WebSVN – ALCASAR – Path Comparison – / – /web/acc/ Rev 3134 and /web/acc/ Rev 3135

Ignore whitespace Rev 3134 → Rev 3135

 /web/acc/manager/htdocs/activity.php
 ,6 → 28,8
 }
 fclose($file_conf);
+$csrf_key = "";
+$csrf_token = hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'].$_SERVER['REQUEST_URI'].$csrf_key);
 $tmp = explode("/",$conf["PRIVATE_IP"]);
 $private_ip=$tmp[0];
 $intif = $conf["INTIF"];
 ,8 → 115,8
 }
 if (isset($_POST['action'])){
-        if (filter_var(trim($_POST['mac_addr']), FILTER_VALIDATE_MAC) !== false){
-                $mac= trim($_POST['mac_addr']);
+        $mac= trim($_POST['mac_addr']);
+        if ((filter_var($mac, FILTER_VALIDATE_MAC) !== false) && (trim($_POST['post_csrf_token']) == $csrf_token)){
                 switch ($_POST['action']){
                         case "$l_disconnect" :
                                 exec("sudo /usr/sbin/chilli_query logout ".$mac);
 ,6 → 142,7
                                 exec('sudo /usr/local/bin/alcasar-iot_capture.sh -k '.$mac.' &>/dev/null &');
                         break;
                 }
         }
         unset($_POST['mac_addr']);
 }
 ,6 → 226,7
                                                 echo "</td><td>";
                                                 echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"POST\">";
                                                 echo "<input type=\"hidden\" name=\"mac_addr\" value=\"$detail[0]\">";
+                                                echo "<input type=\"hidden\" name=\"post_csrf_token\" value=\"$csrf_token\">";
                                                 if($IoT_capture == "on"){
                                                         if(exec('sudo /usr/local/bin/alcasar-iot_capture.sh -i '.$detail[0]) == "CaptureON"){
                                                                 echo "<input type=\"submit\" onClick=\"document.getElementById('ldoverlay').style.display='block';\" name=\"action\" value=\"$l_stop_capture_disconnect\">";
 ,6 → 251,7
                                         echo "<td>";
                                         echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"POST\">";
                                         echo "<input type=\"hidden\" name=\"mac_addr\" value=\"$detail[0]\">";
+                                        echo "<input type=\"hidden\" name=\"post_csrf_token\" value=\"$csrf_token\">";
                                         echo "<input type=\"submit\" onClick=\"document.getElementById('ldoverlay').style.display='block';\" name=\"action\" value=\"$l_disconnect\">";
                                         echo "</form></td>";
                                 }
 ,6 → 269,7
                                 echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"POST\">";
                                 # Dissociate user (... or other) who is not connected yet
                                 echo "<input type=\"hidden\" name=\"mac_addr\" value=\"$detail[0]\">";
+                                echo "<input type=\"hidden\" name=\"post_csrf_token\" value=\"$csrf_token\">";
                                 exec ("grep $detail[0] /usr/local/etc/alcasar-ethers-info", $mac_in_ether_file);
                                 if (empty($mac_in_ether_file[1])){
                                         echo "<input type=\"submit\" onClick=\"document.getElementById('ldoverlay').style.display='block';\" name=\"action\" value=\"$l_dissociate\">"; // Dissociate only MAC not in ether file (dhcp)

Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 3134 → Rev 3135