From bc1e8cb0a2ef634949ae520c6aedab435eaf5b80 Mon Sep 17 00:00:00 2001
From: Thomas Tanghus <thomas@tanghus.net>
Date: Wed, 13 Jun 2012 17:35:42 +0200
Subject: [PATCH] Contacts: implemented CSRF prevention.

---
 apps/contacts/ajax/activation.php          |  1 +
 apps/contacts/ajax/addcontact.php          |  1 +
 apps/contacts/ajax/addproperty.php         | 10 ++++++++++
 apps/contacts/ajax/createaddressbook.php   |  1 +
 apps/contacts/ajax/cropphoto.php           |  2 ++
 apps/contacts/ajax/deletebook.php          |  1 +
 apps/contacts/ajax/deletecard.php          | 11 +++++++++++
 apps/contacts/ajax/deleteproperty.php      |  1 +
 apps/contacts/ajax/savecrop.php            |  1 +
 apps/contacts/ajax/saveproperty.php        | 19 +++++++++++++++----
 apps/contacts/ajax/uploadphoto.php         |  2 ++
 apps/contacts/js/contacts.js               |  4 ++--
 apps/contacts/templates/part.contact.php   |  2 ++
 apps/contacts/templates/part.cropphoto.php |  2 ++
 14 files changed, 52 insertions(+), 6 deletions(-)

diff --git a/apps/contacts/ajax/activation.php b/apps/contacts/ajax/activation.php
index 388a3b5438..74cb738ab8 100644
--- a/apps/contacts/ajax/activation.php
+++ b/apps/contacts/ajax/activation.php
@@ -10,6 +10,7 @@
  
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $bookid = $_POST['bookid'];
 $book = OC_Contacts_App::getAddressbook($bookid);// is owner access check
diff --git a/apps/contacts/ajax/addcontact.php b/apps/contacts/ajax/addcontact.php
index af9b2bbcc0..e45072c954 100644
--- a/apps/contacts/ajax/addcontact.php
+++ b/apps/contacts/ajax/addcontact.php
@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $aid = isset($_POST['aid'])?$_POST['aid']:null;
 if(!$aid) {
diff --git a/apps/contacts/ajax/addproperty.php b/apps/contacts/ajax/addproperty.php
index 94e09bac19..c1fca9abea 100644
--- a/apps/contacts/ajax/addproperty.php
+++ b/apps/contacts/ajax/addproperty.php
@@ -23,6 +23,16 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+foreach($_SERVER as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_POST as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_GET as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+OCP\JSON::callCheck();
 
 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));
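Review bot: The three `foreach` loops added ahead of `OCP\JSON::callCheck()` write every `$_SERVER`, `$_POST` and `$_GET` entry to the log at DEBUG level, which persists the request's cookie header, the CSRF `requesttoken` itself and all submitted contact data in the application log, and because they run before the token check the full payload is recorded even for requests that fail it. They look like leftover debugging and should be dropped before merge, or reduced to key names only, e.g. `OCP\Util::writeLog('contacts', 'ajax/addproperty.php: _POST keys: '.implode(',', array_keys($_POST)), OCP\Util::DEBUG);`. The log prefix also reads `ajax/saveproperty.php:` although this file is addproperty.php. The same dump is added in deletecard.php (after its `callCheck()`) and in saveproperty.php (again before `callCheck()`) in this patch.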
diff --git a/apps/contacts/ajax/createaddressbook.php b/apps/contacts/ajax/createaddressbook.php
index af7c19eef5..616766bb1a 100644
--- a/apps/contacts/ajax/createaddressbook.php
+++ b/apps/contacts/ajax/createaddressbook.php
@@ -11,6 +11,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $userid = OCP\USER::getUser();
 $name = trim(strip_tags($_POST['name']));
diff --git a/apps/contacts/ajax/cropphoto.php b/apps/contacts/ajax/cropphoto.php
index caba7c8c4e..eb9f1fcdb5 100644
--- a/apps/contacts/ajax/cropphoto.php
+++ b/apps/contacts/ajax/cropphoto.php
@@ -25,10 +25,12 @@ OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
 
 $tmpkey = $_GET['tmpkey'];
+$requesttoken = $_GET['requesttoken'];
 $id = $_GET['id'];
 $tmpl = new OCP\Template("contacts", "part.cropphoto");
 $tmpl->assign('tmpkey', $tmpkey);
 $tmpl->assign('id', $id);
+$tmpl->assign('requesttoken', $requesttoken);
 $page = $tmpl->fetchPage();
 
 OCP\JSON::success(array('data' => array( 'page' => $page )));
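Review bot: `$_GET['requesttoken']` is read without an `isset` guard, so a request that omits it raises an undefined-index notice before the template is rendered; `$requesttoken = isset($_GET['requesttoken']) ? $_GET['requesttoken'] : '';` matches the style used in the other handlers. The value assigned to the template here is also never consumed: part.cropphoto.php in this same patch reads `$_GET['csrf_token']` directly instead of `$_['requesttoken']`, so one side needs to change. Round-tripping the token through the query string additionally exposes it to access logs and Referer headers; if the template layer already makes the session token available to templates (not visible here), reading it there avoids passing it via GET at all.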
diff --git a/apps/contacts/ajax/deletebook.php b/apps/contacts/ajax/deletebook.php
index fe582daa00..1b86ecf223 100644
--- a/apps/contacts/ajax/deletebook.php
+++ b/apps/contacts/ajax/deletebook.php
@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 //$id = $_GET['id'];
 $id = $_POST['id'];
diff --git a/apps/contacts/ajax/deletecard.php b/apps/contacts/ajax/deletecard.php
index e6d0405a24..2a6bd277d1 100644
--- a/apps/contacts/ajax/deletecard.php
+++ b/apps/contacts/ajax/deletecard.php
@@ -28,6 +28,17 @@ function bailOut($msg) {
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
+// foreach($_SERVER as $key=>$value) {
+// 	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _SERVER: '.$key.'=>'.$value, OCP\Util::DEBUG);
+// }
+foreach($_POST as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _POST: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
+foreach($_GET as $key=>$value) {
+	OCP\Util::writeLog('contacts','ajax/saveproperty.php: _GET: '.$key.'=>'.print_r($value, true), OCP\Util::DEBUG);
+}
 
 $id = isset($_POST['id'])?$_POST['id']:null;
 if(!$id) {
diff --git a/apps/contacts/ajax/deleteproperty.php b/apps/contacts/ajax/deleteproperty.php
index e6c2bd9f80..55f7e32308 100644
--- a/apps/contacts/ajax/deleteproperty.php
+++ b/apps/contacts/ajax/deleteproperty.php
@@ -23,6 +23,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 $checksum = $_POST['checksum'];
diff --git a/apps/contacts/ajax/savecrop.php b/apps/contacts/ajax/savecrop.php
index b3aab6a881..6faf6a173d 100644
--- a/apps/contacts/ajax/savecrop.php
+++ b/apps/contacts/ajax/savecrop.php
@@ -22,6 +22,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
 
 // Firefox and Konqueror tries to download application/json for me.  --Arthur
 OCP\JSON::setContentTypeHeader('text/plain');
diff --git a/apps/contacts/ajax/saveproperty.php b/apps/contacts/ajax/saveproperty.php
index d840073471..c779c49611 100644
--- a/apps/contacts/ajax/saveproperty.php
+++ b/apps/contacts/ajax/saveproperty.php
@@ -20,10 +20,6 @@
  *
  */
 
-// Check if we are a user
-OCP\JSON::checkLoggedIn();
-OCP\JSON::checkAppEnabled('contacts');
-
 function bailOut($msg) {
 	OCP\JSON::error(array('data' => array('message' => $msg)));
 	OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
@@ -33,6 +29,21 @@ function debug($msg) {
 	OCP\Util::writeLog('contacts','ajax/saveproperty.php: '.$msg, OCP\Util::DEBUG);
 }
 
+// Check if we are a user
+OCP\JSON::checkLoggedIn();
+OCP\JSON::checkAppEnabled('contacts');
+
+foreach($_SERVER as $key=>$value) {
+	debug('_SERVER: '.$key.'=>'.print_r($value, true));
+}
+foreach($_POST as $key=>$value) {
+	debug('_POST: '.$key.'=>'.print_r($value, true));
+}
+foreach($_GET as $key=>$value) {
+	debug('_GET: '.$key.'=>'.print_r($value, true));
+}
+OCP\JSON::callCheck();
+
 $id = isset($_POST['id'])?$_POST['id']:null;
 $name = isset($_POST['name'])?$_POST['name']:null;
 $value = isset($_POST['value'])?$_POST['value']:null;
diff --git a/apps/contacts/ajax/uploadphoto.php b/apps/contacts/ajax/uploadphoto.php
index 32abc6c285..889de6a1f8 100644
--- a/apps/contacts/ajax/uploadphoto.php
+++ b/apps/contacts/ajax/uploadphoto.php
@@ -23,6 +23,8 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('contacts');
+OCP\JSON::callCheck();
+
 // Firefox and Konqueror tries to download application/json for me.  --Arthur
 OCP\JSON::setContentTypeHeader('text/plain');
 function bailOut($msg) {
diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js
index 6b83504c9c..45509a7f9d 100644
--- a/apps/contacts/js/contacts.js
+++ b/apps/contacts/js/contacts.js
@@ -622,7 +622,7 @@ Contacts={
 				q = q + '&id=' + this.id + '&name=' + name;
 				if(checksum != undefined && checksum != '') { // save
 					q = q + '&checksum=' + checksum;
-					//console.log('Saving: ' + q);
+					console.log('Saving: ' + q);
 					$(obj).attr('disabled', 'disabled');
 					$.post(OC.filePath('contacts', 'ajax', 'saveproperty.php'),q,function(jsondata){
 						if(jsondata.status == 'success'){
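Review bot: Re-enabling `console.log('Saving: ' + q)` here (and `console.log('Adding: ' + q)` in the next hunk) prints the full POST payload, including the checksum and anything the form serialisation adds to `q` (presumably the request token this patch introduces), to the browser console on every save. These read as leftover debugging and should remain commented out, `//console.log('Saving: ' + q);`. The enclosing function starts before this hunk.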
@@ -640,7 +640,7 @@ Contacts={
 						}
 					},'json');
 				} else { // add
-					//console.log('Adding: ' + q);
+					console.log('Adding: ' + q);
 					$(obj).attr('disabled', 'disabled');
 					$.post(OC.filePath('contacts', 'ajax', 'addproperty.php'),q,function(jsondata){
 						if(jsondata.status == 'success'){
diff --git a/apps/contacts/templates/part.contact.php b/apps/contacts/templates/part.contact.php
index c1ba1ccdc2..ca682baaf8 100644
--- a/apps/contacts/templates/part.contact.php
+++ b/apps/contacts/templates/part.contact.php
@@ -3,6 +3,7 @@ $id = isset($_['id']) ? $_['id'] : '';
 ?>
 <div id="card">
 	<form class="float" id="file_upload_form" action="<?php echo OCP\Util::linkTo('contacts', 'ajax/uploadphoto.php'); ?>" method="post" enctype="multipart/form-data" target="file_upload_target">
+		<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
 		<input type="hidden" name="id" value="<?php echo $_['id'] ?>">
 		<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $_['uploadMaxFilesize'] ?>" id="max_upload">
 		<input type="hidden" class="max_human_file_size" value="(max <?php echo $_['uploadMaxHumanFilesize']; ?>)">
@@ -23,6 +24,7 @@ $id = isset($_['id']) ? $_['id'] : '';
 	<div id="contact_identity" class="contactsection">
 	<form method="post">
 	<input type="hidden" name="id" value="<?php echo $_['id'] ?>">
+	<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
 	<fieldset id="ident" class="contactpart">
 	<span class="propertycontainer" data-element="N"><input type="hidden" id="n" class="contacts_property" name="value" value="" /></span>
 	<span id="name" class="propertycontainer" data-element="FN">
diff --git a/apps/contacts/templates/part.cropphoto.php b/apps/contacts/templates/part.cropphoto.php
index d7f0efc57d..1e025ef4e0 100644
--- a/apps/contacts/templates/part.cropphoto.php
+++ b/apps/contacts/templates/part.cropphoto.php
@@ -1,6 +1,7 @@
 <?php 
 $id = $_['id'];
 $tmpkey = $_['tmpkey'];
+$csrf_token = $_GET['csrf_token'];
 OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey, OCP\Util::DEBUG);
 ?>
 <script language="Javascript">
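Review bot: `$csrf_token = $_GET['csrf_token'];` reads a request parameter inside the template and, in the next hunk, echoes it unescaped into a hidden input attribute; cropphoto.php already assigns the token as `$_['requesttoken']`, so the template should read that and escape on output: `$csrf_token = $_['requesttoken'];` and `value="<?php echo htmlspecialchars($csrf_token, ENT_QUOTES, 'UTF-8'); ?>"`. As written the hidden field is populated from a `csrf_token` parameter that nothing in this patch sends, so unless the JavaScript supplies it the field is empty and the `callCheck()` added to savecrop.php will reject every crop. Using `$_['requesttoken']` also matches how part.contact.php obtains the token in this patch.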
@@ -48,6 +49,7 @@ OCP\Util::writeLog('contacts','templates/part.cropphoto.php: tmpkey: '.$tmpkey,
 	action="<?php echo OCP\Util::linkToAbsolute('contacts', 'ajax/savecrop.php'); ?>">
 
 	<input type="hidden" id="id" name="id" value="<?php echo $id; ?>" />
+	<input type="hidden" name="requesttoken" value="<?php echo $csrf_token; ?>">
 	<input type="hidden" id="tmpkey" name="tmpkey" value="<?php echo $tmpkey; ?>" />
 	<fieldset id="coords">
 	<input type="hidden" id="x1" name="x1" value="" />
-- 
GitLab