Fix CSRF for setup modules

VINADES.,JSC · vuthao · commit e9e889065c3f · 2020-05-30T17:57:02.000+07:00
diff --git a/admin/modules/change_act.php b/admin/modules/change_act.php
@@ -7,47 +7,46 @@
  * @License GNU/GPL version 2 or any later version
  * @Createdate 2-10-2010 19:49
  */
-
-if (! defined('NV_IS_FILE_MODULES')) {
+if (!defined('NV_IS_FILE_MODULES')) {
     die('Stop!!!');
 }
 
 $mod = $nv_Request->get_title('mod', 'post');
 
-if (empty($mod) or ! preg_match($global_config['check_module'], $mod)) {
+if (empty($mod) or !preg_match($global_config['check_module'], $mod)) {
     die('NO_' . $mod);
 }
+if (md5(NV_CHECK_SESSION . '_' . $module_name . '_change_act_' . $mod) == $nv_Request->get_string('checkss', 'post')) {
+    $sth = $db->prepare('SELECT act, module_file FROM ' . NV_MODULES_TABLE . ' WHERE title= :title');
+    $sth->bindParam(':title', $mod, PDO::PARAM_STR);
+    $sth->execute();
+    $row = $sth->fetch();
+    if (empty($row)) {
+        die('NO_' . $mod);
+    }
 
-$sth = $db->prepare('SELECT act, module_file FROM ' . NV_MODULES_TABLE . ' WHERE title= :title');
-$sth->bindParam(':title', $mod, PDO::PARAM_STR);
-$sth->execute();
-$row = $sth->fetch();
-if (empty($row)) {
-    die('NO_' . $mod);
-}
+    $act = intval($row['act']);
 
-$act = intval($row['act']);
+    if ($act == 2) {
+        if (!is_dir(NV_ROOTDIR . '/modules/' . $row['module_file'])) {
+            die('NO_' . $mod);
+        }
+    }
 
-if ($act == 2) {
-    if (! is_dir(NV_ROOTDIR . '/modules/' . $row['module_file'])) {
+    $act = ($act != 1) ? 1 : 0;
+    if ($act == 0 and $mod == $global_config['site_home_module']) {
         die('NO_' . $mod);
     }
-}
-
-$act = ($act != 1) ? 1 : 0;
-if ($act == 0 and $mod == $global_config['site_home_module']) {
-    die('NO_' . $mod);
-}
-
-$sth = $db->prepare('UPDATE ' . NV_MODULES_TABLE . ' SET act=' . $act . ' WHERE title= :title');
-$sth->bindParam(':title', $mod, PDO::PARAM_STR);
-$sth->execute();
 
-$nv_Cache->delMod('modules');
+    $sth = $db->prepare('UPDATE ' . NV_MODULES_TABLE . ' SET act=' . $act . ' WHERE title= :title');
+    $sth->bindParam(':title', $mod, PDO::PARAM_STR);
+    $sth->execute();
 
-$temp = ($act == 1) ? $lang_global['yes'] : $lang_global['no'];
-nv_insert_logs(NV_LANG_DATA, $module_name, $lang_global['activate'] . ' module "' . $mod . '"', $temp, $admin_info['userid']);
+    $nv_Cache->delMod('modules');
 
+    $temp = ($act == 1) ? $lang_global['yes'] : $lang_global['no'];
+    nv_insert_logs(NV_LANG_DATA, $module_name, $lang_global['activate'] . ' module "' . $mod . '"', $temp, $admin_info['userid']);
+}
 include NV_ROOTDIR . '/includes/header.php';
 echo 'OK_' . $mod;
 include NV_ROOTDIR . '/includes/footer.php';
diff --git a/admin/modules/check_sample_data.php b/admin/modules/check_sample_data.php
@@ -13,43 +13,46 @@
 }
 
 if ($nv_Request->isset_request('module', 'post')) {
-    $module_name = $nv_Request->get_title('module', 'post');
+    $modname = $nv_Request->get_title('module', 'post');
     $is_setup = $nv_Request->get_int('setup', 'post', 0);
 
     $contents = array(
         'status' => 'error',
-        'module' => $module_name,
-        'message' => array( 0 => 'Module not exists' ),
+        'module' => $modname,
+        'message' => array(
+            0 => 'Module not exists'
+        ),
+        'checkss' => md5(NV_CHECK_SESSION . '_' . $module_name . '_setup_mod_' . $modname),
         'code' => 0
     );
 
-    if (! empty($module_name) and preg_match($global_config['check_module'], $module_name)) {
+    if (! empty($modname) and preg_match($global_config['check_module'], $modname)) {
         $sth = $db->prepare('SELECT module_file FROM ' . $db_config['prefix'] . '_' . NV_LANG_DATA . '_modules WHERE title= :title');
-        $sth->bindParam(':title', $module_name, PDO::PARAM_STR);
+        $sth->bindParam(':title', $modname, PDO::PARAM_STR);
         $sth->execute();
-        list($module_file) = $sth->fetch(3);
+        list($modfile) = $sth->fetch(3);
 
-        if (empty($module_file)) {
+        if (empty($modfile)) {
             $sth = $db->prepare('SELECT basename FROM ' . $db_config['prefix'] . '_setup_extensions WHERE title=:title AND type=\'module\'');
-            $sth->bindParam(':title', $module_name, PDO::PARAM_STR);
+            $sth->bindParam(':title', $modname, PDO::PARAM_STR);
             $sth->execute();
-            list($module_file) = $sth->fetch(3);
+            list($modfile) = $sth->fetch(3);
 
-            if (empty($module_file) and file_exists(NV_ROOTDIR . '/modules/' . $module_name . '/version.php')) {
-                $module_file = $module_name;
+            if (empty($modfile) and file_exists(NV_ROOTDIR . '/modules/' . $modname . '/version.php')) {
+                $modfile = $modname;
             }
         }
 
-        if (! empty($module_file)) {
+        if (! empty($modfile)) {
             $contents['status'] = 'success';
             $contents['message'][0] = $lang_module['reinstall_note1'];
 
             // Check sample data file
-            if (file_exists(NV_ROOTDIR . '/modules/' . $module_file . '/language/data_' . NV_LANG_DATA . '.php')) {
+            if (file_exists(NV_ROOTDIR . '/modules/' . $modfile . '/language/data_' . NV_LANG_DATA . '.php')) {
                 $contents['message'][1] = $lang_module['reinstall_note2'];
                 $contents['message'][2] = $lang_module['reinstall_note3'];
                 $contents['code'] = 1;
-            } elseif (file_exists(NV_ROOTDIR . '/modules/' . $module_file . '/language/data_en.php')) {
+            } elseif (file_exists(NV_ROOTDIR . '/modules/' . $modfile . '/language/data_en.php')) {
                 $contents['message'][1] = $lang_module['reinstall_note2'];
                 $contents['message'][2] = $lang_module['reinstall_note4'];
                 $contents['code'] = 1;
@@ -60,4 +63,4 @@
     nv_jsonOutput($contents);
 }
 
-nv_redirect_location(NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name);
+nv_redirect_location(NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $modname);
diff --git a/admin/modules/del.php b/admin/modules/del.php
@@ -15,7 +15,7 @@
 $modname = $nv_Request->get_title('mod', 'post');
 $contents = 'NO_' . $modname;
 
-if (! empty($modname) and preg_match($global_config['check_module'], $modname)) {
+if (!empty($modname) and preg_match($global_config['check_module'], $modname) and md5(NV_CHECK_SESSION . '_' . $module_name . '_del_' . $modname) == $nv_Request->get_string('checkss', 'post')) {
     $sth = $db->prepare('SELECT is_sys, basename FROM ' . $db_config['prefix'] . '_setup_extensions WHERE title= :title AND type=\'module\'');
     $sth->bindParam(':title', $modname, PDO::PARAM_STR);
     $sth->execute();
diff --git a/admin/modules/edit.php b/admin/modules/edit.php
@@ -72,7 +72,8 @@
 
 $groups_list = nv_groups_list();
 
-if ($nv_Request->get_int('save', 'post') == '1') {
+$checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $admin_info['userid']);
+if ($checkss == $nv_Request->get_string('checkss', 'post')) {
     $custom_title = $nv_Request->get_title('custom_title', 'post', '', 1);
     $site_title = $nv_Request->get_title('site_title', 'post', '');
     $admin_title = $nv_Request->get_title('admin_title', 'post', '', 1);
@@ -274,7 +275,7 @@
 $data['keywords'] = $keywords;
 $data['mod_name'] = $mod;
 $data['module_theme'] = $module_theme;
-
+$data['checkss'] = $checkss;
 if ($mod != $global_config['site_home_module']) {
     $data['groups_view'] = [$lang_global['groups_view'], $groups_list, $groups_view];
 } else {
diff --git a/admin/modules/list.php b/admin/modules/list.php
@@ -83,10 +83,13 @@
     $mod['version'] = preg_replace_callback('/^([0-9a-zA-Z]+\.[0-9a-zA-Z]+\.[0-9a-zA-Z]+)\s+(\d+)$/', 'nv_parse_vers', $row['version']);
     $mod['custom_title'] = $row['custom_title'];
     $mod['weight'] = array( $row['weight'], "nv_chang_weight('" . $row['title'] . "');" );
-    $mod['act'] = array( $row['act'], "nv_chang_act('" . $row['title'] . "');" );
+    $mod['act'] = array(
+        $row['act'],
+        "nv_chang_act('" . $row['title'] . "', '" . md5(NV_CHECK_SESSION . '_' . $module_name . '_change_act_' . $row['title']) . "');"
+    );
 
     $mod['edit'] = array( NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&amp;' . NV_NAME_VARIABLE . '=' . $module_name . '&amp;' . NV_OP_VARIABLE . '=edit&amp;mod=' . $row['title'], $lang_global['edit'] );
-    $mod['del'] = ($row['is_sys'] == 0 or $row['title'] != $row['module_file']) ? array( "nv_mod_del('" . $row['title'] . "');", $lang_global['delete'] ) : array();
+    $mod['del'] = ($row['is_sys'] == 0 or $row['title'] != $row['module_file']) ? array( "nv_mod_del('" . $row['title'] . "', '" . md5(NV_CHECK_SESSION . '_' . $module_name . '_del_' . $row['title']) . "');", $lang_global['delete'] ) : array();
 
     if ($row['title'] == $global_config['site_home_module']) {
         $row['is_sys'] = 1;
diff --git a/admin/modules/recreate_mod.php b/admin/modules/recreate_mod.php
@@ -16,7 +16,7 @@
 $modname = $nv_Request->get_title('mod', 'post');
 $sample = $nv_Request->get_int('sample', 'post', 0);
 
-if (! empty($modname) and preg_match($global_config['check_module'], $modname)) {
+if (! empty($modname) and preg_match($global_config['check_module'], $modname) and md5(NV_CHECK_SESSION . '_' . $module_name . '_setup_mod_' . $modname) == $nv_Request->get_string('checkss', 'post')) {
     nv_insert_logs(NV_LANG_DATA, $module_name, $lang_global['recreate'] . ' module "' . $modname . '"', '', $admin_info['userid']);
     $contents = nv_setup_data_module(NV_LANG_DATA, $modname, $sample);
 }
diff --git a/themes/admin_default/js/modules.js b/themes/admin_default/js/modules.js
@@ -45,10 +45,10 @@ function nv_chang_weight(modname) {
 	return;
 }
 
-function nv_chang_act(modname) {
+function nv_chang_act(modname, checkss) {
 	if (confirm(nv_is_change_act_confirm[0])) {
 		var nv_timer = nv_settimeout_disable('change_act_' + modname, 5000);
-		$.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=change_act&nocache=' + new Date().getTime(), 'mod=' + modname, function(res) {
+		$.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=change_act&nocache=' + new Date().getTime(), 'mod=' + modname + '&checkss=' + checkss, function(res) {
 			var r_split = res.split("_");
 			if (r_split[0] != 'OK') {
 				alert(nv_is_change_act_confirm[2]);
@@ -63,9 +63,9 @@ function nv_chang_act(modname) {
 	return;
 }
 
-function nv_mod_del(modname) {
+function nv_mod_del(modname, checkss) {
 	if (confirm(nv_is_del_confirm[0])) {
-		$.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=del&nocache=' + new Date().getTime(), 'mod=' + modname, function(res) {
+        	$.post(script_name + '?' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=del&nocache=' + new Date().getTime(), 'mod=' + modname + '&checkss=' + checkss, function(res) {
 			var r_split = res.split("_");
 			if (r_split[0] == 'OK') {
 				window.location.href = script_name + '?' + nv_name_variable + '=modules&' + nv_randomPassword(6) + '=' + nv_randomPassword(8);
@@ -240,6 +240,7 @@ $(document).ready(function(){
 			dataType: 'json',
 			success: function(e){
 				if( e.status == 'success' ){
+				    $("input[name='checkss']").val(e.checkss);
 					var option = $this.find('option');
 					option.removeClass('hidden');
 					option.prop('selected', false);
@@ -269,7 +270,7 @@ $(document).ready(function(){
 			type: 'POST',
 			cache: false,
 			url: script_name + '?' + nv_lang_variable + '=' + nv_lang_data + '&' + nv_name_variable + '=' + nv_module_name + '&' + nv_fc_variable + '=recreate_mod&nocache=' + new Date().getTime(),
-			data: 'mod=' + $container.data('title') + '&sample=' + $container.find('.option').val(),
+            data : 'mod=' + $container.data('title') + '&checkss=' + $('input[name=checkss]').val() + '&sample=' + $container.find('.option').val(),
 			success: function(e){
 				$container.modal('hide');
 				var r_split = e.split("_");
diff --git a/themes/admin_default/modules/modules/edit.tpl b/themes/admin_default/modules/modules/edit.tpl
@@ -8,7 +8,7 @@
             <tfoot>
                 <tr>
                     <td colspan="2" class="text-center">
-                        <input name="save" id="save" type="hidden" value="1" />
+                        <input type="hidden" name="checkss" value="{DATA.checkss}" />
                         <input name="module_theme" type="hidden" value="{DATA.module_theme}" />
                         <input name="go_add" type="submit" value="{DATA.submit}" class="btn btn-primary" />
                     </td>
diff --git a/themes/admin_default/modules/modules/main.tpl b/themes/admin_default/modules/modules/main.tpl
@@ -31,6 +31,7 @@
 				</div>
 			</div>
 			<div class="modal-footer">
+                <input type="hidden" name="checkss" value="" />
 				<button type="button" class="btn btn-primary submit">{GLANG.submit}</button>
 				<button type="button" class="btn btn-default" data-dismiss="modal">{GLANG.cancel}</button>
 			</div>

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`$modname = $nv_Request->get_title('mod', 'post');`
`17`	`17`	`$sample = $nv_Request->get_int('sample', 'post', 0);`
`18`	`18`
`19`		`-if (! empty($modname) and preg_match($global_config['check_module'], $modname)) {`
	`19`	`+if (! empty($modname) and preg_match($global_config['check_module'], $modname) and md5(NV_CHECK_SESSION . '_' . $module_name . '_setup_mod_' . $modname) == $nv_Request->get_string('checkss', 'post')) {`
`20`	`20`	`nv_insert_logs(NV_LANG_DATA, $module_name, $lang_global['recreate'] . ' module "' . $modname . '"', '', $admin_info['userid']);`
`21`	`21`	`$contents = nv_setup_data_module(NV_LANG_DATA, $modname, $sample);`
`22`	`22`	`}`