Added: CSRF token for Simbio Form Maker class

Added: CSRF token check for bibliography form and bibliographiy list
slims · Jun 29, 2017 · 2bc5e5e · 2bc5e5e
1 parent 17de4af
commit 2bc5e5e
Show file tree

Hide file tree

Showing 7 changed files with 102 additions and 18 deletions.
diff --git a/admin/modules/bibliography/index.php b/admin/modules/bibliography/index.php
@@ -90,6 +90,11 @@ function getimagesizefromstring($string_data)
 }
 /* RECORD OPERATION */
 if (isset($_POST['saveData']) AND $can_read AND $can_write) {
+  if (!simbio_form_maker::isTokenValid()) {
+    utility::jsAlert(__('Invalid form submission token!'));
+    utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'system', 'Invalid form submission token, might be a CSRF attack from '.$_SERVER['REMOTE_ADDR']);
+    exit();
+  }
   $title = trim(strip_tags($_POST['title']));
   // check form validity
   if (empty($title)) {
@@ -368,7 +373,7 @@ function getimagesizefromstring($string_data)
       }
 
       $end = $start + $total;
-      for ($b=$start; $b < $end; $b++) { 
+      for ($b=$start; $b < $end; $b++) {
         $len = strlen($b);
         $itemcode = $chars[0];
         if ($zeros > 0) {
@@ -390,6 +395,11 @@ function getimagesizefromstring($string_data)
   if (!($can_read AND $can_write)) {
     die();
   }
+  if (!simbio_form_maker::isTokenValid()) {
+    utility::jsAlert(__('Invalid form submission token!'));
+    utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'system', 'Invalid form submission token, might be a CSRF attack from '.$_SERVER['REMOTE_ADDR']);
+    exit();
+  }
   /* DATA DELETION PROCESS */
   // create sql op object
   $sql_op = new simbio_dbop($dbs);
@@ -429,7 +439,7 @@ function getimagesizefromstring($string_data)
         $sql_op->delete('biblio_attachment', "biblio_id=$itemID");
         $sql_op->delete('biblio_relation', "biblio_id=$itemID");
         $sql_op->delete('search_biblio', "biblio_id=$itemID");
-	      
+
         // delete serial data
         // check kardex if exist
         $_sql_serial_kardex_q = sprintf('SELECT b.title, COUNT(kardex_id),s.serial_id FROM biblio AS b
@@ -444,7 +454,7 @@ function getimagesizefromstring($string_data)
         }
         //delete serial data
           $sql_op->delete('serial', "biblio_id=$itemID");
-	      
+
         // add to http query for UCS delete
         $http_query .= "itemID[]=$itemID&";
       }

diff --git a/simbio2/simbio_DB/datagrid/simbio_dbgrid.inc.php b/simbio2/simbio_DB/datagrid/simbio_dbgrid.inc.php
@@ -363,7 +363,15 @@ protected function makeOutput($int_num2show = 30)
         }
         // if editable
         if ($this->editable) {
-            $_buffer .= '<form action="'.$this->chbox_form_URL.'" name="'.$this->table_name.'" id="'.$this->table_name.'" target="'.$_target.'" method="post" style="display: inline;">'."\n";
+            if (class_exists('simbio_form_maker')) {
+              $form_maker = new simbio_form_maker($this->table_name, $this->chbox_form_URL, $str_form_method = 'post', false);
+              $form_maker->submit_target = $_target;
+              $form_maker->add_form_attributes= 'style="display: inline;"';
+              $_buffer .= $form_maker->startForm();
+            } else {
+              $_buffer .= '<form action="'.$this->chbox_form_URL.'" name="'.$this->table_name.'" id="'.$this->table_name.'" target="'.$_target.'" method="post" style="display: inline;">'."\n";
+            }
+
 
             $_check_all = __('Check All');
             $_uncheck_all = __('Uncheck All');

diff --git a/simbio2/simbio_GUI/form_maker/simbio_form_maker.inc.php b/simbio2/simbio_GUI/form_maker/simbio_form_maker.inc.php
@@ -3,7 +3,7 @@
  * simbio_form_maker
  * Class for creating form with element based on simbio form elements
  *
- * Copyright (C) 2007,2008  Arie Nugraha (dicarve@yahoo.com)
+ * Copyright (C) 2017  Arie Nugraha (dicarve@gmail.com)
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -24,7 +24,7 @@
 // be sure that this file not accessed directly
 if (!defined('INDEX_AUTH')) {
   die("can not access this file directly");
-} elseif (INDEX_AUTH != 1) { 
+} elseif (INDEX_AUTH != 1) {
   die("can not access this file directly");
 }
 
@@ -47,13 +47,18 @@ public function out()
 class simbio_form_maker
 {
   public $submit_target = '_self';
+  public $add_form_attributes = '';
+  public $css_classes = 'simbio_form_maker';
   protected $elements = array();
   protected $hidden_elements = array();
   protected $form_name = '';
   protected $form_method = '';
   protected $form_action = '';
   protected $disable = '';
   protected $enable_upload = true;
+  protected $enable_token = true;
+  protected $submit_token = null;
+  protected $submit_token_name = null;
 
   /**
    * Class Constructor
@@ -71,16 +76,81 @@ public function __construct($str_form_name = 'mainForm', $str_form_action = '',
     $this->enable_upload = $bool_enable_upload;
   }
 
+  /**
+   * Static method to create random form submission token
+   *
+   * @param   int       $length
+   * @return  string
+   */
+  public static function genRandomToken($length = 32){
+    if(!isset($length) || intval($length) <= 8 ) {
+      $length = 32;
+    }
+    if (function_exists('random_bytes')) {
+      return bin2hex(random_bytes($length));
+    }
+    if (function_exists('mcrypt_create_iv')) {
+      return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM));
+    }
+    if (function_exists('openssl_random_pseudo_bytes')) {
+      return bin2hex(openssl_random_pseudo_bytes($length));
+    }
+  }
+
+
+  /**
+   * Static method check validaty of form submission token
+   *
+   * @return  boolean
+   */
+  public static function isTokenValid(){
+    if (isset($_SESSION['csrf_token']) && isset($_SESSION['csrf_token']) && isset($_POST['csrf_token'])) {
+      if ($_SESSION['csrf_token'] === $_POST['csrf_token']) {
+        // remove token session var
+        unset($_SESSION['csrf_token']);
+        return true;
+      } else {
+        // remove token session var
+        unset($_SESSION['csrf_token']);
+        return false;
+      }
+    }
+    return false;
+  }
+
+
+  /**
+   * Method to disable form submission token
+   * this method MUST BE called before startForm method call
+   *
+   * @return  void
+   */
+  public function disableSubmitToken()
+  {
+    $this->enable_token = false;
+  }
+
   /**
    * Method to start form
    *
    * @return  string
    */
   public function startForm()
   {
-    return '<form name="'.$this->form_name.'" id="'.$this->form_name.'" '.($this->disable?'class="disabled"':'')
+    if ($this->disable) {
+      $this->css_classes .= ' disabled';
+    }
+    $start_form = '<form name="'.$this->form_name.'" id="'.$this->form_name.'" class="'.$this->css_classes.'" '
       .'method="'.$this->form_method.'" '
-      .'action="'.$this->form_action.'" target="'.$this->submit_target.'"'.($this->enable_upload?' enctype="multipart/form-data"':'').'>';
+      .'action="'.$this->form_action.'" target="'.$this->submit_target.'"'.($this->enable_upload?' enctype="multipart/form-data"':' ').$this->add_form_attributes.'>';
+    if ($this->enable_token) {
+      $this->submit_token = self::genRandomToken();
+      $start_form .= '<input type="hidden" name="csrf_token" value="'.$this->submit_token.'" />';
+      if (isset($_SESSION)) {
+        $_SESSION['csrf_token'] = $this->submit_token;
+      }
+    }
+    return $start_form;
   }
 
 

diff --git a/simbio2/simbio_UTILS/simbio_date.inc.php b/simbio2/simbio_UTILS/simbio_date.inc.php
@@ -24,7 +24,7 @@
 // be sure that this file not accessed directly
 if (!defined('INDEX_AUTH')) {
     die("can not access this file directly");
-} elseif (INDEX_AUTH != 1) { 
+} elseif (INDEX_AUTH != 1) {
     die("can not access this file directly");
 }
 
@@ -187,7 +187,7 @@ public static function getNextDateNotHoliday($str_date, $array_holiday_dayname =
         if (!$array_holiday_dayname AND !$array_holiday_date) {
             return $str_date;
         }
-		
+
         // check date array first
         $d = false;
 		$_str_date_next = $str_date;
@@ -210,7 +210,7 @@ public static function getNextDateNotHoliday($str_date, $array_holiday_dayname =
 			$n = true;
             $_str_date_next = self::getNextDate(1, $_str_date_next);
         }
-		
+
         //looping break
         if (!$d and !$n) {
             return $_str_date_next;
@@ -282,4 +282,3 @@ public static function generateCalendar($mix_year, $mix_month, $arr_date_data =
         return $_calendar;
     }
 }
-?>
diff --git a/simbio2/simbio_UTILS/simbio_qparser.inc.php b/simbio2/simbio_UTILS/simbio_qparser.inc.php
@@ -24,7 +24,7 @@
 // be sure that this file not accessed directly
 if (!defined('INDEX_AUTH')) {
     die("can not access this file directly");
-} elseif (INDEX_AUTH != 1) { 
+} elseif (INDEX_AUTH != 1) {
     die("can not access this file directly");
 }
 
@@ -240,4 +240,3 @@ public function setExactMatchFields($arr_fields)
         $this->exact_match_fields = $arr_fields;
     }
 }
-?>
diff --git a/simbio2/simbio_UTILS/simbio_security.inc.php b/simbio2/simbio_UTILS/simbio_security.inc.php
@@ -24,7 +24,7 @@
 // be sure that this file not accessed directly
 if (!defined('INDEX_AUTH')) {
     die("can not access this file directly");
-} elseif (INDEX_AUTH != 1) { 
+} elseif (INDEX_AUTH != 1) {
     die("can not access this file directly");
 }
 
@@ -71,4 +71,3 @@ public static function destroySessionCookie($str_msg, $str_session_name = '', $s
         }
     }
 }
-?>
diff --git a/simbio2/simbio_UTILS/simbio_tokenizecql.v2.inc.php b/simbio2/simbio_UTILS/simbio_tokenizecql.v2.inc.php
@@ -24,7 +24,7 @@
 // be sure that this file not accessed directly
 if (!defined('INDEX_AUTH')) {
     die("can not access this file directly");
-} elseif (INDEX_AUTH != 1) { 
+} elseif (INDEX_AUTH != 1) {
     die("can not access this file directly");
 }
 
@@ -136,4 +136,3 @@ function simbio_tokenizeCQL($str_query, $arr_searcheable_fields, $arr_stop_words
     $_array_queries[] = array('f' => 'cql_end');
     return $_array_queries;
 }
-?>