Главная Обзор Помощь
Вход
yosoyhendrix
/
hestiacp
зеркало из https://github.com/hestiacp/hestiacp
1
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: 27e6dbedf9
Ветки Метки
hestiacp
/
web
/
inc
/
prevent_csrf.php

prevent_csrf.php 3.9 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151 
  1. <?php
    2. 

  2. 

  3. $check_csrf = true;
    4. 

  4. 

  5. if (
    6. 

  6. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/inc/mail-wrapper.php" ||
    7. 

  7. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia//web/inc/mail-wrapper.php"
    8. 

  8. ) {
    9. 

  9. 	$check_csrf = false;
    10. 

  10. } // execute only from CLI
    11. 

  11. if (
    12. 

  12. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/reset/mail/index.php" ||
    13. 

  13. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web//reset/mail/index.php"
    14. 

  14. ) {
    15. 

  15. 	$check_csrf = false;
    16. 

  16. } // Localhost only
    17. 

  17. if (
    18. 

  18. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/api/index.php" ||
    19. 

  19. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web//api/index.php"
    20. 

  20. ) {
    21. 

  21. 	$check_csrf = false;
    22. 

  22. } // Own check
    23. 

  23. if (substr($_SERVER["SCRIPT_FILENAME"], 0, 22) == "/usr/local/hestia/bin/") {
    24. 

  24. 	$check_csrf = false;
    25. 

  25. }
    26. 

  26. 

  27. function checkStrictness($level) {
    28. 

  28. 	if ($level >= $_SESSION["POLICY_CSRF_STRICTNESS"]) {
    29. 

  29. 		return true;
    30. 

  30. 	} else {
    31. 

  31. 		http_response_code(400);
    32. 

  32. 		echo "<h1>Potential CSRF use detected</h1>\n" .
    33. 

  33. 			"<p>Please disable any plugins/add-ons inside your browser or contact your system administrator. If you are the system administrator you can run v-change-sys-config-value 'POLICY_CSRF_STRICTNESS' '0' as root to disable this check.<p>" .
    34. 

  34. 			"<p>If you followed a bookmark or an static link please <a href='/'>navigate to root</a>";
    35. 

  35. 		die();
    36. 

  36. 	}
    37. 

  37. }
    38. 

  38. 

  39. function prevent_post_csrf() {
    40. 

  40. 	if (!empty($_SERVER["REQUEST_METHOD"])) {
    41. 

  41. 		if ($_SERVER["REQUEST_METHOD"] === "POST") {
    42. 

  42. 			if (!empty($_SERVER["HTTP_HOST"])) {
    43. 

  43. 				$hostname = preg_replace(
    44. 

  44. 					"/(\[?[^]]*\]?):([0-9]{1,5})$/",
    45. 

  45. 					"$1",
    46. 

  46. 					$_SERVER["HTTP_HOST"],
    47. 

  47. 				);
    48. 

  48. 				$port_is_defined = preg_match("/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"]);
    49. 

  49. 				if ($port_is_defined) {
    50. 

  50. 					$port = preg_replace(
    51. 

  51. 						"/(\[?[^]]*\]?):([0-9]{1,5})$/",
    52. 

  52. 						"$2",
    53. 

  53. 						$_SERVER["HTTP_HOST"],
    54. 

  54. 					);
    55. 

  55. 				} else {
    56. 

  56. 					$port = 443;
    57. 

  57. 				}
    58. 

  58. 			} else {
    59. 

  59. 				$hostname = gethostname();
    60. 

  60. 				$port = 443;
    61. 

  61. 			}
    62. 

  62. 			if (isset($_SERVER["HTTP_ORIGIN"])) {
    63. 

  63. 				$origin_host = parse_url($_SERVER["HTTP_ORIGIN"], PHP_URL_HOST);
    64. 

  64. 				if (
    65. 

  65. 					strcmp($origin_host, gethostname()) === 0 &&
    66. 

  66. 					in_array($port, ["443", $_SERVER["SERVER_PORT"]])
    67. 

  67. 				) {
    68. 

  68. 					return checkStrictness(2);
    69. 

  69. 				} else {
    70. 

  70. 					if (
    71. 

  71. 						strcmp($origin_host, $hostname) === 0 &&
    72. 

  72. 						in_array($port, ["443", $_SERVER["SERVER_PORT"]])
    73. 

  73. 					) {
    74. 

  74. 						return checkStrictness(1);
    75. 

  75. 					} else {
    76. 

  76. 						return checkStrictness(0);
    77. 

  77. 					}
    78. 

  78. 				}
    79. 

  79. 			}
    80. 

  80. 		}
    81. 

  81. 	}
    82. 

  82. }
    83. 

  83. 

  84. function prevent_get_csrf() {
    85. 

  85. 	if (!empty($_SERVER["REQUEST_METHOD"])) {
    86. 

  86. 		if ($_SERVER["REQUEST_METHOD"] === "GET") {
    87. 

  87. 			if (!empty($_SERVER["HTTP_HOST"])) {
    88. 

  88. 				$hostname = preg_replace(
    89. 

  89. 					"/(\[?[^]]*\]?):([0-9]{1,5})$/",
    90. 

  90. 					"$1",
    91. 

  91. 					$_SERVER["HTTP_HOST"],
    92. 

  92. 				);
    93. 

  93. 				$port_is_defined = preg_match("/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"]);
    94. 

  94. 				if ($port_is_defined) {
    95. 

  95. 					$port = preg_replace(
    96. 

  96. 						"/(\[?[^]]*\]?):([0-9]{1,5})$/",
    97. 

  97. 						"$2",
    98. 

  98. 						$_SERVER["HTTP_HOST"],
    99. 

  99. 					);
    100. 

  100. 				} else {
    101. 

  101. 					$port = 443;
    102. 

  102. 				}
    103. 

  103. 			} else {
    104. 

  104. 				$hostname = gethostname();
    105. 

  105. 				$port = 443;
    106. 

  106. 			}
    107. 

  107. 

  108. 			//list of possible entries route and these should never be blocked
    109. 

  109. 			if (
    110. 

  110. 				in_array($_SERVER["DOCUMENT_URI"], [
    111. 

  111. 					"/list/user/index.php",
    112. 

  112. 					"/login/index.php",
    113. 

  113. 					"/list/web/index.php",
    114. 

  114. 					"/list/dns/index.php",
    115. 

  115. 					"/list/mail/index.php",
    116. 

  116. 					"/list/db/index.php",
    117. 

  117. 					"/list/cron/index.php",
    118. 

  118. 					"/list/backup/index.php",
    119. 

  119. 					"/reset/index.php",
    120. 

  120. 				])
    121. 

  121. 			) {
    122. 

  122. 				return true;
    123. 

  123. 			}
    124. 

  124. 			if (isset($_SERVER["HTTP_REFERER"])) {
    125. 

  125. 				$referrer_host = parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST);
    126. 

  126. 				if (
    127. 

  127. 					strcmp($referrer_host, gethostname()) === 0 &&
    128. 

  128. 					in_array($port, ["443", $_SERVER["SERVER_PORT"]])
    129. 

  129. 				) {
    130. 

  130. 					return checkStrictness(2);
    131. 

  131. 				} else {
    132. 

  132. 					if (
    133. 

  133. 						strcmp($referrer_host, $hostname) === 0 &&
    134. 

  134. 						in_array($port, ["443", $_SERVER["SERVER_PORT"]])
    135. 

  135. 					) {
    136. 

  136. 						return checkStrictness(1);
    137. 

  137. 					} else {
    138. 

  138. 						return checkStrictness(0);
    139. 

  139. 					}
    140. 

  140. 				}
    141. 

  141. 			} else {
    142. 

  142. 				return checkStrictness(0);
    143. 

  143. 			}
    144. 

  144. 		}
    145. 

  145. 	}
    146. 

  146. }
    147. 

  147. 

  148. if ($check_csrf == true) {
    149. 

  149. 	prevent_post_csrf();
    150. 

  150. 	prevent_get_csrf();
    151. 

  151. }
    152.