experimental CSRF protection

[tt-rss.git] / backend.php

diff --git a/backend.php b/backend.php
index 1805ce360b9538d85616d47b17213b6b1254059f..2e4da500fe794a11440acde7c9d35235f7726394 100644 (file)
--- a/backend.php
+++ b/backend.php
@@ -1,5 +1,5 @@
 <?php
-       set_include_path(get_include_path() . PATH_SEPARATOR . 
+       set_include_path(get_include_path() . PATH_SEPARATOR .
                dirname(__FILE__) . "/include");
 
        /* remove ill effects of magic quotes */
@@ -20,6 +20,11 @@
        $op = $_REQUEST["op"];
        @$method = $_REQUEST['subop'] ? $_REQUEST['subop'] : $_REQUEST["method"];
 
+       if (!$method)
+               $method = 'index';
+       else
+               $method = strtolower($method);
+
        /* Public calls compatibility shim */
 
        $public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",
@@ -30,6 +35,11 @@
                return;
        }
 
+       $csrf_token = $_REQUEST['csrf_token'];
+
+       if (!$csrf_token)
+               error_log("[$op/$method] CSRF: [$csrf_token]\n", 3, "/tmp/csrf.log");
+
        require_once "functions.php";
        require_once "sessions.php";
        require_once "sanity_check.php";
@@ -138,13 +148,17 @@
                $handler = new $op($link, $_REQUEST);
 
                if ($handler) {
-                       if ($handler->before($method)) {
-                               if ($method && method_exists($handler, $method)) {
-                                       $handler->$method();
-                               } else if (method_exists($handler, 'index')) {
-                                       $handler->index();
+                       if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
+                               if ($handler->before($method)) {
+                                       if ($method && method_exists($handler, $method)) {
+                                               $handler->$method();
+                                       }
+                                       $handler->after();
+                                       return;
                                }
-                               $handler->after();
+                       } else {
+                               header("Content-Type: text/plain");
+                               print json_encode(array("error" => array("code" => 6)));
                                return;
                        }
                }