From 7668ee204064c2621f74648246bf23e575b85c0d Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Mon, 7 Apr 2025 15:24:53 +0300
Subject: [PATCH] Adds CSRF protection to profile page
---
 app/pages/profile.php | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/app/pages/profile.php b/app/pages/profile.php
index 6029ec3..c7f86a8 100644
--- a/app/pages/profile.php
+++ b/app/pages/profile.php
@@ -13,9 +13,18 @@
 */
 $action = $_REQUEST['action'] ?? '';
+$item = $_REQUEST['item'] ?? '';
 // if a form is submitted, it's from the edit page
 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ // Validate CSRF token
+ require_once '../app/helpers/security.php';
+ $security = SecurityHelper::getInstance();
+ if (!$security->verifyCsrfToken($_POST['csrf_token'] ?? '')) {
+ Feedback::flash('ERROR', 'DEFAULT', 'Invalid security token. Please try again.');
+ header("Location: $app_root?page=profile");
+ exit();
+ }
 require_once '../app/classes/validator.php';
@@ -23,8 +32,6 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 require_once '../app/includes/rate_limit_middleware.php';
 checkRateLimit($dbWeb, 'profile', $user_id);
- $item = $_REQUEST['item'] ?? '';
-
 // avatar removal
 if ($item === 'avatar' && $action === 'remove') {
 $validator = new Validator(['user_id' => $user_id]);
@@ -136,8 +143,12 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 $avatar = !empty($userDetails[0]['avatar']) ? $config['avatars_path'] . $userDetails[0]['avatar'] : $config['default_avatar'];
 $default_avatar = empty($userDetails[0]['avatar']) ? true : false;
- switch ($action) {
+ // Generate CSRF token if not exists
+ require_once '../app/helpers/security.php';
+ $security = SecurityHelper::getInstance();
+ $security->generateCsrfToken();
+ switch ($action) {
 case 'edit':
 $allRights = $userObject->getAllRights();
 $allTimezones = timezone_identifiers_list();
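Review bot: The CSRF helper is loaded and resolved twice in the same page — `require_once '../app/helpers/security.php'; $security = SecurityHelper::getInstance();` appears at the top of the POST branch in the first hunk and again before `switch ($action)` in the third hunk. Since this commit already hoists `$item` above the POST branch, the helper should be hoisted the same way, once, so that `$security` is a single page-level dependency and the order "verify on POST, then (re)generate for the rendered form" is visible in one place. The third hunk's comment `// Generate CSRF token if not exists` asserts behaviour that is not visible here: if `generateCsrfToken()` rotates the token on every render rather than reusing one already in the session, a form opened in a second tab will fail the check in the first hunk — confirm against the helper and make the comment say which it is, e.g. `// Reuses the session's CSRF token, or creates one if none exists`. The `if ($_SERVER['REQUEST_METHOD'] == 'POST')` block that the verification sits in closes outside the hunk, and `$app_root` used in the redirect is defined elsewhere, presumably from config rather than request input.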