Faille CSRF, blocage delete edit user

2019-01-15 13:47:32 +01:00 · 2019-01-15 13:47:32 +01:00 · 4864d62780
commit 4864d62780
parent 9a98847f7b
1 changed files with 23 additions and 9 deletions
--- a/core/module/user/user.php
+++ b/core/module/user/user.php
@ -88,11 +88,10 @@ class user extends common {
 	 * Suppression
 	 */
 	public function delete() {
-		$url = explode('&',$this->getUrl(2));	
 		// Accès refusé
 		if(
 			// L'utilisateur n'existe pas
-			$this->getData(['user', $url[0]]) === null
+			$this->getData(['user', $this->getUrl(2)]) === null
 			// Groupe insuffisant
 			AND ($this->getUrl('group') < self::GROUP_MODERATOR)
 		) {
@ -102,14 +101,14 @@ class user extends common {
 			]);
 		}
 		// Jeton incorrect
-		elseif(!isset($_GET['csrf'])) {
+		elseif(!$this->getUrl(3)) {
 			// Valeurs en sortie
 			$this->addOutput([
 				'redirect' => helper::baseUrl() . 'user',
 				'notification' => 'Jeton invalide'
 			]);
 		}
-		elseif ($_GET['csrf'] !== $_SESSION['csrf']) {
+		elseif ($this->getUrl(3) !== $_SESSION['csrf']) {
 			// Valeurs en sortie
 			$this->addOutput([
 				'redirect' => helper::baseUrl() . 'user',
@ -117,7 +116,7 @@ class user extends common {
 			]);
 		}		
 		// Bloque la suppression de son propre compte
-		elseif($this->getUser('id') === $url[0]) {
+		elseif($this->getUser('id') === $this->getUrl(2)) {
 			// Valeurs en sortie
 			$this->addOutput([
 				'redirect' => helper::baseUrl() . 'user',
@ -126,7 +125,7 @@ class user extends common {
 		}
 		// Suppression
 		else {
-			$this->deleteData(['user', $url[0]]);
+			$this->deleteData(['user', $this->getUrl(2)]);
 			// Valeurs en sortie
 			$this->addOutput([
 				'redirect' => helper::baseUrl() . 'user',
@ -160,6 +159,21 @@ class user extends common {
 				'access' => false
 			]);
 		}
+		// Jeton incorrect
+		if(!$this->getUrl(4)) {
+			// Valeurs en sortie
+			$this->addOutput([
+				'redirect' => helper::baseUrl() . 'user',
+				'notification' => 'Jeton invalide'
+			]);
+		}
+		elseif ($this->getUrl(4) !== $_SESSION['csrf']) {
+			// Valeurs en sortie
+			$this->addOutput([
+				'redirect' => helper::baseUrl() . 'user',
+				'notification' => 'Suppression non autorisée'
+			]);
+		}		
 		// Accès autorisé
 		else {
 			// Soumission du formulaire
@ -291,12 +305,12 @@ class user extends common {
 				$userFirstname . ' ' . $this->getData(['user', $userId, 'lastname']),
 				self::$groups[$this->getData(['user', $userId, 'group'])],
 				template::button('userEdit' . $userId, [
-					'href' => helper::baseUrl() . 'user/edit/' . $userId . '/back',
+					'href' => helper::baseUrl() . 'user/edit/' . $userId . '/back/'. $_SESSION['csrf'],
 					'value' => template::ico('pencil')
 				]),
 				template::button('userDelete' . $userId, [
 					'class' => 'userDelete buttonRed',
-					'href' => helper::baseUrl() . 'user/delete/' . $userId. '&csrf=' . $_SESSION['csrf'],
+					'href' => helper::baseUrl() . 'user/delete/' . $userId. '/' . $_SESSION['csrf'],
 					'value' => template::ico('cancel')
 				])
 			];