From d439685895d397581434b74a29713ebefa01e598 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Wed, 17 Feb 2021 14:05:12 +0300 Subject: [PATCH] pluginhandlers: post notice if pluginmethod is requested without CSRF token --- classes/pluginhandler.php | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php index 9682e440f..3fd823aa8 100644 --- a/classes/pluginhandler.php +++ b/classes/pluginhandler.php @@ -7,16 +7,22 @@ class PluginHandler extends Handler_Protected { function catchall($method) { $plugin_name = clean($_REQUEST["plugin"]); $plugin = PluginHost::getInstance()->get_plugin($plugin_name); + $csrf_token = ($_POST["csrf_token"] ?? ""); if ($plugin) { if (method_exists($plugin, $method)) { - $plugin->$method(); + if (validate_csrf($csrf_token)) { + $plugin->$method(); + } else { + user_error("Requested ${plugin_name}->${method}() with invalid CSRF token.", E_USER_DEPRECATED); + $plugin->$method(); + } } else { - user_error("PluginHandler: Requested unknown method '$method' of plugin '$plugin_name'.", E_USER_WARNING); + user_error("Rejected ${plugin_name}->${method}(): unknown method.", E_USER_WARNING); print error_json(13); } } else { - user_error("PluginHandler: Requested method '$method' of unknown plugin '$plugin_name'.", E_USER_WARNING); + user_error("Rejected ${plugin_name}->${method}(): unknown plugin.", E_USER_WARNING); print error_json(14); } }