From 8827fc527a97ffe15a84a23874cd7d7707f3bb92 Mon Sep 17 00:00:00 2001
From: Vincent Zanotti
Date: Mon, 30 Jun 2008 02:29:30 +0200
Subject: [PATCH] Adds XSRF protection to the Profile module.

Signed-off-by: Vincent Zanotti
---
 classes/plwizard.php | 2 ++
 modules/profile.php | 17 ++++++++++++++++-
 templates/profile/admin_trombino.tpl | 3 ++-
 templates/profile/base.tpl | 1 +
 templates/profile/nomusage.tpl | 1 +
 templates/profile/orange.tpl | 1 +
 templates/profile/trombino.tpl | 1 +
 7 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/classes/plwizard.php b/classes/plwizard.php
index 3667268..fecf881 100644
--- a/classes/plwizard.php
+++ b/classes/plwizard.php
@@ -151,6 +151,8 @@ class PlWizard
 // Process the previous page
 if (Post::has('valid_page')) {
+ S::assert_xsrf_token();
+
 $page = $this->getPage(Post::i('valid_page'));
 $curpage = Post::i('valid_page');
 $next = $page->process();
diff --git a/modules/profile.php b/modules/profile.php
index cbe11bb..f663dc1 100644
--- a/modules/profile.php
+++ b/modules/profile.php
@@ -133,6 +133,8 @@ class ProfileModule extends PLModule
 .'/'.S::v('forlife').'.jpg';
 if (Env::has('upload')) {
+ S::assert_xsrf_token();
+
 $upload = new PlUpload(S::v('forlife'), 'photo');
 if (!$upload->upload($_FILES['userfile']) && !$upload->download(Env::v('photo'))) {
 $page->trigError('Une erreur est survenue lors du téléchargement du fichier');
@@ -143,6 +145,8 @@ class ProfileModule extends PLModule
 }
 }
 } elseif (Env::has('trombi')) {
+ S::assert_xsrf_token();
+
 $upload = new PlUpload(S::v('forlife'), 'photo');
 if ($upload->copyFrom($trombi_x)) {
 $myphoto = new PhotoReq(S::v('uid'), $upload);
@@ -152,6 +156,8 @@ class ProfileModule extends PLModule
 }
 }
 } elseif (Env::v('suppr')) {
+ S::assert_xsrf_token();
+
 XDB::execute('DELETE FROM photo WHERE uid = {?}', S::v('uid'));
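Review bot: `S::assert_xsrf_token()` now guards every `valid_page` submission handled by PlWizard, yet the diffstat lists only profile templates, so the form the wizard pages render must already emit `{xsrf_token_field}` — otherwise every wizard step is rejected rather than protected. That is worth confirming against the wizard's own template, which this patch does not touch, and recording next to the call as `// wizard forms must include {xsrf_token_field}`. The enclosing method of PlWizard starts and ends outside the hunk.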
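Review bot: The identical `S::assert_xsrf_token();` is repeated as the first statement of four sibling branches of one if/elseif chain — here and in the hunks at -143 (`trombi`), -152 (`suppr`) and -160 (`cancel`) — and each visible branch mutates state (uploads a photo, deletes from `photo`, deletes from `requests`). A single call before the chain would make it impossible for a later branch to forget the check; the chain starts and ends outside these hunks, so if it also contains a branch that only renders the page, the per-branch placement is the right one and a short comment above the chain, `// every mutating branch below must call S::assert_xsrf_token() first`, would document the rule instead. The `suppr` and `cancel` branches are triggered through `Env::v`, which presumably accepted plain GET links before this patch; with the token check in place they remain usable only from forms that include `{xsrf_token_field}`, so any template that still links to them should be checked too.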
@@ -160,6 +166,8 @@ class ProfileModule extends PLModule
 S::v('uid'));
 update_NbValid();
 } elseif (Env::v('cancel')) {
+ S::assert_xsrf_token();
+
 $sql = XDB::query('DELETE FROM requests WHERE user_id={?} AND type="photo"', S::v('uid'));
@@ -460,6 +468,8 @@ class ProfileModule extends PLModule
 if (!Env::has('promo_sortie')) {
 return;
+ } else {
+ S::assert_xsrf_token();
 }
 $promo_sortie = Env::i('promo_sortie');
@@ -663,6 +673,8 @@ class ProfileModule extends PLModule
 $page->assign('usage_req', $nom_usage);
 if (Env::has('submit') && ($nom_usage != $usage_old)) {
+ S::assert_xsrf_token();
+
 // on vient de recevoir une requete, differente de l'ancien nom d'usage
 if ($nom_usage == $nom) {
 $page->assign('same', true);
@@ -723,7 +735,6 @@ class ProfileModule extends PLModule
 list($forlife, $promo) = $q->fetchOneRow();
 switch ($action) {
-
 case "original":
 header("Content-type: image/jpeg");
 readfile("/home/web/trombino/photos".$promo."/".$forlife.".jpg");
@@ -731,6 +742,8 @@ class ProfileModule extends PLModule
 break;
 case "new":
+ S::assert_xsrf_token();
+
 $data = file_get_contents($_FILES['userfile']['tmp_name']);
 list($x, $y) = getimagesize($_FILES['userfile']['tmp_name']);
 $mimetype = substr($_FILES['userfile']['type'], 6);
@@ -741,6 +754,8 @@ class ProfileModule extends PLModule
 break;
 case "delete":
+ S::assert_xsrf_token();
+
 XDB::execute('DELETE FROM photo WHERE uid = {?}', $uid);
 break;
 }
diff --git a/templates/profile/admin_trombino.tpl b/templates/profile/admin_trombino.tpl
index c3c29c8..15180f4 100644
--- a/templates/profile/admin_trombino.tpl
+++ b/templates/profile/admin_trombino.tpl
@@ -33,7 +33,7 @@ Photo actuelle de {$forlife}
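Review bot: In the `promo_sortie` hunk the token check sits in an `else` attached to an early `return`, which reads less directly than the other hunks, where the call is simply the first statement of the guarded block. Drop the `else` and place the call after the guard: `if (!Env::has('promo_sortie')) { return; }` followed by `S::assert_xsrf_token();`. The enclosing function starts and ends outside the hunk.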

-Supprimer cette photo +Supprimer cette photo
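Review bot: The changed `Supprimer cette photo` line (its markup is lost in this rendering) looks like a link rather than a form control, so the token it now carries presumably travels in the URL, where it ends up in browser history, server logs and Referer headers. Since the target is presumably one of the photo-deletion paths in modules/profile.php, a minimal POST form with `{xsrf_token_field}`, as the other template hunks use, would keep the token out of URLs. Disregard if the line is already a submit button inside the form that the following hunk adds the field to.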

@@ -41,6 +41,7 @@ Photo actuelle de {$forlife}

+ {xsrf_token_field}
diff --git a/templates/profile/base.tpl b/templates/profile/base.tpl
index dba4c05..bfd56f1 100644
--- a/templates/profile/base.tpl
+++ b/templates/profile/base.tpl
@@ -21,6 +21,7 @@ {**************************************************************************}
+ {xsrf_token_field}
{icon name=information title="Voir ma fiche"} Tu peux consulter ta fiche telle que la voient n'importe quel internaute,
diff --git a/templates/profile/nomusage.tpl b/templates/profile/nomusage.tpl
index 9b813df..58f4f8f 100644
--- a/templates/profile/nomusage.tpl
+++ b/templates/profile/nomusage.tpl
@@ -92,6 +92,7 @@ utiliser une adresse personnalisée, il faut se tourner vers return false; "> {/literal}
+ {xsrf_token_field}
diff --git a/templates/profile/orange.tpl b/templates/profile/orange.tpl
index fac9b52..b057cc0 100644
--- a/templates/profile/orange.tpl
+++ b/templates/profile/orange.tpl
@@ -41,6 +41,7 @@
+ {xsrf_token_field}
Nom d'usage
diff --git a/templates/profile/trombino.tpl b/templates/profile/trombino.tpl
index 3b23f6b..877b2fc 100644
--- a/templates/profile/trombino.tpl
+++ b/templates/profile/trombino.tpl
@@ -24,6 +24,7 @@

Trombinoscope

+ {xsrf_token_field}
 {if ($session.promo ge 1995) || ($session.promo le 2002)}

Si tu n'as pas encore fourni de photo, c'est celle du trombinoscope de l'X qui est
-- 
2.1.4

Année de sortie