Webmods: Only accept POST requests with a secret parameter

This is a first step against CSRF. Thanks to flakes for the idea.


git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1932 726aef4b-f618-498e-8847-2d620e286838

WebModules.cpp

@@ -518,6 +518,16 @@ void CWebSock::OnPageRequest(const CString& sURI) {
 }
 
 CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI, CString& sPageRet) {
+	// Check that they really POSTed from one our forms by checking if they
+	// know the "secret" CSRF check value. Don't do this for login since
+	// CSRF against the login form makes no sense and the login form does a
+	// cookies-enabled check which would break otherwise.
+	if (IsPost() && GetParam("_CSRF_Check") != GetCSRFCheck() && sURI != "/login") {
+		sPageRet = GetErrorPage(403, "Access denied", "POST requests need to send "
+				"a secret token to prevent cross-site request forgery attacks.");
+		return PAGE_PRINT;
+	}
+
 	SendCookie("SessionId", GetSession()->GetId());
 
 	if (GetSession()->IsLoggedIn()) {
@@ -714,6 +724,11 @@ CSmartPtr<CWebSession> CWebSock::GetSession() {
 	return spSession;
 }
 
+CString CWebSock::GetCSRFCheck() {
+	CSmartPtr<CWebSession> pSession = GetSession();
+	return pSession->GetId().MD5();
+}
+
 bool CWebSock::OnLogin(const CString& sUser, const CString& sPass) {
 	DEBUG("=================== CWebSock::OnLogin()");
 	m_spAuth = new CWebAuth(this, sUser, sPass);