author | Aaron Parecki <aaron@parecki.com> | 2017-02-12 20:18:34 -0800 |
committer | Aaron Parecki <aaron@parecki.com> | 2017-02-12 20:18:34 -0800 |
commit | 43e8a1ef8d7586422b5d164204a57bdd5938a6d1 (patch) | |
tree | 2f832ca21f0a4cca330a763463db6c733246ae84 | |
parent | 2c8387b1e08bff38895c2ce8a840a13a1fed1932 (diff) |
fix autosubmit vulnerability for "favorite" bookmarklet
closes #69
-rw-r--r-- | controllers/controllers.php | 22 | ||||
-rw-r--r-- | views/new-favorite.php | 21 | ||||
-rw-r--r-- | views/partials/favorite-bookmarklet.php | 2 |
3 files changed, 24 insertions, 21 deletions
diff --git a/controllers/controllers.php b/controllers/controllers.php
index 4b19879..10dd9a1 100644
--- a/controllers/controllers.php
+++ b/controllers/controllers.php
@@ -34,12 +34,12 @@ function require_login(&$app, $redirect=true) {
 }
 }
-function generate_login_token() {
- return JWT::encode(array(
+function generate_login_token($opts=[]) {
+ return JWT::encode(array_merge([
 'user_id' => $_SESSION['user_id'],
 'me' => $_SESSION['me'],
 'created_at' => time()
- ), Config::$jwtSecret);
+ ], $opts), Config::$jwtSecret);
 }
 $app->get('/dashboard', function() use($app) {
@@ -130,11 +130,23 @@ $app->get('/favorite', function() use($app) {
 if(array_key_exists('url', $params))
 $url = $params['url'];
+ // Check if there was a login token in the query string and whether it has autosubmit=true
+ $autosubmit = false;
+
+ if(array_key_exists('token', $params)) {
+ try {
+ $data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']);
+ $autosubmit = isset($data->autosubmit) && $data->autosubmit;
+ } catch(Exception $e) {
+ }
+ }
+
 render('new-favorite', array(
 'title' => 'New Favorite',
 'url' => $url,
- 'token' => generate_login_token(),
- 'authorizing' => false
+ 'token' => generate_login_token(['autosubmit'=>true]),
+ 'authorizing' => false,
+ 'autosubmit' => $autosubmit
 ));
 }
 });
diff --git a/views/new-favorite.php b/views/new-favorite.php
index 9977d69..9f191e8 100644
--- a/views/new-favorite.php
+++ b/views/new-favorite.php
@@ -31,12 +31,6 @@
 <script>
 $(function(){
- var autosubmit = window.location.search.match('autosubmit=true');
-
- if(autosubmit) {
- $(".footer, #bookmarklet").hide();
- }
-
 $("#btn_post").click(function(){
 $("#btn_post").addClass("loading disabled").text("Working...");
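Review bot: In generate_login_token the caller-supplied `$opts` is the second argument to array_merge, so any key it carries overrides the `user_id`, `me` and `created_at` claims; the only call site on this page passes `['autosubmit'=>true]`, but a later caller could replace the identity claims without noticing. Putting the fixed claims last keeps them authoritative, `return JWT::encode(array_merge($opts, [` with the closing line `]), Config::$jwtSecret);`, and a type declaration, `function generate_login_token(array $opts=[]) {`, documents what the parameter accepts. A one-line comment above the function saying that `$opts` adds extra claims to the session-bound token and must not carry identity keys would help the next reader.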
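Review bot: The token check in the /favorite handler reads only the `autosubmit` claim and never compares the decoded `user_id` or `me` claims with the current session, so any validly signed autosubmit token enables autosubmit for whichever logged-in user follows the link, not just the user it was issued to; nothing bounds the token's age either, although the `created_at` claim is available for that. Binding the claim to the session closes the gap: `$autosubmit = !empty($data->autosubmit) && isset($data->user_id) && $data->user_id == $_SESSION['user_id'];` (use `===` if the claim and session value are known to share a type). The empty `catch(Exception $e)` treats a malformed, tampered or wrongly-signed token the same as no token, which is the right default, but a debug-level log line in that branch would make signature failures visible in operations. The `$app->get('/favorite', ...)` closure starts before the hunk, so whether a login is required earlier in it cannot be confirmed from here.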
@@ -50,13 +44,9 @@ $(function(){
 }, function(response){
 if(response.location != false) {
- if(autosubmit) {
- $("#btn_post").hide();
- } else {
- $("#test_success").removeClass('hidden');
- $("#test_error").addClass('hidden');
- $("#post_href").attr("href", response.location);
- }
+ $("#test_success").removeClass('hidden');
+ $("#test_error").addClass('hidden');
+ $("#post_href").attr("href", response.location);
 window.location = response.location;
 } else {
@@ -69,9 +59,10 @@ $(function(){
 return false;
 });
- if(autosubmit) {
+ <? if($this->autosubmit): ?>
+ $(".footer, #bookmarklet").hide();
 $("#btn_post").click();
- }
+ <? endif ?>
 bind_syndication_buttons();
 });
diff --git a/views/partials/favorite-bookmarklet.php b/views/partials/favorite-bookmarklet.php
index bdee851..df68802 100644
--- a/views/partials/favorite-bookmarklet.php
+++ b/views/partials/favorite-bookmarklet.php
@@ -1,3 +1,3 @@
 (function(){
- window.open("<?= Config::$base_url ?>favorite?url="+encodeURIComponent(window.location.href)+"&autosubmit=true&token=<?= $this->token ?>");
+ window.open("<?= Config::$base_url ?>favorite?url="+encodeURIComponent(window.location.href)+"&token=<?= $this->token ?>");
 })();
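Review bot: The new `<? if($this->autosubmit): ?>` / `<? endif ?>` pair in views/new-favorite.php uses the short open tag, which only works when `short_open_tag` is enabled; with it off, the template text is emitted verbatim into the `<script>` block, which is not valid JavaScript, and the whole handler stops working. The full tag is safe on every configuration: `<?php if($this->autosubmit): ?>` and `<?php endif ?>` (the `<?=` echo tag the bookmarklet partial uses is fine, as it does not depend on that setting). The `$(function(){` handler this sits in starts before the hunk.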