From 5c2492e78599760b256f6f3958e5e30ff40bf54f Mon Sep 17 00:00:00 2001
From: Joe Haig
Date: Fri, 24 Jun 2016 22:39:39 +0100
Subject: [PATCH] Add CSRF token to password change page
---
includes/admin.php | 39 ++++++++++++++++++++++-----------------
includes/functions.php | 20 ++++++++++++++++++++
index.php | 10 ++++++++++
3 files changed, 52 insertions(+), 17 deletions(-)
diff --git a/includes/admin.php b/includes/admin.php
index a13f9bb..513473e 100755
--- a/includes/admin.php
+++ b/includes/admin.php
@@ -13,26 +13,30 @@ function Status($message, $level='success', $dismissable=true) {
 function DisplayAuthConfig($username, $password){
 $status = '';
 if (isset($_POST['UpdateAdminPassword'])) {
- if (password_verify($_POST['oldpass'], $password)) {
- $new_username=trim($_POST['username']);
- if ($_POST['newpass'] != $_POST['newpassagain']) {
- $status = Status('New passwords do not match', 'danger');
- } else if ($new_username == '') {
- $status = Status('Username must not be empty', 'danger');
- } else {
- if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
- fwrite($auth_file, $new_username.PHP_EOL);
- fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
- fclose($auth_file);
- $username = $new_username;
- $status = Status('Admin password updated');
+ if (CSRFValidate()) {
+ if (password_verify($_POST['oldpass'], $password)) {
+ $new_username=trim($_POST['username']);
+ if ($_POST['newpass'] != $_POST['newpassagain']) {
+ $status = Status('New passwords do not match', 'danger');
+ } else if ($new_username == '') {
+ $status = Status('Username must not be empty', 'danger');
 } else {
- $status = Status('Failed to update admin password', 'danger');
+ if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
+ fwrite($auth_file, $new_username.PHP_EOL);
+ fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
+ fclose($auth_file);
+ $username = $new_username;
+ $status = Status('Admin password updated');
+ } else {
+ $status = Status('Failed to update admin password', 'danger');
+ }
 }
+ } else {
+ $status = Status('Old password does not match', 'danger');
 }
- } else {
- $status = Status('Old password does not match', 'danger');
- }
+ } else {
+ // Log something
+ }
 }
 ?>
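Review bot: The CSRF-failure branch at the end of the hunk (`} else { // Log something }`) swallows the rejection: `$status` stays empty, so a request with a missing or stale token fails silently and nothing is recorded anywhere. Replace the placeholder with user feedback plus a server-side record, e.g. `$status = Status('Invalid CSRF token', 'danger');` followed by `error_log('CSRF validation failed on admin password change');`. While this block is being re-indented, the re-added `$_POST['newpass'] != $_POST['newpassagain']` comparison should become `!==` so the check is a strict string comparison, and `$_POST['oldpass']`/`$_POST['newpass']` are read with no presence check even though only `UpdateAdminPassword` is tested with `isset`. `CSRFValidate()` is defined in the includes/functions.php hunk, which is cut off at the end of this page, so I cannot confirm it compares the submitted and session tokens with `hash_equals()`; it should. `DisplayAuthConfig`'s body continues past the end of this hunk (the next hunk at line 42 is still inside it).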
@@ -42,6 +46,7 @@ function DisplayAuthConfig($username, $password){

+
diff --git a/includes/functions.php b/includes/functions.php
index 0edc493..72abadc 100755
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -1,5 +1,25 @@
+ +