diff --git a/admin/modules/bibliography/index.php b/admin/modules/bibliography/index.php index ec405cec..c36292af 100755 --- a/admin/modules/bibliography/index.php +++ b/admin/modules/bibliography/index.php @@ -90,6 +90,11 @@ function getimagesizefromstring($string_data) } /* RECORD OPERATION */ if (isset($_POST['saveData']) AND $can_read AND $can_write) { + if (!simbio_form_maker::isTokenValid()) { + utility::jsAlert(__('Invalid form submission token!')); + utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'system', 'Invalid form submission token, might be a CSRF attack from '.$_SERVER['REMOTE_ADDR']); + exit(); + } $title = trim(strip_tags($_POST['title'])); // check form validity if (empty($title)) { @@ -368,7 +373,7 @@ function getimagesizefromstring($string_data) } $end = $start + $total; - for ($b=$start; $b < $end; $b++) { + for ($b=$start; $b < $end; $b++) { $len = strlen($b); $itemcode = $chars[0]; if ($zeros > 0) { @@ -390,6 +395,11 @@ function getimagesizefromstring($string_data) if (!($can_read AND $can_write)) { die(); } + if (!simbio_form_maker::isTokenValid()) { + utility::jsAlert(__('Invalid form submission token!')); + utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'system', 'Invalid form submission token, might be a CSRF attack from '.$_SERVER['REMOTE_ADDR']); + exit(); + } /* DATA DELETION PROCESS */ // create sql op object $sql_op = new simbio_dbop($dbs); @@ -429,7 +439,7 @@ function getimagesizefromstring($string_data) $sql_op->delete('biblio_attachment', "biblio_id=$itemID"); $sql_op->delete('biblio_relation', "biblio_id=$itemID"); $sql_op->delete('search_biblio', "biblio_id=$itemID"); - + // delete serial data // check kardex if exist $_sql_serial_kardex_q = sprintf('SELECT b.title, COUNT(kardex_id),s.serial_id FROM biblio AS b 
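Review bot: The rejection path in the `saveData` branch answers with a normal 200 page plus a JS alert, so a forged request is indistinguishable from a successful one to anything but a human reading the screen; add `http_response_code(403);` before `exit()` (the `writeLogs` call already records the attempt). The same five lines are pasted again in the deletion branch further down, and a small helper such as `utility::checkCsrfToken($dbs)` would keep the two in step. `isTokenValid()` consumes the session token, so the validation exits that follow (`empty($title)`) leave the user with a form whose token is already spent unless the error path re-renders through `startForm()` — confirm that it does. Only the `saveData` branch is guarded here; any other state-changing POST handler in this file that is outside the hunk needs the same check.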
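Review bot: The log entry written before `exit()` in the deletion branch is the same for a missing token and for a mismatched one, so a stale double-submit from a legitimate user and a forged request look identical in the audit trail; record which case it was, e.g. `(isset($_POST['csrf_token']) ? 'Mismatched' : 'Missing').' form submission token, might be a CSRF attack from '.$_SERVER['REMOTE_ADDR']`. The branch this check sits in starts before the hunk, so I cannot see which request shape reaches it, but placing the check after the permission `die()` is right. The statements that follow interpolate `$itemID` straight into the WHERE clause (`"biblio_id=$itemID"`); whether it is cast to int before that loop is outside the hunk and worth confirming, since the token does nothing against an authenticated user supplying a crafted id.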
@@ -444,7 +454,7 @@ function getimagesizefromstring($string_data) } //delete serial data $sql_op->delete('serial', "biblio_id=$itemID"); - + // add to http query for UCS delete $http_query .= "itemID[]=$itemID&"; } diff --git a/simbio2/simbio_DB/datagrid/simbio_dbgrid.inc.php b/simbio2/simbio_DB/datagrid/simbio_dbgrid.inc.php index bf47d33b..2471c613 100755 --- a/simbio2/simbio_DB/datagrid/simbio_dbgrid.inc.php +++ b/simbio2/simbio_DB/datagrid/simbio_dbgrid.inc.php @@ -363,7 +363,15 @@ protected function makeOutput($int_num2show = 30) } // if editable if ($this->editable) { - $_buffer .= '
'."\n"; + if (class_exists('simbio_form_maker')) { + $form_maker = new simbio_form_maker($this->table_name, $this->chbox_form_URL, $str_form_method = 'post', false); + $form_maker->submit_target = $_target; + $form_maker->add_form_attributes= 'style="display: inline;"'; + $_buffer .= $form_maker->startForm(); + } else { + $_buffer .= ''."\n"; + } + $_check_all = __('Check All'); $_uncheck_all = __('Uncheck All'); diff --git a/simbio2/simbio_GUI/form_maker/simbio_form_maker.inc.php b/simbio2/simbio_GUI/form_maker/simbio_form_maker.inc.php index b390edd5..6ecbfd91 100755 --- a/simbio2/simbio_GUI/form_maker/simbio_form_maker.inc.php +++ b/simbio2/simbio_GUI/form_maker/simbio_form_maker.inc.php @@ -3,7 +3,7 @@ * simbio_form_maker * Class for creating form with element based on simbio form elements * - * Copyright (C) 2007,2008 Arie Nugraha (dicarve@yahoo.com) + * Copyright (C) 2017 Arie Nugraha (dicarve@gmail.com) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -24,7 +24,7 @@ // be sure that this file not accessed directly if (!defined('INDEX_AUTH')) { die("can not access this file directly"); -} elseif (INDEX_AUTH != 1) { +} elseif (INDEX_AUTH != 1) { die("can not access this file directly"); } @@ -47,6 +47,8 @@ public function out() class simbio_form_maker { public $submit_target = '_self'; + public $add_form_attributes = ''; + public $css_classes = 'simbio_form_maker'; protected $elements = array(); protected $hidden_elements = array(); protected $form_name = ''; @@ -54,6 +56,9 @@ class simbio_form_maker protected $form_action = ''; protected $disable = ''; protected $enable_upload = true; + protected $enable_token = true; + protected $submit_token = null; + protected $submit_token_name = null; /** * Class Constructor 
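Review bot: `$str_form_method = 'post'` inside the `new simbio_form_maker(...)` call is an assignment expression, not a named argument — it creates a stray local and passes `'post'`; write `'post'` directly, or use a PHP 8 named argument with the constructor's real parameter name. Because `startForm()` keeps its token in the single `$_SESSION['csrf_token']` slot, rendering this grid form on a page that also renders another form_maker form leaves only the last-rendered form submittable; whether any admin page does that is not visible here. The `else` fallback (the form tag is lost in this view) emits a form with no token, which handlers that now call `isTokenValid()` will reject, so either `simbio_form_maker` is always loadable and the fallback is dead code, or the fallback silently breaks submission. `add_form_attributes= 'style=...'` also wants a space before `=`.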
@@ -71,6 +76,60 @@ public function __construct($str_form_name = 'mainForm', $str_form_action = '', $this->enable_upload = $bool_enable_upload; } + /** + * Static method to create random form submission token + * + * @param int $length + * @return string + */ + public static function genRandomToken($length = 32){ + if(!isset($length) || intval($length) <= 8 ) { + $length = 32; + } + if (function_exists('random_bytes')) { + return bin2hex(random_bytes($length)); + } + if (function_exists('mcrypt_create_iv')) { + return bin2hex(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM)); + } + if (function_exists('openssl_random_pseudo_bytes')) { + return bin2hex(openssl_random_pseudo_bytes($length)); + } + } + + + /** + * Static method check validaty of form submission token + * + * @return boolean + */ + public static function isTokenValid(){ + if (isset($_SESSION['csrf_token']) && isset($_SESSION['csrf_token']) && isset($_POST['csrf_token'])) { + if ($_SESSION['csrf_token'] === $_POST['csrf_token']) { + // remove token session var + unset($_SESSION['csrf_token']); + return true; + } else { + // remove token session var + unset($_SESSION['csrf_token']); + return false; + } + } + return false; + } + + + /** + * Method to disable form submission token + * this method MUST BE called before startForm method call + * + * @return void + */ + public function disableSubmitToken() + { + $this->enable_token = false; + } + /** * Method to start form * 
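Review bot: `isTokenValid()` compares the two tokens with `===`, which is not constant-time and, because `$_POST['csrf_token']` can arrive as an array, relies on type mismatch to reject non-strings; check both sides are non-empty strings and compare with `hash_equals()` (PHP 5.6+, in line with the `random_bytes` probing in `genRandomToken()`). The condition also tests `isset($_SESSION['csrf_token'])` twice, presumably one of them was meant to be `isset($_SESSION)`. `genRandomToken()` falls off the end and returns `null` when none of the three sources exists, and the `openssl_random_pseudo_bytes` fallback ignores its `$crypto_strong` out-parameter; end the method with `throw new RuntimeException('No cryptographically secure random source available');` instead of silently emitting a token that can never validate. Rewritten check:
```php
public static function isTokenValid(){
    $expected = isset($_SESSION['csrf_token']) ? $_SESSION['csrf_token'] : null;
    $given = isset($_POST['csrf_token']) ? $_POST['csrf_token'] : null;
    // single-use: discard the stored token whatever the outcome
    unset($_SESSION['csrf_token']);
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}
```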
@@ -78,9 +137,20 @@ public function __construct($str_form_name = 'mainForm', $str_form_action = '', */ public function startForm() { - return 'disable?'class="disabled"':'') + if ($this->disable) { + $this->css_classes .= ' disabled'; + } + $start_form = 'enable_upload?' enctype="multipart/form-data"':'').'>'; + .'action="'.$this->form_action.'" target="'.$this->submit_target.'"'.($this->enable_upload?' enctype="multipart/form-data"':' ').$this->add_form_attributes.'>'; + if ($this->enable_token) { + $this->submit_token = self::genRandomToken(); + $start_form .= ''; + if (isset($_SESSION)) { + $_SESSION['csrf_token'] = $this->submit_token; + } + } + return $start_form; } diff --git a/simbio2/simbio_UTILS/simbio_date.inc.php b/simbio2/simbio_UTILS/simbio_date.inc.php index 1be91a4a..86366671 100755 --- a/simbio2/simbio_UTILS/simbio_date.inc.php +++ b/simbio2/simbio_UTILS/simbio_date.inc.php @@ -24,7 +24,7 @@ // be sure that this file not accessed directly if (!defined('INDEX_AUTH')) { die("can not access this file directly"); -} elseif (INDEX_AUTH != 1) { +} elseif (INDEX_AUTH != 1) { die("can not access this file directly"); } @@ -187,7 +187,7 @@ public static function getNextDateNotHoliday($str_date, $array_holiday_dayname = if (!$array_holiday_dayname AND !$array_holiday_date) { return $str_date; } - + // check date array first $d = false; $_str_date_next = $str_date; @@ -210,7 +210,7 @@ public static function getNextDateNotHoliday($str_date, $array_holiday_dayname = $n = true; $_str_date_next = self::getNextDate(1, $_str_date_next); } - + //looping break if (!$d and !$n) { return $_str_date_next; @@ -282,4 +282,3 @@ public static function generateCalendar($mix_year, $mix_month, $arr_date_data = return $_calendar; } } -?> diff --git a/simbio2/simbio_UTILS/simbio_qparser.inc.php b/simbio2/simbio_UTILS/simbio_qparser.inc.php index f9bd7efc..437234cc 100755 --- a/simbio2/simbio_UTILS/simbio_qparser.inc.php +++ b/simbio2/simbio_UTILS/simbio_qparser.inc.php 
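Review bot: When uploads are enabled the form tag is built from `' enctype="multipart/form-data"'` immediately followed by `$this->add_form_attributes` with no separator — the `' '` exists only in the non-upload branch — so a form using both emits `...form-data"style="..."`; emit the space unconditionally, `($this->enable_upload ? ' enctype="multipart/form-data"' : '').' '.$this->add_form_attributes.'>'`. Every call also overwrites the single `$_SESSION['csrf_token']` slot and `isTokenValid()` removes it on use, so only the most recently rendered form in the session can be submitted, once; a second tab or a browser-back resubmit is then logged as a "CSRF attack", and a small rolling set of tokens keyed by `$this->form_name` would avoid that. When `$_SESSION` is not set the token is emitted but never stored, which fails closed but without any diagnostic — at least log it. `$this->css_classes .= ' disabled'` accumulates on repeated `startForm()` calls for a disabled form. The hidden-input line appears stripped in this view, so I cannot confirm the token lands inside a quoted `value` attribute.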
@@ -24,7 +24,7 @@ // be sure that this file not accessed directly if (!defined('INDEX_AUTH')) { die("can not access this file directly"); -} elseif (INDEX_AUTH != 1) { +} elseif (INDEX_AUTH != 1) { die("can not access this file directly"); } @@ -240,4 +240,3 @@ public function setExactMatchFields($arr_fields) $this->exact_match_fields = $arr_fields; } } -?> diff --git a/simbio2/simbio_UTILS/simbio_security.inc.php b/simbio2/simbio_UTILS/simbio_security.inc.php index dcd5f647..f9648931 100755 --- a/simbio2/simbio_UTILS/simbio_security.inc.php +++ b/simbio2/simbio_UTILS/simbio_security.inc.php @@ -24,7 +24,7 @@ // be sure that this file not accessed directly if (!defined('INDEX_AUTH')) { die("can not access this file directly"); -} elseif (INDEX_AUTH != 1) { +} elseif (INDEX_AUTH != 1) { die("can not access this file directly"); } @@ -71,4 +71,3 @@ public static function destroySessionCookie($str_msg, $str_session_name = '', $s } } } -?> diff --git a/simbio2/simbio_UTILS/simbio_tokenizecql.v2.inc.php b/simbio2/simbio_UTILS/simbio_tokenizecql.v2.inc.php index 3a57197a..d10f7cdd 100755 --- a/simbio2/simbio_UTILS/simbio_tokenizecql.v2.inc.php +++ b/simbio2/simbio_UTILS/simbio_tokenizecql.v2.inc.php @@ -24,7 +24,7 @@ // be sure that this file not accessed directly if (!defined('INDEX_AUTH')) { die("can not access this file directly"); -} elseif (INDEX_AUTH != 1) { +} elseif (INDEX_AUTH != 1) { die("can not access this file directly"); } @@ -136,4 +136,3 @@ function simbio_tokenizeCQL($str_query, $arr_searcheable_fields, $arr_stop_words $_array_queries[] = array('f' => 'cql_end'); return $_array_queries; } -?>