From 1b4eeb386a313c858f95b08bcfd099358c9e3407 Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera
Date: Mon, 24 Aug 2020 23:15:29 +0300
Subject: [PATCH 1/2] Fix Cross Site Request Forgery on theme selection by using token

---
 bl-kernel/admin/controllers/install-theme.php | 19 ++++++++++++++++---
 bl-kernel/admin/views/themes.php | 4 ++--
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/bl-kernel/admin/controllers/install-theme.php b/bl-kernel/admin/controllers/install-theme.php
index f6b69bf2..91657e84 100644
--- a/bl-kernel/admin/controllers/install-theme.php
+++ b/bl-kernel/admin/controllers/install-theme.php
@@ -21,10 +21,23 @@ checkRole(array('admin'));
 // ============================================================================
 // Main after POST
 // ============================================================================
-$themeDirectory = $layout['parameters'];
+$parameters = explode("/", $layout['parameters']);
+if(count($parameters)==2) {
+ $themeDirectory = $parameters[0];
 
-// Activate theme
-activateTheme($themeDirectory);
+ // Verify CSRF Token
+ $token = Sanitize::html($parameters[1]);
+ if (!$security->validateTokenCSRF($token)) {
+ Log::set(__FILE__.LOG_SEP.'Error occurred when trying to validate the tokenCSRF.', ALERT_STATUS_FAIL);
+ Log::set(__FILE__.LOG_SEP.'Token in install theme ['.$token.']', ALERT_STATUS_FAIL);
+
+ Session::destroy();
+ Redirect::page('login');
+ } else {
+ // Activate theme
+ activateTheme($themeDirectory);
+ }
+}
 
 // Redirect
 Redirect::page('themes');
diff --git a/bl-kernel/admin/views/themes.php b/bl-kernel/admin/views/themes.php
index 95393b89..f00cab5b 100644
--- a/bl-kernel/admin/views/themes.php
+++ b/bl-kernel/admin/views/themes.php
@@ -24,7 +24,7 @@ foreach ($themes as $theme) {
 ';
 if ($theme['dirname']!=$site->theme()) {
- echo ''.$L->g('Activate').'';
+ echo ''.$L->g('Activate').'';
 }
 echo '
@@ -50,4 +50,4 @@ foreach ($themes as $theme) {
 echo '
-';
\ No newline at end of file
+';
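Review bot: `$token = Sanitize::html($parameters[1]);` transforms the token before `validateTokenCSRF` compares it, which is the wrong place for an output-escaping helper: the value is only compared, never rendered, so if Sanitize::html applies htmlspecialchars as its name suggests, any token character it rewrites would make a genuine token fail while an attacker gains nothing from the escaping; compare the raw segment, `$token = $parameters[1];`, and escape only where the value is echoed. The token also travels as a path segment of `$layout['parameters']`, i.e. inside the URL of a link, where it is exposed to Referer headers, proxy and web-server access logs and browser history; a POST form that carries the token in the request body would keep it out of those places. If `validateTokenCSRF` does not already use `hash_equals()` for the comparison, that is worth checking at the same time, since its body is not visible here.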
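Review bot: The removed and added `echo` lines in this hunk read identically here because the anchor markup was lost in extraction, so the actual href change cannot be reviewed from this rendering; judging from the controller, the new link presumably appends the CSRF token as a second path segment after the theme directory. Theme activation is a state change triggered by a plain GET link, and a token in the URL leaks through Referer headers, access logs and history; rendering a small `<form method="post">` with a hidden input carrying the token and a submit button, with the controller reading it from the POST body, would be the stronger shape. The enclosing `foreach` starts before the hunk.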
From ca0d973a249c464b4d40b27f7e452dd860102cc7 Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera
Date: Mon, 24 Aug 2020 23:25:08 +0300
Subject: [PATCH 2/2] Logout in case no CSRF token provided while trying to change theme

---
 bl-kernel/admin/controllers/install-theme.php | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/bl-kernel/admin/controllers/install-theme.php b/bl-kernel/admin/controllers/install-theme.php
index 91657e84..2bfa6c91 100644
--- a/bl-kernel/admin/controllers/install-theme.php
+++ b/bl-kernel/admin/controllers/install-theme.php
@@ -21,23 +21,25 @@ checkRole(array('admin'));
 // ============================================================================
 // Main after POST
 // ============================================================================
+$token = "";
 $parameters = explode("/", $layout['parameters']);
 if(count($parameters)==2) {
 $themeDirectory = $parameters[0];
 
 // Verify CSRF Token
 $token = Sanitize::html($parameters[1]);
- if (!$security->validateTokenCSRF($token)) {
- Log::set(__FILE__.LOG_SEP.'Error occurred when trying to validate the tokenCSRF.', ALERT_STATUS_FAIL);
- Log::set(__FILE__.LOG_SEP.'Token in install theme ['.$token.']', ALERT_STATUS_FAIL);
-
- Session::destroy();
- Redirect::page('login');
- } else {
+ if ($security->validateTokenCSRF($token)) {
 // Activate theme
 activateTheme($themeDirectory);
+
+ // Redirect
+ Redirect::page('themes');
 }
 }
 
-// Redirect
-Redirect::page('themes');
+Log::set(__FILE__.LOG_SEP.'Error occurred when trying to validate the tokenCSRF.', ALERT_STATUS_FAIL);
+Log::set(__FILE__.LOG_SEP.'Token in install theme ['.$token.']', ALERT_STATUS_FAIL);
+
+Session::destroy();
+Redirect::page('login');
+
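Review bot: The success branch relies on `Redirect::page('themes')` terminating the script; `Redirect::page` is not visible here, and if it only emits a Location header and returns, execution continues into the unconditional `Session::destroy()` and `Redirect::page('login')` at the end of the hunk, so a valid activation would also log the admin out. Make the termination explicit, `Redirect::page('themes'); exit;`, or keep the failure handling in an `else` branch so control flow does not depend on the helper exiting. `Log::set(__FILE__.LOG_SEP.'Token in install theme ['.$token.']', ALERT_STATUS_FAIL)` writes the submitted value verbatim to the log on every failure, so a stale or mistyped but otherwise real token ends up in the log file; logging only that validation failed, or a truncated form of the value, is the safer default. Destroying the session whenever the second path segment is missing or wrong also means any cross-site request to this controller can force an admin logout; that is the commit's stated intent, but a one-line comment above `Session::destroy()` saying so would help the next maintainer.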