Fix CSRF bugs

erikdubbelboer · erikdubbelboer · commit b57e3b0e2f23 · 2021-09-08T07:42:57.000Z
diff --git a/includes/header.inc.php b/includes/header.inc.php
@@ -35,5 +35,9 @@
 <script src="js/<?php echo $js; ?>.js?v<?=$version?>"></script>
 <?php } ?>
 
+<script>
+phpRedisAdmin_csrfToken = '<?php echo $csrfToken; ?>';
+</script>
+
 </head>
 <body>
diff --git a/index.php b/index.php
@@ -245,7 +245,7 @@ function getDbInfo($d, $info, $padding = '') {
 </p>
 <button id="selected_all_keys">Select all</button>
 <button id="operations">
-<a href="delete.php?s=<?php echo $server['id']?>&amp;d=<?php echo $server['db']?>&batch_del=1" class="batch_del">Delete selected<img src="images/delete.png" style="width: 1em;height: 1em;vertical-align: middle;" title="Delete selected" alt="[X]"></a>
+<a href="delete.php?s=<?php echo $server['id']?>&amp;d=<?php echo $server['db']?>&batch_del=1&csrf=<?php echo $csrfToken; ?>" class="batch_del">Delete selected<img src="images/delete.png" style="width: 1em;height: 1em;vertical-align: middle;" title="Delete selected" alt="[X]"></a>
 </button>
 </div>
 <div id="keys">
diff --git a/js/frame.js b/js/frame.js
@@ -18,7 +18,7 @@ $(function() {
       $.ajax({
         type: "POST",
         url: this.href,
-        data: 'post=1',
+        data: 'post=1&csrf=' + phpRedisAdmin_csrfToken,
         success: function(url) {
           top.location.href = top.location.pathname+url;
         }
diff --git a/js/index.js b/js/index.js
@@ -28,7 +28,7 @@ $(function() {
         $.ajax({
           type: "POST",
           url: this.href,
-          data: 'post=1&selected_keys=' + selected_keys,
+          data: 'post=1&selected_keys=' + selected_keys + '&csrf=' + phpRedisAdmin_csrfToken,
           success: function(url) {
             top.location.href = top.location.pathname+url;
           }
@@ -41,7 +41,7 @@ $(function() {
         $.ajax({
           type: "POST",
           url: this.href,
-          data: 'post=1',
+          data: 'post=1&csrf=' + phpRedisAdmin_csrfToken,
           success: function(url) {
             top.location.href = top.location.pathname+url;
           }
@@ -74,7 +74,7 @@ $(function() {
           $.ajax({
             type: "POST",
             url: href,
-            data: 'post=1',
+            data: 'post=1&csrf=' + phpRedisAdmin_csrfToken,
             success: function() {
               window.location.reload();
             }

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ $(function() {`
`18`	`18`	`$.ajax({`
`19`	`19`	`type: "POST",`
`20`	`20`	`url: this.href,`
`21`		`- data: 'post=1',`
	`21`	`+ data: 'post=1&csrf=' + phpRedisAdmin_csrfToken,`
`22`	`22`	`success: function(url) {`
`23`	`23`	`top.location.href = top.location.pathname+url;`
`24`	`24`	`}`