From 298d7f09972141194374ee430dbad34e2977f907 Mon Sep 17 00:00:00 2001
From: cflakes
Date: Sun, 25 Apr 2010 13:35:06 +0000
Subject: [PATCH] WebMods: Following the last commit, this adds the CSRF check token to existing action="post" forms. Right now, we don't have much of a real protection against CSRF yet, but psychon is working on making that happen :)
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1933 726aef4b-f618-498e-8847-2d620e286838
---
 WebModules.cpp | 1 +
 modules/www/notes/index.tmpl | 1 +
 modules/www/stickychan/index.tmpl | 1 +
 modules/www/webadmin/add_edit_chan.tmpl | 1 +
 modules/www/webadmin/add_edit_user.tmpl | 1 +
 modules/www/webadmin/settings.tmpl | 1 +
 webskins/_default_/tmpl/_csrf_check.tmpl | 1 +
 7 files changed, 7 insertions(+)
 create mode 100644 webskins/_default_/tmpl/_csrf_check.tmpl
diff --git a/WebModules.cpp b/WebModules.cpp
index 7ea73271..fe2872a1 100644
--- a/WebModules.cpp
+++ b/WebModules.cpp
@@ -307,6 +307,7 @@ void CWebSock::SetVars() {
 m_Template["SessionIP"] = GetRemoteIP();
 m_Template["Tag"] = CZNC::GetTag(GetSession()->GetUser() != NULL);
 m_Template["SkinName"] = GetSkinName();
+ m_Template["_CSRF_Check"] = GetCSRFCheck();
 if (GetSession()->IsAdmin()) {
 m_Template["IsAdmin"] = "true";
diff --git a/modules/www/notes/index.tmpl b/modules/www/notes/index.tmpl
index 3b62d547..fad56494 100644
--- a/modules/www/notes/index.tmpl
+++ b/modules/www/notes/index.tmpl
@@ -1,6 +1,7 @@
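Review bot: The added `m_Template["_CSRF_Check"] = GetCSRFCheck();` line in WebModules.cpp publishes the token to every template without saying what the value is bound to or where it is verified, and the commit message itself concedes the protection is not effective yet. GetCSRFCheck() is defined outside this hunk, so whether the value is per-session and unpredictable cannot be confirmed from here. The `Tag` context line shows GetUser() may be NULL at this point, so the token is presumably also handed to unauthenticated sessions, which is acceptable only if it is tied to that session. I would add a comment on the new line such as `// Per-session CSRF token for POST forms (emitted via _csrf_check.tmpl); must be compared server-side on every POST before any state change`. SetVars() starts and ends outside the hunk.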
+

Add A Note

diff --git a/modules/www/stickychan/index.tmpl b/modules/www/stickychan/index.tmpl
index 238756ae..3fd383c5 100644
--- a/modules/www/stickychan/index.tmpl
+++ b/modules/www/stickychan/index.tmpl
@@ -1,6 +1,7 @@
+
diff --git a/modules/www/webadmin/add_edit_chan.tmpl b/modules/www/webadmin/add_edit_chan.tmpl
index 5acc593d..9a665639 100644
--- a/modules/www/webadmin/add_edit_chan.tmpl
+++ b/modules/www/webadmin/add_edit_chan.tmpl
@@ -1,6 +1,7 @@
+
diff --git a/modules/www/webadmin/add_edit_user.tmpl b/modules/www/webadmin/add_edit_user.tmpl
index 57ac34eb..f06c6021 100644
--- a/modules/www/webadmin/add_edit_user.tmpl
+++ b/modules/www/webadmin/add_edit_user.tmpl
@@ -1,6 +1,7 @@
+
diff --git a/modules/www/webadmin/settings.tmpl b/modules/www/webadmin/settings.tmpl
index 82f05581..cadcda59 100644
--- a/modules/www/webadmin/settings.tmpl
+++ b/modules/www/webadmin/settings.tmpl
@@ -1,6 +1,7 @@
+
diff --git a/webskins/_default_/tmpl/_csrf_check.tmpl b/webskins/_default_/tmpl/_csrf_check.tmpl
new file mode 100644
index 00000000..2ce56556
--- /dev/null
+++ b/webskins/_default_/tmpl/_csrf_check.tmpl
@@ -0,0 +1 @@
+