From 8484ce22584b8714622833adcc7ebfe3ef9cf90e Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Mon, 26 Dec 2011 12:02:52 +0400
Subject: experimental CSRF protection

---
 classes/article.php        | 6 ++++++
 classes/feeds.php          | 6 ++++++
 classes/handler.php        | 4 ++++
 classes/pref_feeds.php     | 7 +++++++
 classes/pref_filters.php   | 6 ++++++
 classes/pref_instances.php | 6 ++++++
 classes/pref_labels.php    | 6 ++++++
 classes/pref_prefs.php     | 6 ++++++
 classes/pref_users.php     | 7 ++++++-
 classes/rpc.php            | 6 ++++++
 10 files changed, 59 insertions(+), 1 deletion(-)

(limited to 'classes')

diff --git a/classes/article.php b/classes/article.php
index 90ca129b9..30f0c7d10 100644
--- a/classes/article.php
+++ b/classes/article.php
@@ -1,6 +1,12 @@
 <?php
 class Article extends Protected_Handler {
 
+	function csrf_ignore($method) {
+		$csrf_ignored = array("redirect");
+
+		return array_search($method, $csrf_ignored) !== false;
+	}
+
 	function redirect() {
 		$id = db_escape_string($_REQUEST['id']);
 
diff --git a/classes/feeds.php b/classes/feeds.php
index 3626e9fbc..6b498ac00 100644
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -1,6 +1,12 @@
 <?php
 class Feeds extends Protected_Handler {
 
+	function csrf_ignore($method) {
+		$csrf_ignored = array("index");
+
+		return array_search($method, $csrf_ignored) !== false;
+	}
+
 	private function feedlist_init_cat($cat_id, $hidden = false) {
 		$obj = array();
 		$cat_id = (int) $cat_id;
diff --git a/classes/handler.php b/classes/handler.php
index 53b52ea03..404b8306b 100644
--- a/classes/handler.php
+++ b/classes/handler.php
@@ -8,6 +8,10 @@ class Handler {
 		$this->args = $args;
 	}
 
+	function csrf_ignore($method) {
+		return true;
+	}
+
 	function before() {
 		return true;
 	}
diff --git a/classes/pref_feeds.php b/classes/pref_feeds.php
index 5df5eb939..b83abd789 100644
--- a/classes/pref_feeds.php
+++ b/classes/pref_feeds.php
@@ -1,5 +1,12 @@
 <?php
 class Pref_Feeds extends Protected_Handler {
+
+	function csrf_ignore($method) {
+		$csrf_ignored = array("index", "getfeedtree", "add", "editcats", "editfeed");
+
+		return array_search($method, $csrf_ignored) !== false;
+	}
+
 	function batch_edit_cbox($elem, $label = false) {
 		print "<input type=\"checkbox\" title=\"".__("Check to enable field")."\"
 			onchange=\"dijit.byId('feedEditDlg').toggleField(this, '$elem', '$label')\">";
diff --git a/classes/pref_filters.php b/classes/pref_filters.php
index d953a8d1d..4ab12410f 100644
--- a/classes/pref_filters.php
+++ b/classes/pref_filters.php
@@ -1,6 +1,12 @@
 <?php
 class Pref_Filters extends Protected_Handler {
 
+	function csrf_ignore($method) {
+		$csrf_ignored = array("index", "getfiltertree", "edit");
+
+		return array_search($method, $csrf_ignored) !== false;
+	}
+
 	function filter_test($filter_type, $reg_exp,
 			$action_id, $action_param, $filter_param, $inverse, $feed_id) {
 
diff --git a/classes/pref_instances.php b/classes/pref_instances.php
index 893d2b6bf..aae5bbafb 100644
--- a/classes/pref_instances.php
+++ b/classes/pref_instances.php
@@ -1,6 +1,12 @@
 <?php
 class Pref_Instances extends Protected_Handler {
 
+	function csrf_ignore($method) {
+		$csrf_ignored = array("index", "edit");
+
+		return array_search($method, $csrf_ignored) !== false;
+	}
+
 	function before() {
 		if (parent::before()) {
 			if ($_SESSION["access_level"] < 10) {
diff --git a/classes/pref_labels.php b/classes/pref_labels.php
index 0d60731f3..951ae45ed 100644
--- a/classes/pref_labels.php
+++ b/classes/pref_labels.php
@@ -1,6 +1,12 @@
 <?php
 class Pref_Labels extends Protected_Handler {
 
+	function csrf_ignore($method) {
+		$csrf_ignored = array("index", "getlabeltree", "edit");
+
+		return array_search($method, $csrf_ignored) !== false;
+	}
+
 	function edit() {
 		$label_id = db_escape_string($_REQUEST['id']);
 
diff --git a/classes/pref_prefs.php b/classes/pref_prefs.php
index 5a216d2b1..03e39caa5 100644
--- a/classes/pref_prefs.php
+++ b/classes/pref_prefs.php
@@ -1,6 +1,12 @@
 <?php
 class Pref_Prefs extends Protected_Handler {
 
+	function csrf_ignore($method) {
+		$csrf_ignored = array("index");
+
+		return array_search($method, $csrf_ignored) !== false;
+	}
+
 	function changepassword() {
 
 		$old_pw = $_POST["old_password"];
diff --git a/classes/pref_users.php b/classes/pref_users.php
index b9d162fd2..fe32ce14c 100644
--- a/classes/pref_users.php
+++ b/classes/pref_users.php
@@ -1,6 +1,5 @@
 <?php
 class Pref_Users extends Protected_Handler {
-
 		function before() {
 			if (parent::before()) {
 				if ($_SESSION["access_level"] < 10) {
@@ -12,6 +11,12 @@ class Pref_Users extends Protected_Handler {
 			return false;
 		}
 
+		function csrf_ignore($method) {
+			$csrf_ignored = array("index");
+
+			return array_search($method, $csrf_ignored) !== false;
+		}
+
 		function userdetails() {
 
 			header("Content-Type: text/xml");
diff --git a/classes/rpc.php b/classes/rpc.php
index 8145b0407..4cdaef935 100644
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -1,6 +1,12 @@
 <?php
 class RPC extends Protected_Handler {
 
+	function csrf_ignore($method) {
+		$csrf_ignored = array("sanitycheck", "buttonplugin");
+
+		return array_search($method, $csrf_ignored) !== false;
+	}
+
 	function setprofile() {
 		$id = db_escape_string($_REQUEST["id"]);
 
-- 
cgit v1.2.3