From 769a05b682662ddee56314ab784455fa6422d5c5 Mon Sep 17 00:00:00 2001 From: Noah van der Aa <44026893+NoahvdAa@users.noreply.github.com> Date: Wed, 23 Jan 2019 17:48:54 +0100 Subject: [PATCH] Added CSRF protection to file manager. --- var/www/html/files.php | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/var/www/html/files.php b/var/www/html/files.php index 2ea093d..6212b5b 100644 --- a/var/www/html/files.php +++ b/var/www/html/files.php @@ -125,10 +125,18 @@ if(@!ftp_chdir($ftp, $dir)){ } if(!empty($_POST['mkdir']) && !empty($_POST['name'])){ + if(empty($_POST['csrf_token']) || $_POST['csrf_token'] != $_SESSION['csrf_token']){ + echo 'Invalid CSRF token, please try again.'; + exit; + } ftp_mkdir($ftp, $_POST['name']); } if(!empty($_POST['mkfile']) && !empty($_POST['name'])){ + if(empty($_POST['csrf_token']) || $_POST['csrf_token'] != $_SESSION['csrf_token']){ + echo 'Invalid CSRF token, please try again.'; + exit; + } $tmpfile='/tmp/'.uniqid(); touch($tmpfile); ftp_put($ftp, $_POST['name'], $tmpfile, FTP_BINARY); 
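Review bot: The comparison on the added `$_POST['csrf_token'] != $_SESSION['csrf_token']` lines is a loose, non-constant-time compare: when both sides are numeric-looking strings (hex tokens such as `0e1234…` qualify) `!=` compares them as numbers, and if `$_SESSION['csrf_token']` was never set the lookup emits an undefined-index notice and the posted value is compared against null instead of being rejected outright. Use `hash_equals()` on both values cast to string, refuse when the session token is absent, and since the same four lines are repeated in eight branches hoist them into one helper invoked at each site. How the session token is generated is not visible in this patch, so it should be confirmed to come from `random_bytes()`/`bin2hex()` rather than `uniqid()` like the temp-file names. The enclosing `if(@!ftp_chdir($ftp, $dir))` block starts before the hunk.
```php
// Abort the request unless a CSRF token matching the session is present; does not return on failure.
function require_csrf_token(){
    $sent = isset($_POST['csrf_token']) ? (string)$_POST['csrf_token'] : '';
    $expected = isset($_SESSION['csrf_token']) ? (string)$_SESSION['csrf_token'] : '';
    // hash_equals: constant-time, strict string compare (no numeric-string juggling).
    if($sent === '' || $expected === '' || !hash_equals($expected, $sent)){
        http_response_code(403);
        echo 'Invalid CSRF token, please try again.';
        exit;
    }
}
// … unchanged: ftp_chdir error handling …
if(!empty($_POST['mkdir']) && !empty($_POST['name'])){
    require_csrf_token();
    ftp_mkdir($ftp, $_POST['name']);
}
```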
@@ -136,23 +144,39 @@ if(!empty($_POST['mkfile']) && !empty($_POST['name'])){ } if(!empty($_POST['delete']) && !empty($_POST['files'])){ + if(empty($_POST['csrf_token']) || $_POST['csrf_token'] != $_SESSION['csrf_token']){ + echo 'Invalid CSRF token, please try again.'; + exit; + } foreach($_POST['files'] as $file){ ftp_recursive_delete($ftp, $file); } } if(!empty($_POST['rename_2']) && !empty($_POST['files'])){ + if(empty($_POST['csrf_token']) || $_POST['csrf_token'] != $_SESSION['csrf_token']){ + echo 'Invalid CSRF token, please try again.'; + exit; + } foreach($_POST['files'] as $old=>$new){ ftp_rename($ftp, $old, $new); } } if(!empty($_POST['rename']) && !empty($_POST['files'])){ + if(empty($_POST['csrf_token']) || $_POST['csrf_token'] != $_SESSION['csrf_token']){ + echo 'Invalid CSRF token, please try again.'; + exit; + } send_rename($dir); exit; } if(!empty($_POST['edit_2']) && !empty($_POST['files'])){ + if(empty($_POST['csrf_token']) || $_POST['csrf_token'] != $_SESSION['csrf_token']){ + echo 'Invalid CSRF token, please try again.'; + exit; + } $tmpfile='/tmp/'.uniqid(); foreach($_POST['files'] as $name=>$content){ file_put_contents($tmpfile, $content); @@ -167,6 +191,10 @@ if(!empty($_POST['edit']) && !empty($_POST['files'])){ } if(!empty($_POST['unzip']) && !empty($_POST['files'])){ + if(empty($_POST['csrf_token']) || $_POST['csrf_token'] != $_SESSION['csrf_token']){ + echo 'Invalid CSRF token, please try again.'; + exit; + } $zip = new ZipArchive(); foreach($_POST['files'] as $file){ if(!preg_match('/\.zip$/', $file)){ @@ -202,6 +230,10 @@ if(!empty($_POST['unzip']) && !empty($_POST['files'])){ if(!empty($_FILES['files'])){ + if(empty($_POST['csrf_token']) || $_POST['csrf_token'] != $_SESSION['csrf_token']){ + echo 'Invalid CSRF token, please try again.'; + exit; + } $c=count($_FILES['files']['name']); for($i=0; $i<$c; ++$i){ if($_FILES['files']['error'][$i]===UPLOAD_ERR_OK){ @@ -276,7 +308,7 @@ $dir=htmlspecialchars($dir);
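Review bot: Guarding each action branch separately (`delete`, `rename_2`, `rename`, `edit_2` here) means any branch not listed stays unprotected; the `edit` branch sits between this hunk and the next (`@@ -167`) and is untouched, and while it presumably only renders the editor, its counterpart `rename` did receive a check, so the asymmetry should be confirmed. A single guard ahead of the dispatch, `if($_SERVER['REQUEST_METHOD'] === 'POST'){ /* verify token or exit */ }`, covers every state-changing branch including ones added later and removes the per-branch copies. The rejection path also answers with HTTP 200, so clients and access logs cannot tell it from success; add `http_response_code(403);` before the `echo`. The `edit_2` branch body continues past the end of the hunk.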
Upload up to 1GB and up to 100 files at once
Upload up to 1GB and up to 100 files at once