Browse Source

fix autosubmit vulnerability for "favorite" bookmarklet

closes #69
pull/82/head
Aaron Parecki 8 years ago
parent
commit
43e8a1ef8d
No known key found for this signature in database GPG Key ID: 276C2817346D6056
  1. 22
      controllers/controllers.php
  2. 21
      views/new-favorite.php
  3. 2
      views/partials/favorite-bookmarklet.php

22
controllers/controllers.php

@ -34,12 +34,12 @@ function require_login(&$app, $redirect=true) {
}
}
function generate_login_token() {
return JWT::encode(array(
function generate_login_token($opts=[]) {
return JWT::encode(array_merge([
'user_id' => $_SESSION['user_id'],
'me' => $_SESSION['me'],
'created_at' => time()
), Config::$jwtSecret);
], $opts), Config::$jwtSecret);
}
$app->get('/dashboard', function() use($app) {
@ -130,11 +130,23 @@ $app->get('/favorite', function() use($app) {
if(array_key_exists('url', $params))
$url = $params['url'];
// Check if there was a login token in the query string and whether it has autosubmit=true
$autosubmit = false;
if(array_key_exists('token', $params)) {
try {
$data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']);
$autosubmit = isset($data->autosubmit) && $data->autosubmit;
} catch(Exception $e) {
}
}
render('new-favorite', array(
'title' => 'New Favorite',
'url' => $url,
'token' => generate_login_token(),
'authorizing' => false
'token' => generate_login_token(['autosubmit'=>true]),
'authorizing' => false,
'autosubmit' => $autosubmit
));
}
});

21
views/new-favorite.php

@ -31,12 +31,6 @@
<script>
$(function(){
var autosubmit = window.location.search.match('autosubmit=true');
if(autosubmit) {
$(".footer, #bookmarklet").hide();
}
$("#btn_post").click(function(){
$("#btn_post").addClass("loading disabled").text("Working...");
@ -50,13 +44,9 @@ $(function(){
}, function(response){
if(response.location != false) {
if(autosubmit) {
$("#btn_post").hide();
} else {
$("#test_success").removeClass('hidden');
$("#test_error").addClass('hidden');
$("#post_href").attr("href", response.location);
}
$("#test_success").removeClass('hidden');
$("#test_error").addClass('hidden');
$("#post_href").attr("href", response.location);
window.location = response.location;
} else {
@ -69,9 +59,10 @@ $(function(){
return false;
});
if(autosubmit) {
<? if($this->autosubmit): ?>
$(".footer, #bookmarklet").hide();
$("#btn_post").click();
}
<? endif ?>
bind_syndication_buttons();
});

2
views/partials/favorite-bookmarklet.php

@ -1,3 +1,3 @@
(function(){
window.open("<?= Config::$base_url ?>favorite?url="+encodeURIComponent(window.location.href)+"&autosubmit=true&token=<?= $this->token ?>");
window.open("<?= Config::$base_url ?>favorite?url="+encodeURIComponent(window.location.href)+"&token=<?= $this->token ?>");
})();
Loading…
Cancel
Save