fix autosubmit vulnerability for "favorite" bookmarklet

closes #69
7 years ago · 43e8a1ef8d
3 changed files with 24 additions and 21 deletions
--- a/controllers/controllers.php
+++ b/controllers/controllers.php
@ -34,12 +34,12 @@ function require_login(&$app, $redirect=true) {
  }
 }

-function generate_login_token() {
-  return JWT::encode(array(
+function generate_login_token($opts=[]) {
+  return JWT::encode(array_merge([
    'user_id' => $_SESSION['user_id'],
    'me' => $_SESSION['me'],
    'created_at' => time()
-  ), Config::$jwtSecret);
+  ], $opts), Config::$jwtSecret);
 }

 $app->get('/dashboard', function() use($app) {
@ -130,11 +130,23 @@ $app->get('/favorite', function() use($app) {
    if(array_key_exists('url', $params))
      $url = $params['url'];

+    // Check if there was a login token in the query string and whether it has autosubmit=true
+    $autosubmit = false;
+
+    if(array_key_exists('token', $params)) {
+      try {
+        $data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']);
+        $autosubmit = isset($data->autosubmit) && $data->autosubmit;
+      } catch(Exception $e) {
+      }
+    }
+
    render('new-favorite', array(
      'title' => 'New Favorite',
      'url' => $url,
-      'token' => generate_login_token(),
-      'authorizing' => false
+      'token' => generate_login_token(['autosubmit'=>true]),
+      'authorizing' => false,
+      'autosubmit' => $autosubmit
    ));
  }
 });
--- a/views/new-favorite.php
+++ b/views/new-favorite.php
@ -31,12 +31,6 @@
 <script>
 $(function(){

-  var autosubmit = window.location.search.match('autosubmit=true');
-
-  if(autosubmit) {
-    $(".footer, #bookmarklet").hide();
-  }
-
  $("#btn_post").click(function(){
    $("#btn_post").addClass("loading disabled").text("Working...");

@ -50,13 +44,9 @@ $(function(){
    }, function(response){
      if(response.location != false) {

-        if(autosubmit) {
-          $("#btn_post").hide();
-        } else {
-          $("#test_success").removeClass('hidden');
-          $("#test_error").addClass('hidden');
-          $("#post_href").attr("href", response.location);
-        }
+        $("#test_success").removeClass('hidden');
+        $("#test_error").addClass('hidden');
+        $("#post_href").attr("href", response.location);

        window.location = response.location;
      } else {
@ -69,9 +59,10 @@ $(function(){
    return false;
  });

-  if(autosubmit) {
+  <? if($this->autosubmit): ?>
+    $(".footer, #bookmarklet").hide();
    $("#btn_post").click();
-  }
+  <? endif ?>

  bind_syndication_buttons();
 });
--- a/views/partials/favorite-bookmarklet.php
+++ b/views/partials/favorite-bookmarklet.php
@ -1,3 +1,3 @@
 (function(){
-  window.open("<?= Config::$base_url ?>favorite?url="+encodeURIComponent(window.location.href)+"&autosubmit=true&token=<?= $this->token ?>");
+  window.open("<?= Config::$base_url ?>favorite?url="+encodeURIComponent(window.location.href)+"&token=<?= $this->token ?>");
 })();