $values = array ();
 $values['id_user'] = (string) get_parameter ('id_user');
 $values['fullname'] = (string) get_parameter ('fullname');
@@ -705,14 +708,12 @@ echo '
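Review bot: In the create-user hunk the new `html_print_csrf_error()` check is the only thing standing between the request and the state change, and nothing visible restricts that handler to POST; `get_parameter` is not shown here but appears to read the token from either GET or POST, so a token that leaks into a URL, a referer or an access log would still be honoured. Consider tying the check to the form submission, `if ($_SERVER['REQUEST_METHOD'] !== 'POST' || html_print_csrf_error()) return;`, so a crafted GET link cannot satisfy it. The same applies to the update-user hunk below it; both `if ($create_user)` and `if ($update_user)` bodies continue outside the hunk.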
'; html_print_table ($table); echo '
';
-if ($new_user) {
- if ($config['admin_can_add_user']) {
+if ($config['admin_can_add_user']) {
+ html_print_csrf_hidden();
+ if ($new_user) {
 html_print_input_hidden ('create_user', 1);
 html_print_submit_button (__('Create'), 'crtbutton', false, 'class="sub wand"');
- }
-}
-else {
- if ($config['user_can_update_info']) {
+ } else {
 html_print_input_hidden ('update_user', 1);
 html_print_submit_button (__('Update'), 'uptbutton', false, 'class="sub upd"');
 }
diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php
index be0cb70178..e2c5c742a3 100644
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
@@ -3344,4 +3344,27 @@ function get_copyright_notice () {
 return $stored_name;
 }
+/**
+ * Generate a random code to prevent cross site request fogery attacks
+ *
+ * @return string Generated code
+ */
+function generate_csrf_code() {
+ // Start session to make this var permanent
+ session_start();
+ $_SESSION['csrf_code'] = md5(uniqid(mt_rand(), true));
+ session_write_close();
+ return $_SESSION['csrf_code'];
+}
+
+/**
+ * Validate the CSRF code
+ *
+ * @return bool True if code is valid
+ */
+function validate_csrf_code() {
+ $code = get_parameter('csrf_code');
+ return isset($code) && isset($_SESSION['csrf_code'])
+ && $_SESSION['csrf_code'] == $code;
+}
 ?>
diff --git a/pandora_console/include/functions_html.php b/pandora_console/include/functions_html.php
index 83e49c5b43..783f1a9cab 100644
--- a/pandora_console/include/functions_html.php
+++ b/pandora_console/include/functions_html.php
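Review bot: The rewritten button block in configure_user.php changes which setting gates the Update button: the removed lines required `$config['user_can_update_info']` for the update case, while the new code puts both Create and Update under `$config['admin_can_add_user']`, so a deployment that allows updates but not user creation would lose the Update button and one with the opposite settings would gain it. If that is not intended, restore the removed `if ($config['user_can_update_info'])` guard around the update branch and call `html_print_csrf_hidden();` inside each guarded branch rather than once at the top. If the new gate is deliberate, it is a permission change worth stating in the commit message, which only mentions CSRF. The hunk's leading context starts on the previous line and the surrounding form markup is not shown.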
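Review bot: `validate_csrf_code()` compares the stored and submitted tokens with `==`; for two numeric-looking md5 strings (both of the form `0e` followed by digits) PHP compares them as numbers and reports a match for different tokens, and the comparison is not constant-time either. Replace the last two lines with `return is_string($code) && isset($_SESSION['csrf_code']) && hash_equals($_SESSION['csrf_code'], $code);` (the `is_string` check guards against `get_parameter`, not shown here, returning an array). In `generate_csrf_code()`, `md5(uniqid(mt_rand(), true))` is not a cryptographic source; `$_SESSION['csrf_code'] = bin2hex(random_bytes(16));` gives an unpredictable 128-bit token on PHP 7+, or `openssl_random_pseudo_bytes` if older PHP must remain supported. `session_start()` is also called unconditionally although the calling request may already have an active session; guarding it with `if (session_status() !== PHP_SESSION_ACTIVE)` avoids the "session already started" notice.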
@@ -2504,4 +2504,24 @@ function html_print_sort_arrows ($params, $order_tag, $up = 'up', $down = 'down'
 '' ;
 }
+
+/**
+ * Print an input hidden with a new csrf token generated
+ */
+function html_print_csrf_hidden () {
+ html_print_input_hidden('csrf_code', generate_csrf_code());
+}
+
+/**
+ * Print an error if csrf is incorrect
+ */
+function html_print_csrf_error () {
+ if (validate_csrf_code()) return false;
+
+ ui_print_error_message (
+ __('%s cannot verify the origin of the request. Try again, please.',
+ get_product_name())
+ );
+ return true;
+}
 ?>
diff --git a/pandora_console/operation/users/user_edit.php b/pandora_console/operation/users/user_edit.php
index 80826864f4..83b69c85d2 100644
--- a/pandora_console/operation/users/user_edit.php
+++ b/pandora_console/operation/users/user_edit.php
@@ -66,6 +66,8 @@ else {
 // Update user info
 if (isset ($_GET["modified"]) && !$view_mode) {
+ if (html_print_csrf_error()) return;
+
 $upd_info = array ();
 $upd_info["fullname"] = get_parameter_post ("fullname", $user_info["fullname"]);
 $upd_info["firstname"] = get_parameter_post ("firstname", $user_info["firstname"]);
@@ -490,6 +492,7 @@ if (!$config["user_can_update_info"]) {
 echo ''.__('You can not change your user info under the current authentication scheme').'';
 }
 else {
+ html_print_csrf_hidden();
 html_print_submit_button (__('Update'), 'uptbutton', $view_mode, 'class="sub upd"');
 }
 echo '
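Review bot: `html_print_csrf_hidden()` calls `generate_csrf_code()` on every render, and that function overwrites the single `$_SESSION['csrf_code']`, so each form rendered in a session invalidates every form rendered before it; a user with two edit pages open (or a page that prints the field twice) will have the earlier form rejected by `html_print_csrf_error()` with the "cannot verify the origin" message. Reuse the session's token when one exists, e.g. `$code = isset($_SESSION['csrf_code']) ? $_SESSION['csrf_code'] : generate_csrf_code();` followed by `html_print_input_hidden('csrf_code', $code);`. The docblocks could also state that the token is per-session and is not consumed by a successful check, so callers know that re-submitting the same form within the session is accepted.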
';