authorAaron Parecki <aaron@parecki.com>2017-02-12 20:18:34 -0800
committerAaron Parecki <aaron@parecki.com>2017-02-12 20:18:34 -0800
commit43e8a1ef8d7586422b5d164204a57bdd5938a6d1 (patch)
tree2f832ca21f0a4cca330a763463db6c733246ae84
parent2c8387b1e08bff38895c2ce8a840a13a1fed1932 (diff)
fix autosubmit vulnerability for "favorite" bookmarklet
closes #69
-rw-r--r--controllers/controllers.php22
-rw-r--r--views/new-favorite.php21
-rw-r--r--views/partials/favorite-bookmarklet.php2
3 files changed, 24 insertions, 21 deletions
diff --git a/controllers/controllers.php b/controllers/controllers.php
index 4b19879..10dd9a1 100644
--- a/controllers/controllers.php
+++ b/controllers/controllers.php
@@ -34,12 +34,12 @@ function require_login(&$app, $redirect=true) {
}
}
-function generate_login_token() {
- return JWT::encode(array(
+function generate_login_token($opts=[]) {
+ return JWT::encode(array_merge([
'user_id' => $_SESSION['user_id'],
'me' => $_SESSION['me'],
'created_at' => time()
- ), Config::$jwtSecret);
+ ], $opts), Config::$jwtSecret);
}
$app->get('/dashboard', function() use($app) {
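Review bot: `array_merge([...], $opts)` puts the caller's array last, so an `$opts` entry can overwrite `user_id`, `me` or `created_at` in the signed token; reversing the arguments, `return JWT::encode(array_merge($opts, [ /* session claims */ ]), Config::$jwtSecret);`, keeps the session-derived claims authoritative while still allowing extra claims such as `autosubmit`. Nothing visible here sets an `exp` claim, so a token carrying `autosubmit => true` presumably stays valid for as long as the secret does — worth confirming and stating on the function. A short docblock would help: `// Signs a JWT bound to the current session; $opts adds extra claims (e.g. autosubmit) to the payload.`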
@@ -130,11 +130,23 @@ $app->get('/favorite', function() use($app) {
if(array_key_exists('url', $params))
$url = $params['url'];
+ // Check if there was a login token in the query string and whether it has autosubmit=true
+ $autosubmit = false;
+
+ if(array_key_exists('token', $params)) {
+ try {
+ $data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']);
+ $autosubmit = isset($data->autosubmit) && $data->autosubmit;
+ } catch(Exception $e) {
+ }
+ }
+
render('new-favorite', array(
'title' => 'New Favorite',
'url' => $url,
- 'token' => generate_login_token(),
- 'authorizing' => false
+ 'token' => generate_login_token(['autosubmit'=>true]),
+ 'authorizing' => false,
+ 'autosubmit' => $autosubmit
));
}
});
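Review bot: The decoded token is trusted for autosubmit without being tied to the current session, so any token signed with Config::$jwtSecret — including one that another user of this instance copies out of their own bookmarklet — turns a crafted link into an auto-posting one for whoever is logged in, which is the same class of problem #69 closes. The token already carries `user_id`, so bind it before honouring the flag: `$autosubmit = isset($data->autosubmit) && $data->autosubmit && isset($data->user_id) && (string)$data->user_id === (string)$_SESSION['user_id'];`. The empty `catch(Exception $e)` is acceptable as best-effort, but a comment such as `// invalid or foreign token: fall back to the manual form` would make the intent explicit. The handler starts before this hunk, so whether require_login has already populated `$_SESSION` at this point is not visible here.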
diff --git a/views/new-favorite.php b/views/new-favorite.php
index 9977d69..9f191e8 100644
--- a/views/new-favorite.php
+++ b/views/new-favorite.php
@@ -31,12 +31,6 @@
<script>
$(function(){
- var autosubmit = window.location.search.match('autosubmit=true');
-
- if(autosubmit) {
- $(".footer, #bookmarklet").hide();
- }
-
$("#btn_post").click(function(){
$("#btn_post").addClass("loading disabled").text("Working...");
@@ -50,13 +44,9 @@ $(function(){
}, function(response){
if(response.location != false) {
- if(autosubmit) {
- $("#btn_post").hide();
- } else {
- $("#test_success").removeClass('hidden');
- $("#test_error").addClass('hidden');
- $("#post_href").attr("href", response.location);
- }
+ $("#test_success").removeClass('hidden');
+ $("#test_error").addClass('hidden');
+ $("#post_href").attr("href", response.location);
window.location = response.location;
} else {
@@ -69,9 +59,10 @@ $(function(){
return false;
});
- if(autosubmit) {
+ <? if($this->autosubmit): ?>
+ $(".footer, #bookmarklet").hide();
$("#btn_post").click();
- }
+ <? endif ?>
bind_syndication_buttons();
});
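Review bot: The new guards use the short open tag (`<? if($this->autosubmit): ?>` / `<? endif ?>`), which only works when `short_open_tag` is enabled; if it is off, the raw `<? if` text is emitted inside the `<script>` block and the page's JavaScript stops parsing, taking the `$("#btn_post").click()` handler and `bind_syndication_buttons()` with it. Use the full tag, `<?php if($this->autosubmit): ?>` and `<?php endif ?>`, which does not depend on ini settings (the `<?=` echo form used in the bookmarklet partial is unaffected). Since `$this->autosubmit` is a server-computed boolean, nothing user-controlled is interpolated here, which is what the fix relies on. The enclosing `$(function(){ ... })` starts before this hunk.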
diff --git a/views/partials/favorite-bookmarklet.php b/views/partials/favorite-bookmarklet.php
index bdee851..df68802 100644
--- a/views/partials/favorite-bookmarklet.php
+++ b/views/partials/favorite-bookmarklet.php
@@ -1,3 +1,3 @@
(function(){
- window.open("<?= Config::$base_url ?>favorite?url="+encodeURIComponent(window.location.href)+"&autosubmit=true&token=<?= $this->token ?>");
+ window.open("<?= Config::$base_url ?>favorite?url="+encodeURIComponent(window.location.href)+"&token=<?= $this->token ?>");
})();