From 43e8a1ef8d7586422b5d164204a57bdd5938a6d1 Mon Sep 17 00:00:00 2001
From: Aaron Parecki
Date: Sun, 12 Feb 2017 20:18:34 -0800
Subject: fix autosubmit vulnerability for "favorite" bookmarklet

closes #69
---
 controllers/controllers.php | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

(limited to 'controllers/controllers.php')

diff --git a/controllers/controllers.php b/controllers/controllers.php
index 4b19879..10dd9a1 100644
--- a/controllers/controllers.php
+++ b/controllers/controllers.php
@@ -34,12 +34,12 @@ function require_login(&$app, $redirect=true) {
   }
 }
 
-function generate_login_token() {
-  return JWT::encode(array(
+function generate_login_token($opts=[]) {
+  return JWT::encode(array_merge([
     'user_id' => $_SESSION['user_id'],
     'me' => $_SESSION['me'],
     'created_at' => time()
-  ), Config::$jwtSecret);
+  ], $opts), Config::$jwtSecret);
 }
 
 $app->get('/dashboard', function() use($app) {
@@ -130,11 +130,23 @@ $app->get('/favorite', function() use($app) {
     if(array_key_exists('url', $params))
       $url = $params['url'];
 
+    // Check if there was a login token in the query string and whether it has autosubmit=true
+    $autosubmit = false;
+
+    if(array_key_exists('token', $params)) {
+      try {
+        $data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']);
+        $autosubmit = isset($data->autosubmit) && $data->autosubmit;
+      } catch(Exception $e) {
+      }
+    }
+
     render('new-favorite', array(
       'title' => 'New Favorite',
       'url' => $url,
-      'token' => generate_login_token(),
-      'authorizing' => false
+      'token' => generate_login_token(['autosubmit'=>true]),
+      'authorizing' => false,
+      'autosubmit' => $autosubmit
     ));
   }
 });
-- 
cgit v1.2.3
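Review bot: In generate_login_token the new `array_merge([...], $opts)` puts the caller's options last, so a future caller could override the `user_id`, `me` and `created_at` claims that are meant to come from the session. The only caller in this commit passes just `autosubmit`, but the function is the one place that mints a signed token, so the session claims should win: `return JWT::encode(array_merge($opts, [` with the closing `]), Config::$jwtSecret);` unchanged. A one-line comment on the parameter, `// $opts: extra claims to sign; session claims below are authoritative`, would make that intent clear.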
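Review bot: The autosubmit check in the /favorite handler only proves that the token was signed with Config::$jwtSecret; it never compares the token's `user_id` to the current session and never looks at `created_at`, so any autosubmit token ever issued to any user stays valid indefinitely for whoever presents it. Binding it to the session user is a one-line change, `$autosubmit = !empty($data->autosubmit) && isset($data->user_id) && $data->user_id == $_SESSION['user_id'];`, and an age check on `created_at` would bound the lifetime. This assumes the session is already established at this point (the require_login call, if any, is outside the hunk, as is the start of the closure). The empty `catch(Exception $e)` is the right fail-closed default, but a comment such as `// invalid or tampered token: fall back to no autosubmit` would record that it is deliberate.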