Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix logins from WHMCS by disabling CSRF token on login page for trusted 

origins
This commit is contained in:
Albert Santoni 2014-11-20 19:33:11 -05:00
parent ca7d0688e7
commit a62e98beb4
2 changed files with 31 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
airtime_mvc/application/common/CORSHelper.php
View File

@ -11,17 +11,19 @@ class CORSHelper
$response = $response->setHeader('Access-Control-Allow-Origin', '*'); $response = $response->setHeader('Access-Control-Allow-Origin', '*');
$origin = $request->getHeader('Origin'); $origin = $request->getHeader('Origin');
if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") && if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
(!in_array($origin, (!in_array($origin, self::getAllowedOrigins())))
array("http://www.airtime.pro",
"https://www.airtime.pro",
"https://account.sourcefabric.com",
"http://" . $_SERVER['SERVER_NAME'],
"https://" . $_SERVER['SERVER_NAME']
))
))
{ {
//Don't allow CORS from other domains to prevent XSS. //Don't allow CORS from other domains to prevent XSS.
throw new Zend_Controller_Action_Exception('Forbidden', 403); throw new Zend_Controller_Action_Exception('Forbidden', 403);
} }
} }
public static function getAllowedOrigins()
{
return array("http://www.airtime.pro",
"https://www.airtime.pro",
"https://account.sourcefabric.com",
"http://" . $_SERVER['SERVER_NAME'],
"https://" . $_SERVER['SERVER_NAME']);
}
} }

24
airtime_mvc/application/forms/Login.php
View File

@ -1,5 +1,7 @@
<?php <?php
include('../library/phing/util/StringHelper.php');
class Application_Form_Login extends Zend_Form class Application_Form_Login extends Zend_Form
{ {
@ -10,9 +12,25 @@ class Application_Form_Login extends Zend_Form
// Set the method for the display form to POST // Set the method for the display form to POST
$this->setMethod('post'); $this->setMethod('post');
$this->addElement('hash', 'csrf', array( //If the request comes from an origin we consider safe, we disable the CSRF
'salt' => 'unique' //token checking ONLY for the login page. We do this to allow logins from WHMCS to work.
)); $request = Zend_Controller_Front::getInstance()->getRequest();
if ($request) {
$refererUrl = $request->getHeader('referer');
$originIsSafe = false;
foreach (CORSHelper::getAllowedOrigins() as $safeOrigin) {
if (StringHelper::startsWith($safeOrigin, $refererUrl)) {
$originIsSafe = true;
break;
}
}
}
if (!$originIsSafe) {
$this->addElement('hash', 'csrf', array(
'salt' => 'unique'
));
}
$this->setDecorators(array( $this->setDecorators(array(
array('ViewScript', array('viewScript' => 'form/login.phtml')) array('ViewScript', array('viewScript' => 'form/login.phtml'))