Главная Обзор Помощь
Вход
yosoyhendrix
/
hestiacp
зеркало из https://github.com/hestiacp/hestiacp
1
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: 00e4250c56
Ветки Метки
hestiacp
/
web
/
inc
/
prevent_csrf.php

prevent_csrf.php 4.3 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. <?php
    2. 

  2. 

  3.     $check_csrf = true;
    4. 

  4. 

  5.     if ($_SERVER['SCRIPT_FILENAME'] == '/usr/local/hestia/web/inc/mail-wrapper.php' || $_SERVER['SCRIPT_FILENAME'] == '/usr/local/hestia//web/inc/mail-wrapper.php') {
    6. 

  6.         $check_csrf=false;
    7. 

  7.     } // execute only from CLI
    8. 

  8.     if ($_SERVER['SCRIPT_FILENAME'] == '/usr/local/hestia/web/reset/mail/index.php' || $_SERVER['SCRIPT_FILENAME'] == '/usr/local/hestia/web//reset/mail/index.php') {
    9. 

  9.         $check_csrf=false;
    10. 

  10.     } // Localhost only
    11. 

  11.     if ($_SERVER['SCRIPT_FILENAME'] == '/usr/local/hestia/web/api/index.php' || $_SERVER['SCRIPT_FILENAME'] == '/usr/local/hestia/web//api/index.php') {
    12. 

  12.         $check_csrf=false;
    13. 

  13.     } // Own check
    14. 

  14.     if (substr($_SERVER['SCRIPT_FILENAME'], 0, 22)=='/usr/local/hestia/bin/') {
    15. 

  15.         $check_csrf=false;
    16. 

  16.     }
    17. 

  17. 

  18.     function checkStrictness($level)
    19. 

  19.     {
    20. 

  20.         if ($level >= $_SESSION['POLICY_CSRF_STRICTNESS']) {
    21. 

  21.             return true;
    22. 

  22.         } else {
    23. 

  23.             http_response_code(400);
    24. 

  24.             echo "<h1>Potential use CSRF detected</h1>\n".
    25. 

  25.             "<p>Please disable any plugins/add-ons inside your browser or contact your system administrator. If you are the system administrator you can run v-change-sys-config-value 'POLICY_CSRF_STRICTNESS' '0' as root to disable this check.<p>".
    26. 

  26.             "<p>If you followed a bookmark or an static link <a href='/'>please click here</a>";
    27. 

  27.             die();
    28. 

  28.         }
    29. 

  29.     }
    30. 

  30. 

  31.     function prevent_post_csrf()
    32. 

  32.     {
    33. 

  33.         if (!empty($_SERVER['REQUEST_METHOD'])) {
    34. 

  34.             if ($_SERVER['REQUEST_METHOD']==='POST') {
    35. 

  35.                 if(!empty($_SERVER["HTTP_HOST"])){
    36. 

  36.                     list($hostname, $port) = explode(':', $_SERVER["HTTP_HOST"].":");
    37. 

  37.                     if(empty($port)){
    38. 

  38.                         $port = 443;
    39. 

  39.                     }
    40. 

  40.                 }else{
    41. 

  41.                     $hostname = gethostname();
    42. 

  42.                     $port = 443;
    43. 

  43.                 }
    44. 

  44.                 if (isset($_SERVER['HTTP_ORIGIN'])) {
    45. 

  45.                     $origin_host = parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST);
    46. 

  46.                     if (strcmp($origin_host, gethostname()) === 0 && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
    47. 

  47.                         return checkStrictness(2);
    48. 

  48.                     } else {
    49. 

  49.                         if (strcmp($origin_host, $hostname) === 0 && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
    50. 

  50.                             return checkStrictness(1);
    51. 

  51.                         } else {
    52. 

  52.                             return checkStrictness(0);
    53. 

  53.                         }
    54. 

  54.                     }
    55. 

  55.                 }
    56. 

  56.             }
    57. 

  57.         }
    58. 

  58.     }
    59. 

  59. 

  60.     function prevent_get_csrf()
    61. 

  61.     {
    62. 

  62.         if (!empty($_SERVER['REQUEST_METHOD'])) {
    63. 

  63.             if ($_SERVER['REQUEST_METHOD']==='GET') {
    64. 

  64.                 if(!empty($_SERVER["HTTP_HOST"])){
    65. 

  65.                     list($hostname, $port) = explode(':', $_SERVER["HTTP_HOST"].":");
    66. 

  66.                     if(empty($port)){
    67. 

  67.                         $port = 443;
    68. 

  68.                     }
    69. 

  69.                 }else{
    70. 

  70.                     $hostname = gethostname();
    71. 

  71.                     $port = 443;
    72. 

  72.                 }
    73. 

  73. 

  74.                 //list of possible entries route and these should never be blocked
    75. 

  75.                 if (in_array($_SERVER['DOCUMENT_URI'], array('/list/user/index.php', '/login/index.php','/list/web/index.php','/list/dns/index.php','/list/mail/index.php','/list/db/index.php','/list/cron/index.php','/list/backup/index.php','/reset/index.php'))) {
    76. 

  76.                     return true;
    77. 

  77.                 }
    78. 

  78.                 if (isset($_SERVER['HTTP_REFERER'])) {
    79. 

  79.                     $referrer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    80. 

  80.                     if (strcmp($referrer_host, gethostname()) === 0 && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
    81. 

  81.                         return checkStrictness(2);
    82. 

  82.                     } else {
    83. 

  83.                         if (strcmp($referrer_host, $hostname) === 0 && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
    84. 

  84.                             return checkStrictness(1);
    85. 

  85.                         } else {
    86. 

  86.                             return checkStrictness(0);
    87. 

  87.                         }
    88. 

  88.                     }
    89. 

  89.                 } else {
    90. 

  90.                     return checkStrictness(0);
    91. 

  91.                 }
    92. 

  92.             }
    93. 

  93.         }
    94. 

  94.     }
    95. 

  95. 

  96.     if ($check_csrf == true) {
    97. 

  97.         prevent_post_csrf();
    98. 

  98.         prevent_get_csrf();
    99. 

  99.     }
    100.