Fixed opendocman#241 - csrf protection

soewarsono · Dec 19, 2015 · 162c084 · 162c084
1 parent 2e76cd8
commit 162c084
Show file tree

Hide file tree

Showing 7 changed files with 107 additions and 6 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,4 @@
 Thumbs.db
 /nbproject
 config.php
+vendor
diff --git a/README b/README
@@ -33,16 +33,17 @@ Check the docs folder for further documentation
 
   ex.  $>mkdir /usr/local/opendocman/data
 
- 4. Load the opendocman page in your web browser
+ 4. Run composer: "./composer.phar install"
+ 5. Load the opendocman page in your web browser
 (ex. http://www.example.com/opendocman/ ) and follow the prompts.
 
- 5. Login as "admin" (with the password you set during the installation). 
+ 6. Login as "admin" (with the password you set during the installation). 
 
- 6. Edit your site settings at Admin->Site Settings
+ 7. Edit your site settings at Admin->Site Settings
 
- 7. Add departments, categories, users, etc.
+ 8. Add departments, categories, users, etc.
 
- 8. Enjoy!
+ 9. Enjoy!
 
 1.3 New Installation (Manual)
 
@@ -68,4 +69,6 @@ Check the docs folder for further documentation
     Change those to reflect the correct locations.
  7. Import your database.sql file into your database
 
- 8. Visit the URL for your installation and login as admin (no password)
+ 8. Run composer: "./composer.phar install"
+
+ 9. Visit the URL for your installation and login as admin (no password)
diff --git a/composer.json b/composer.json
@@ -0,0 +1,11 @@
+{
+  "require": {
+    "owasp/csrf-protector-php": "dev-issue34-config-file-location"
+  },
+  "repositories": [
+    {
+      "type": "vcs",
+      "url": "https://github.com/stephenlawrence/CSRF-Protector-PHP"
+    }
+  ]
+}
diff --git a/composer.lock b/composer.lock
diff --git a/composer.phar b/composer.phar
diff --git a/config/csrf_config.php b/config/csrf_config.php
@@ -0,0 +1,26 @@
+<?php
+/**
+ * Configuration file for CSRF Protector
+ * Necessary configurations are (library would throw exception otherwise)
+ * ---- logDirectory
+ * ---- failedAuthAction
+ * ---- jsPath
+ * ---- jsUrl
+ * ---- tokenLength
+ */
+return array(
+    "CSRFP_TOKEN" => "",
+    "logDirectory" => "../log",
+    "failedAuthAction" => array(
+        "GET" => 0,
+        "POST" => 0),
+    "errorRedirectionPage" => "",
+    "customErrorMessage" => "",
+    "jsPath" => "vendor/owasp/csrf-protector-php/js/csrfprotector.js",
+    "jsUrl" => "http://192.168.99.100/vendor/owasp/csrf-protector-php/js/csrfprotector.js",
+    "tokenLength" => 10,
+    "disabledJavascriptMessage" => "This site attempts to protect users against <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\">
+	Cross-Site Request Forgeries </a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you.
+	 See details of your web browser for how to enable JavaScript.",
+    "verifyGetFor" => array()
+);
diff --git a/odm-init.php b/odm-init.php
@@ -26,6 +26,12 @@
 Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
  */
 
+require __DIR__ . '/vendor/autoload.php';
+
+include_once __DIR__ .'/vendor/owasp/csrf-protector-php/libs/csrf/csrfprotector.php';
+
+csrfProtector::init();
+
 /*
  * Connect to Database
  */