Add csrf token in forms (#599, #597)

This commit is contained in:
jekkos
2016-07-04 17:33:39 +02:00
parent 0ba5cadbb7
commit 806c1b9986
9 changed files with 198 additions and 28 deletions

View File

@@ -463,7 +463,7 @@ $config['global_xss_filtering'] = FALSE;
| 'csrf_regenerate' = Regenerate token on every submission
| 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
*/
$config['csrf_protection'] = FALSE;
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_ospos_v3';
$config['csrf_cookie_name'] = 'csrf_cookie_ospos_v3';
$config['csrf_expire'] = 7200;

View File

@@ -217,9 +217,9 @@ function get_supplier_data_row($supplier, $controller)
'email' => empty($supplier->email) ? '' : mailto($supplier->email, $supplier->email),
'phone_number' => $supplier->phone_number,
'messages' => empty($supplier->phone_number) ? '' : anchor("Messages/view/$supplier->person_id", '<span class="glyphicon glyphicon-phone"></span>',
array('class'=>'modal-dlg', 'data-btn-submit' => $CI->lang->line('common_submit'), 'title' => $CI->lang->line('messages_sms_send'))),
array('class'=>"modal-dlg", 'data-btn-submit' => $CI->lang->line('common_submit'), 'title'=>$CI->lang->line('messages_sms_send'))),
'edit' => anchor($controller_name."/view/$supplier->person_id", '<span class="glyphicon glyphicon-edit"></span>',
array('class'=>'modal-dlg', 'data-btn-submit' => $CI->lang->line('common_submit'), 'title' => $CI->lang->line($controller_name.'_update')))
array('class'=>"modal-dlg", 'data-btn-submit' => $CI->lang->line('common_submit'), 'title'=>$CI->lang->line($controller_name.'_update'))
);
}

View File

@@ -6,7 +6,7 @@
<title>Open Source Point Of Sale <?php echo $this->lang->line('login_login'); ?></title>
<link rel="shortcut icon" type="image/x-icon" href="images/favicon.ico">
<!-- start css template tags -->
<link rel="stylesheet" type="text/css" href="dist/bootstrap.min.css?rel=50ab19585f"/>
<link rel="stylesheet" type="text/css" href="dist/bootstrap.min.css?rel=9ed20b1ee8"/>
<link rel="stylesheet" type="text/css" href="css/login.css"/>
<!-- end css template tags -->

View File

@@ -66,12 +66,12 @@
<link rel="stylesheet" media="print" href="css/print.css" type="text/css" />
<![endif]-->
<!-- start mincss template tags -->
<link rel="stylesheet" type="text/css" href="dist/bootstrap.min.css?rel=50ab19585f"/>
<link rel="stylesheet" type="text/css" href="dist/bootstrap.min.css?rel=9ed20b1ee8"/>
<link rel="stylesheet" type="text/css" href="dist/jquery-ui.css"/>
<link rel="stylesheet" type="text/css" href="dist/opensourcepos.min.css?rel=6565b523f9"/>
<link rel="stylesheet" type="text/css" href="dist/opensourcepos.min.css?rel=f8daa2f957"/>
<!-- end mincss template tags -->
<!-- start minjs template tags -->
<script type="text/javascript" src="dist/opensourcepos.min.js?rel=991a3d5557"></script>
<script type="text/javascript" src="dist/opensourcepos.min.js?rel=75d94393ed"></script>
<!-- end minjs template tags -->
<?php endif; ?>
@@ -79,14 +79,14 @@
<script type="text/javascript">
// live clock
var clockTick = function clockTick() {
setInterval('updateClock();', 1000);
var clock_tick = function clock_tick() {
setInterval('update_clock();', 1000);
}
// start the clock immediatly
clockTick();
clock_tick();
function updateClock() {
var update_clock = function update_clock() {
document.getElementById('liveclock').innerHTML = moment().format("<?php echo dateformat_momentjs($this->config->item('dateformat').' '.$this->config->item('timeformat'))?>");
}
@@ -94,6 +94,23 @@
align: '<?php echo $this->config->item('config_notify_horizontal_position'); ?>',
from: '<?php echo $this->config->item('config_notify_vertical_position'); ?>'
}});
var post = $.post;
$.post = function() {
post.call(this, arguments[0], $.extend(arguments[1], {
<?php echo $this->security->get_csrf_token_name(); ?> : Cookies.get('<?php echo $this->config->item('csrf_cookie_name'); ?>')
}));
};
var setup_csrf = function() {
var csrf_cookie_val = Cookies.get('<?php echo $this->config->item('csrf_cookie_name'); ?>');
$('input[name="<?php echo $this->security->get_csrf_token_name(); ?>"]').val(csrf_cookie_val);
};
setup_csrf();
$(document).ajaxComplete(setup_csrf);
</script>
<style type="text/css">

View File

File diff suppressed because one or more lines are too long

156
dist/opensourcepos.js vendored
View File

@@ -42713,6 +42713,7 @@ $.extend($.fn, {
this.validateDelegate( ":submit", "click", function( event ) {
if ( validator.settings.submitHandler ) {
validator.submitButton = event.target;
}
// allow suppressing validation by adding a cancel class to the submit button
@@ -44034,6 +44035,158 @@ $.extend($.fn, {
});
}));
/*!
* JavaScript Cookie v2.1.2
* https://github.com/js-cookie/js-cookie
*
* Copyright 2006, 2015 Klaus Hartl & Fagner Brack
* Released under the MIT license
*/
;(function (factory) {
if (typeof define === 'function' && define.amd) {
define(factory);
} else if (typeof exports === 'object') {
module.exports = factory();
} else {
var OldCookies = window.Cookies;
var api = window.Cookies = factory();
api.noConflict = function () {
window.Cookies = OldCookies;
return api;
};
}
}(function () {
function extend () {
var i = 0;
var result = {};
for (; i < arguments.length; i++) {
var attributes = arguments[ i ];
for (var key in attributes) {
result[key] = attributes[key];
}
}
return result;
}
function init (converter) {
function api (key, value, attributes) {
var result;
if (typeof document === 'undefined') {
return;
}
// Write
if (arguments.length > 1) {
attributes = extend({
path: '/'
}, api.defaults, attributes);
if (typeof attributes.expires === 'number') {
var expires = new Date();
expires.setMilliseconds(expires.getMilliseconds() + attributes.expires * 864e+5);
attributes.expires = expires;
}
try {
result = JSON.stringify(value);
if (/^[\{\[]/.test(result)) {
value = result;
}
} catch (e) {}
if (!converter.write) {
value = encodeURIComponent(String(value))
.replace(/%(23|24|26|2B|3A|3C|3E|3D|2F|3F|40|5B|5D|5E|60|7B|7D|7C)/g, decodeURIComponent);
} else {
value = converter.write(value, key);
}
key = encodeURIComponent(String(key));
key = key.replace(/%(23|24|26|2B|5E|60|7C)/g, decodeURIComponent);
key = key.replace(/[\(\)]/g, escape);
return (document.cookie = [
key, '=', value,
attributes.expires && '; expires=' + attributes.expires.toUTCString(), // use expires attribute, max-age is not supported by IE
attributes.path && '; path=' + attributes.path,
attributes.domain && '; domain=' + attributes.domain,
attributes.secure ? '; secure' : ''
].join(''));
}
// Read
if (!key) {
result = {};
}
// To prevent the for loop in the first place assign an empty array
// in case there are no cookies at all. Also prevents odd result when
// calling "get()"
var cookies = document.cookie ? document.cookie.split('; ') : [];
var rdecode = /(%[0-9A-Z]{2})+/g;
var i = 0;
for (; i < cookies.length; i++) {
var parts = cookies[i].split('=');
var cookie = parts.slice(1).join('=');
if (cookie.charAt(0) === '"') {
cookie = cookie.slice(1, -1);
}
try {
var name = parts[0].replace(rdecode, decodeURIComponent);
cookie = converter.read ?
converter.read(cookie, name) : converter(cookie, name) ||
cookie.replace(rdecode, decodeURIComponent);
if (this.json) {
try {
cookie = JSON.parse(cookie);
} catch (e) {}
}
if (key === name) {
result = cookie;
break;
}
if (!key) {
result[name] = cookie;
}
} catch (e) {}
}
return result;
}
api.set = api;
api.get = function (key) {
return api(key);
};
api.getJSON = function () {
return api.apply({
json: true
}, [].slice.call(arguments));
};
api.defaults = {};
api.remove = function (key, attributes) {
api(key, '', extend(attributes, {
expires: -1
}));
};
api.withConverter = init;
return api;
}
return init(function () {});
}));
/*
* Project: Bootstrap Notify = v3.1.3
* Description: Turns standard Bootstrap alerts into "Growl-like" notifications.
@@ -44242,7 +44395,7 @@ $.extend($.fn, {
hasAnimation = false,
settings = this.settings;
$('[data-notify-position="' + this.settings.placement.from + '-' + this.settings.placement.align + '"]:not([data-closing="true"])').each(function() {
$('[data-notify-position="' + this.settings.placement.from + '-' + this.settings.placement.align + '"]:not([data-closing="true"])').each(function() {
return offsetAmt = Math.max(offsetAmt, parseInt($(this).css(settings.placement.from)) + parseInt($(this).outerHeight()) + parseInt(settings.spacing));
});
if (this.settings.newest_on_top == true) {
@@ -44352,6 +44505,7 @@ $.extend($.fn, {
}
}
}, 600);
},
reposition: function(posX) {
var self = this,

View File

File diff suppressed because one or more lines are too long

View File

@@ -6,7 +6,7 @@
<title>Open Source Point Of Sale <?php echo $this->lang->line('login_login'); ?></title>
<link rel="shortcut icon" type="image/x-icon" href="images/favicon.ico">
<!-- start css template tags -->
<link rel="stylesheet" type="text/css" href="templates/spacelab/css/bootstrap.min.css?rel=50ab19585f"/>
<link rel="stylesheet" type="text/css" href="templates/spacelab/css/bootstrap.min.css?rel=9ed20b1ee8"/>
<link rel="stylesheet" type="text/css" href="css/login.css"/>
<link rel="stylesheet" type="text/css" href="templates/spacelab/css/style.css"/>
<!-- end css template tags -->

View File

@@ -65,14 +65,14 @@
<!--[if lte IE 8]>
<link rel="stylesheet" media="print" href="css/print.css" type="text/css" />
<![endif]-->
<link rel="stylesheet" type="text/css" href="templates/spacelab/css/bootstrap.min.css?rel=50ab19585f"/>
<link rel="stylesheet" type="text/css" href="templates/spacelab/css/bootstrap.min.css?rel=9ed20b1ee8"/>
<!-- start mincss template tags -->
<link rel="stylesheet" type="text/css" href="dist/jquery-ui.css"/>
<link rel="stylesheet" type="text/css" href="dist/opensourcepos.min.css?rel=6565b523f9"/>
<link rel="stylesheet" type="text/css" href="dist/opensourcepos.min.css?rel=f8daa2f957"/>
<!-- end mincss template tags -->
<link rel="stylesheet" type="text/css" href="templates/spacelab/css/style.css"/>
<!-- start minjs template tags -->
<script type="text/javascript" src="dist/opensourcepos.min.js?rel=991a3d5557"></script>
<script type="text/javascript" src="dist/opensourcepos.min.js?rel=75d94393ed" language="javascript"></script>
<!-- end minjs template tags -->
<?php endif; ?>