From da69d3d768733edb9fe738f781f874c2f07b8655 Mon Sep 17 00:00:00 2001
From: glaszig <glaszig@gmail.com>
Date: Tue, 6 Aug 2019 21:34:58 +0200
Subject: [PATCH] send CSRF token in a response header, update the page's CSRF
 tokens with the new token from the response header, verify csrf token in ajax
 endpoints, initialize a session for every endpoint

---
 ajax/bandwidth/get_bandwidth.php        |  4 +++-
 ajax/bandwidth/get_bandwidth_hourly.php |  3 +++
 ajax/networking/gen_int_config.php      |  4 +++-
 ajax/networking/get_all_interfaces.php  |  3 +++
 ajax/networking/get_int_config.php      |  4 +++-
 ajax/networking/get_ip_summary.php      |  4 +++-
 ajax/networking/save_int_config.php     |  4 +++-
 includes/csrf.php                       | 11 +++++++++++
 includes/session.php                    |  5 +++++
 index.php                               |  8 +-------
 js/custom.js                            | 11 ++++++++++-
 11 files changed, 48 insertions(+), 13 deletions(-)
 create mode 100644 includes/csrf.php
 create mode 100644 includes/session.php

diff --git a/ajax/bandwidth/get_bandwidth.php b/ajax/bandwidth/get_bandwidth.php
index a784b4d7..1f11b556 100644
--- a/ajax/bandwidth/get_bandwidth.php
+++ b/ajax/bandwidth/get_bandwidth.php
@@ -1,8 +1,10 @@
 <?php
+
+require('includes/csrf.php');
+
 require_once '../../includes/config.php';
 require_once RASPI_CONFIG.'/raspap.php';
 
-session_start();
 header('X-Frame-Options: DENY');
 header("Content-Security-Policy: default-src 'none'; connect-src 'self'");
 require_once '../../includes/authenticate.php';
diff --git a/ajax/bandwidth/get_bandwidth_hourly.php b/ajax/bandwidth/get_bandwidth_hourly.php
index 5c8276df..e9875f73 100644
--- a/ajax/bandwidth/get_bandwidth_hourly.php
+++ b/ajax/bandwidth/get_bandwidth_hourly.php
@@ -1,4 +1,7 @@
 <?php 
+
+require('includes/csrf.php');
+
 if (filter_input(INPUT_GET, 'tu') == 'h') {
 
 	header('X-Content-Type-Options: nosniff');
diff --git a/ajax/networking/gen_int_config.php b/ajax/networking/gen_int_config.php
index 8d042991..2dd07089 100644
--- a/ajax/networking/gen_int_config.php
+++ b/ajax/networking/gen_int_config.php
@@ -1,5 +1,7 @@
 <?php
-session_start();
+
+require('includes/csrf.php');
+
 include_once('../../includes/config.php');
 include_once('../../includes/functions.php');
 
diff --git a/ajax/networking/get_all_interfaces.php b/ajax/networking/get_all_interfaces.php
index 432d0a5d..f76cc78e 100644
--- a/ajax/networking/get_all_interfaces.php
+++ b/ajax/networking/get_all_interfaces.php
@@ -1,4 +1,7 @@
 <?php
+
+    require('includes/csrf.php');
+
     exec("ls /sys/class/net | grep -v lo", $interfaces);
     echo json_encode($interfaces);
 ?>
diff --git a/ajax/networking/get_int_config.php b/ajax/networking/get_int_config.php
index d39f12b3..21f41ed6 100644
--- a/ajax/networking/get_int_config.php
+++ b/ajax/networking/get_int_config.php
@@ -1,5 +1,7 @@
 <?php
-session_start();
+
+require('includes/csrf.php');
+
 include_once('../../includes/config.php');
 include_once('../../includes/functions.php');
 
diff --git a/ajax/networking/get_ip_summary.php b/ajax/networking/get_ip_summary.php
index 3383337d..28d479e1 100644
--- a/ajax/networking/get_ip_summary.php
+++ b/ajax/networking/get_ip_summary.php
@@ -1,5 +1,7 @@
 <?php
-session_start();
+
+require('includes/csrf.php');
+
 include_once('../../includes/functions.php');
 
 if(isset($_POST['interface'])) {
diff --git a/ajax/networking/save_int_config.php b/ajax/networking/save_int_config.php
index e8b4f4d1..742304fb 100644
--- a/ajax/networking/save_int_config.php
+++ b/ajax/networking/save_int_config.php
@@ -1,5 +1,7 @@
 <?php
-    session_start();
+
+    require('includes/csrf.php');
+
     include_once('../../includes/config.php');
     include_once('../../includes/functions.php');
     if(isset($_POST['interface'])) {
diff --git a/includes/csrf.php b/includes/csrf.php
new file mode 100644
index 00000000..5acb047e
--- /dev/null
+++ b/includes/csrf.php
@@ -0,0 +1,11 @@
+<?php
+
+include_once('includes/functions.php');
+include_once('includes/session.php');
+
+if (csrfValidateRequest() && !CSRFValidate()) {
+  handleInvalidCSRFToken();
+}
+
+ensureCSRFSessionToken();
+header('X-CSRF-Token', $_SESSION['csrf_token']);
diff --git a/includes/session.php b/includes/session.php
new file mode 100644
index 00000000..c9c36595
--- /dev/null
+++ b/includes/session.php
@@ -0,0 +1,5 @@
+<?php
+
+if (session_status() == PHP_SESSION_NONE) {
+  session_start();
+}
diff --git a/index.php b/index.php
index ce91ea77..f9a9b14b 100755
--- a/index.php
+++ b/index.php
@@ -18,7 +18,7 @@
  * @see        http://sirlagz.net/2013/02/08/raspap-webgui/
  */
 
-session_start();
+require('includes/csrf.php');
 
 include_once('includes/config.php');
 include_once(RASPI_CONFIG.'/raspap.php');
@@ -39,12 +39,6 @@ include_once('includes/about.php');
 $output = $return = 0;
 $page = $_GET['page'];
 
-if (csrfValidateRequest() && !CSRFValidate()) {
-  handleInvalidCSRFToken();
-}
-
-ensureCSRFSessionToken();
-
 if (!isset($_COOKIE['theme'])) {
     $theme = "custom.css";
 } else {
diff --git a/js/custom.js b/js/custom.js
index 8cdcdcdd..ccc2a2d8 100644
--- a/js/custom.js
+++ b/js/custom.js
@@ -160,13 +160,22 @@ function setupBtns() {
     });
 }
 
+function updateCSRFToken(xhr, settings) {
+    var newToken = xhr.getResponseHeader("X-CSRF-Token");
+    if (newToken) {
+        $('meta[name=csrf_token]').attr('content', newToken);
+        $('[name=csrf_token]:input').attr('value', newToken);
+    }
+}
+
 $.ajaxSetup({
     beforeSend: function(xhr, settings) {
         var csrfToken = $('meta[name=csrf_token]').attr('content');
         if (/^(POST|PATCH|PUT|DELETE)$/i.test(settings.type)) {
             xhr.setRequestHeader("X-CSRF-Token", csrfToken);
         }
-    }
+    },
+    ajaxComplete: updateCSRFToken
 });
 
 $().ready(function(){