Главная Обзор Помощь
Вход
yosoyhendrix
/
hestiacp
зеркало из https://github.com/hestiacp/hestiacp
1
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: f48bed1ec4
Ветки Метки
hestiacp
/
web
/
inc
/
prevent_csrf.php

prevent_csrf.php 3.4 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129 
  1. <?php
    2. 

  2. 

  3. $check_csrf = true;
    4. 

  4. 

  5. if (
    6. 

  6. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/inc/mail-wrapper.php" ||
    7. 

  7. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia//web/inc/mail-wrapper.php"
    8. 

  8. ) {
    9. 

  9. 	$check_csrf = false;
    10. 

  10. } // execute only from CLI
    11. 

  11. if (
    12. 

  12. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/reset/mail/index.php" ||
    13. 

  13. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web//reset/mail/index.php"
    14. 

  14. ) {
    15. 

  15. 	$check_csrf = false;
    16. 

  16. } // Localhost only
    17. 

  17. if (
    18. 

  18. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/api/index.php" ||
    19. 

  19. 	$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web//api/index.php"
    20. 

  20. ) {
    21. 

  21. 	$check_csrf = false;
    22. 

  22. } // Own check
    23. 

  23. if (substr($_SERVER["SCRIPT_FILENAME"], 0, 22) == "/usr/local/hestia/bin/") {
    24. 

  24. 	$check_csrf = false;
    25. 

  25. }
    26. 

  26. 

  27. function checkStrictness($level) {
    28. 

  28. 	if ($level >= $_SESSION["POLICY_CSRF_STRICTNESS"]) {
    29. 

  29. 		return true;
    30. 

  30. 	} else {
    31. 

  31. 		http_response_code(400);
    32. 

  32. 		echo "<h1>Potential use CSRF detected</h1>\n" .
    33. 

  33. 			"<p>Please disable any plugins/add-ons inside your browser or contact your system administrator. If you are the system administrator you can run v-change-sys-config-value 'POLICY_CSRF_STRICTNESS' '0' as root to disable this check.<p>" .
    34. 

  34. 			"<p>If you followed a bookmark or an static link <a href='/'>please click here</a>";
    35. 

  35. 		die();
    36. 

  36. 	}
    37. 

  37. }
    38. 

  38. 

  39. function prevent_post_csrf() {
    40. 

  40. 	if (!empty($_SERVER["REQUEST_METHOD"])) {
    41. 

  41. 		if ($_SERVER["REQUEST_METHOD"] === "POST") {
    42. 

  42. 			if (!empty($_SERVER["HTTP_HOST"])) {
    43. 

  43. 				[$hostname, $port] = explode(":", $_SERVER["HTTP_HOST"] . ":");
    44. 

  44. 				if (empty($port)) {
    45. 

  45. 					$port = 443;
    46. 

  46. 				}
    47. 

  47. 			} else {
    48. 

  48. 				$hostname = gethostname();
    49. 

  49. 				$port = 443;
    50. 

  50. 			}
    51. 

  51. 			if (isset($_SERVER["HTTP_ORIGIN"])) {
    52. 

  52. 				$origin_host = parse_url($_SERVER["HTTP_ORIGIN"], PHP_URL_HOST);
    53. 

  53. 				if (
    54. 

  54. 					strcmp($origin_host, gethostname()) === 0 &&
    55. 

  55. 					in_array($port, ["443", $_SERVER["SERVER_PORT"]])
    56. 

  56. 				) {
    57. 

  57. 					return checkStrictness(2);
    58. 

  58. 				} else {
    59. 

  59. 					if (
    60. 

  60. 						strcmp($origin_host, $hostname) === 0 &&
    61. 

  61. 						in_array($port, ["443", $_SERVER["SERVER_PORT"]])
    62. 

  62. 					) {
    63. 

  63. 						return checkStrictness(1);
    64. 

  64. 					} else {
    65. 

  65. 						return checkStrictness(0);
    66. 

  66. 					}
    67. 

  67. 				}
    68. 

  68. 			}
    69. 

  69. 		}
    70. 

  70. 	}
    71. 

  71. }
    72. 

  72. 

  73. function prevent_get_csrf() {
    74. 

  74. 	if (!empty($_SERVER["REQUEST_METHOD"])) {
    75. 

  75. 		if ($_SERVER["REQUEST_METHOD"] === "GET") {
    76. 

  76. 			if (!empty($_SERVER["HTTP_HOST"])) {
    77. 

  77. 				[$hostname, $port] = explode(":", $_SERVER["HTTP_HOST"] . ":");
    78. 

  78. 				if (empty($port)) {
    79. 

  79. 					$port = 443;
    80. 

  80. 				}
    81. 

  81. 			} else {
    82. 

  82. 				$hostname = gethostname();
    83. 

  83. 				$port = 443;
    84. 

  84. 			}
    85. 

  85. 

  86. 			//list of possible entries route and these should never be blocked
    87. 

  87. 			if (
    88. 

  88. 				in_array($_SERVER["DOCUMENT_URI"], [
    89. 

  89. 					"/list/user/index.php",
    90. 

  90. 					"/login/index.php",
    91. 

  91. 					"/list/web/index.php",
    92. 

  92. 					"/list/dns/index.php",
    93. 

  93. 					"/list/mail/index.php",
    94. 

  94. 					"/list/db/index.php",
    95. 

  95. 					"/list/cron/index.php",
    96. 

  96. 					"/list/backup/index.php",
    97. 

  97. 					"/reset/index.php",
    98. 

  98. 				])
    99. 

  99. 			) {
    100. 

  100. 				return true;
    101. 

  101. 			}
    102. 

  102. 			if (isset($_SERVER["HTTP_REFERER"])) {
    103. 

  103. 				$referrer_host = parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST);
    104. 

  104. 				if (
    105. 

  105. 					strcmp($referrer_host, gethostname()) === 0 &&
    106. 

  106. 					in_array($port, ["443", $_SERVER["SERVER_PORT"]])
    107. 

  107. 				) {
    108. 

  108. 					return checkStrictness(2);
    109. 

  109. 				} else {
    110. 

  110. 					if (
    111. 

  111. 						strcmp($referrer_host, $hostname) === 0 &&
    112. 

  112. 						in_array($port, ["443", $_SERVER["SERVER_PORT"]])
    113. 

  113. 					) {
    114. 

  114. 						return checkStrictness(1);
    115. 

  115. 					} else {
    116. 

  116. 						return checkStrictness(0);
    117. 

  117. 					}
    118. 

  118. 				}
    119. 

  119. 			} else {
    120. 

  120. 				return checkStrictness(0);
    121. 

  121. 			}
    122. 

  122. 		}
    123. 

  123. 	}
    124. 

  124. }
    125. 

  125. 

  126. if ($check_csrf == true) {
    127. 

  127. 	prevent_post_csrf();
    128. 

  128. 	prevent_get_csrf();
    129. 

  129. }
    130.