Home Explore Help
Sign In
yosoyhendrix
/
hestiacp
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: dfbbd959e2
Branches Tags
hestiacp
/
web
/
inc
/
prevent_csrf.php

prevent_csrf.php 2.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. <?php
    2. 

  2.     $check_csrf = true;
    3. 

  3.     
    4. 

  4.     if ( $_SERVER['SCRIPT_FILENAME'] == '/usr/local/hestia/web/inc/mail-wrapper.php '){ $check_csrf=false; } // execute only from CLI
    5. 

  5.     if ( $_SERVER['SCRIPT_FILENAME'] == '/usr/local/hestia/web/reset/mail/index.php '){ $check_csrf=false; } // Localhost only
    6. 

  6.     if ( $_SERVER['SCRIPT_FILENAME'] == '/usr/local/hestia/web/api/index.php' ){ $check_csrf=false; } // Own check
    7. 

  7.     if (substr($_SERVER['SCRIPT_FILENAME'], 0, 22)=='/usr/local/hestia/bin/' ){ $check_csrf=false; }
    8. 

  8.     
    9. 

  9.     function checkStrictness($level){
    10. 

  10.         if ($level >= $_SESSION['POLICY_CSRF_STRICTNESS']) {
    11. 

  11.             return true;
    12. 

  12.         }else{
    13. 

  13.             echo "<h1>Potential use CSRF detected</h1>\n".
    14. 

  14.             "<p>Please disable any plugins/add-ons inside your browser or contact your system administrator. If you are the system administrator you can run v-change-sys-config-value 'POLICY_CSRF_STRICTNESS' '0' as root to disable this check.<p>".
    15. 

  15.             "<p>If you folowed a bookmark or an static link <a href='/'>please click here</a>";
    16. 

  16.             die();
    17. 

  17.         }
    18. 

  18.     }
    19. 

  19.     function prevent_post_csrf(){
    20. 

  20.         if ($_SERVER['REQUEST_METHOD']=='POST') {
    21. 

  21.             $hostname = explode( ':', $_SERVER['HTTP_HOST']);
    22. 

  22.             $port=$hostname[1];
    23. 

  23.             $hostname=$hostname[0];
    24. 

  24.             if (strpos($_SERVER['HTTP_ORIGIN'],gethostname()) !== false  && in_array($port, array('443',$_SERVER['SERVER_PORT'])) ) { 
    25. 

  25.                 return checkStrictness(2);
    26. 

  26.             }else{
    27. 

  27.                 if (strpos($_SERVER['HTTP_ORIGIN'],$hostname) !== false && in_array($port, array('443',$_SERVER['SERVER_PORT'])) ){ 
    28. 

  28.                     return checkStrictness(1);
    29. 

  29.                 } else {
    30. 

  30.                     return checkStrictness(0);
    31. 

  31.                 }
    32. 

  32.             }
    33. 

  33.         }
    34. 

  34.     }
    35. 

  35.     
    36. 

  36.     function prevent_get_csrf(){
    37. 

  37.         if ($_SERVER['REQUEST_METHOD']=='GET') {
    38. 

  38.             $hostname = explode( ':', $_SERVER['HTTP_HOST']);
    39. 

  39.             $port=$hostname[1];
    40. 

  40.             $hostname=$hostname[0];
    41. 

  41.             //list of possible entries route and these should never be blocked
    42. 

  42.             if (in_array($_SERVER['DOCUMENT_URI'], array('/list/user/index.php', '/login/index.php','/list/web/index.php','/list/dns/index.php','/list/mail/index.php','/list/db/index.php','/list/cron/index.php','/list/backup/index.php','/reset/index.php'))){
    43. 

  43.                 return true;
    44. 

  44.             }
    45. 

  45.             if (strpos($_SERVER['HTTP_REFERER'],gethostname()) !== false  && in_array($port, array('443',$_SERVER['SERVER_PORT'])) ) { 
    46. 

  46.                 return checkStrictness(2);
    47. 

  47.             }else{
    48. 

  48.                 if (strpos($_SERVER['HTTP_REFERER'],$hostname) !== false && in_array($port, array('443',$_SERVER['SERVER_PORT'])) ){ 
    49. 

  49.                     return checkStrictness(1);
    50. 

  50.                 } else {
    51. 

  51.                     return checkStrictness(0);
    52. 

  52.                 }
    53. 

  53.             }
    54. 

  54.         }
    55. 

  55.     }
    56. 

  56.     
    57. 

  57.     if ( $check_csrf == true){
    58. 

  58.         prevent_post_csrf();
    59. 

  59.         prevent_get_csrf();
    60. 

  60.     }
    61.