From: garvinhicking Date: Mon, 26 Sep 2005 15:57:03 +0000 (+0000) Subject: Try to do some XSRF detection based on HTTP-Referrers. X-Git-Tag: 0.9~122 X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=fabec674b3ff02c7102dc3f8f2618e60add97180;p=s9y.git Try to do some XSRF detection based on HTTP-Referrers. NEEDS TESTING before it can be safely backported. --- diff --git a/docs/NEWS b/docs/NEWS index 7cceab5..d92d479 100644 --- a/docs/NEWS +++ b/docs/NEWS @@ -3,6 +3,8 @@ Version 0.9 () ------------------------------------------------------------------------ + * Try to detect XSRF based on HTTP-Referrer. (garvinhicking) + * Fix not showing thumbnail images in media database when thumbSuffix is empty. Thanks to Brian J. France! @@ -26,7 +28,7 @@ Version 0.9 () (garvinhicking) * Inserting links via the Serendipity Toolbar over the entry area - now also asks for a link tooltipe/title. + now also asks for a link tooltip/title. * Plugin API no longer queries the filename of a plugin if it is internal (increases performance because of less SQL queries) (garvinhicking) diff --git a/include/functions_config.inc.php b/include/functions_config.inc.php index 8de289d..1782168 100644 --- a/include/functions_config.inc.php +++ b/include/functions_config.inc.php @@ -1099,4 +1099,53 @@ function serendipity_ACL_SQL(&$cond, $append_category = false) { return false; } +function serendipity_checkXSRF() { + global $serendipity; + + // If no module was requested, the user has just logged in and no action will be performed. + if (empty($serendipity['GET']['adminModule'])) { + return false; + } + + // The referrer was empty. Deny access. + if (empty($_SERVER['HTTP_REFERER'])) { + echo serendipity_reportXSRF(1); + return false; + } + + // Parse the Referrer host. Abort if not parseable. + $hostinfo = @parse_url($_SERVER['HTTP_REFERER']); + if (!is_array($hostinfo)) { + echo serendipity_reportXSRF(2); + return true; + } + + // Get the server against we will perform the XSRF check. + $server = ''; + if (empty($_SERVER['HTTP_HOST'])) { + $myhost = @parse_url($serendipity['baseURL']); + if (is_array($myhost)) { + $server = $myhost['host']; + } + } else { + $server = $_SERVER['HTTP_HOST']; + } + + // If the current server is different than the referred server, deny access. + if ($hostinfo['host'] != $server) { + echo serendipity_reportXSRF(3); + return true; + } + + return false; +} + +function serendipity_reportXSRF($type = 0) { + global $serendipity; + + $string = '
' . ERROR_XSRF . '
'; + $serendipity['GET']['adminModule'] = ''; + return $string; +} + /* vim: set sts=4 ts=4 expandtab : */ diff --git a/lang/UTF-8/serendipity_lang_bg.inc.php b/lang/UTF-8/serendipity_lang_bg.inc.php index fb8351e..f68cbe4 100644 --- a/lang/UTF-8/serendipity_lang_bg.inc.php +++ b/lang/UTF-8/serendipity_lang_bg.inc.php @@ -1,4 +1,4 @@ - @@ -769,3 +769,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_cn.inc.php b/lang/UTF-8/serendipity_lang_cn.inc.php index e7f85b0..85fa12c 100644 --- a/lang/UTF-8/serendipity_lang_cn.inc.php +++ b/lang/UTF-8/serendipity_lang_cn.inc.php @@ -1,4 +1,4 @@ - @@ -785,3 +785,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_cz.inc.php b/lang/UTF-8/serendipity_lang_cz.inc.php index 5fcc082..1f700b1 100644 --- a/lang/UTF-8/serendipity_lang_cz.inc.php +++ b/lang/UTF-8/serendipity_lang_cz.inc.php @@ -1,4 +1,4 @@ - @@ -785,3 +785,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_da.inc.php b/lang/UTF-8/serendipity_lang_da.inc.php index e10966f..397fe51 100644 --- a/lang/UTF-8/serendipity_lang_da.inc.php +++ b/lang/UTF-8/serendipity_lang_da.inc.php @@ -1,4 +1,4 @@ - @@ -784,3 +784,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_de.inc.php b/lang/UTF-8/serendipity_lang_de.inc.php index 7867e13..798edac 100644 --- a/lang/UTF-8/serendipity_lang_de.inc.php +++ b/lang/UTF-8/serendipity_lang_de.inc.php @@ -1,4 +1,4 @@ -, @@ -796,3 +796,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_fa.inc.php b/lang/UTF-8/serendipity_lang_fa.inc.php index b0d2e64..7600b11 100644 --- a/lang/UTF-8/serendipity_lang_fa.inc.php +++ b/lang/UTF-8/serendipity_lang_fa.inc.php @@ -1,4 +1,4 @@ - @@ -784,3 +784,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_fi.inc.php b/lang/UTF-8/serendipity_lang_fi.inc.php index 5bb9b6f..1fc4bc5 100644 --- a/lang/UTF-8/serendipity_lang_fi.inc.php +++ b/lang/UTF-8/serendipity_lang_fi.inc.php @@ -1,4 +1,4 @@ - @@ -789,3 +789,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_hu.inc.php b/lang/UTF-8/serendipity_lang_hu.inc.php index 3a57fbc..0eb97a1 100644 --- a/lang/UTF-8/serendipity_lang_hu.inc.php +++ b/lang/UTF-8/serendipity_lang_hu.inc.php @@ -783,3 +783,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_is.inc.php b/lang/UTF-8/serendipity_lang_is.inc.php index fc92cfe..f20ca93 100644 --- a/lang/UTF-8/serendipity_lang_is.inc.php +++ b/lang/UTF-8/serendipity_lang_is.inc.php @@ -1,4 +1,4 @@ - @@ -784,3 +784,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_ja.inc.php b/lang/UTF-8/serendipity_lang_ja.inc.php index 9c72f6c..ab93cb0 100644 --- a/lang/UTF-8/serendipity_lang_ja.inc.php +++ b/lang/UTF-8/serendipity_lang_ja.inc.php @@ -1,4 +1,4 @@ -, 2004-2005. @@ -180,7 +180,7 @@ @define('YES', 'はい'); @define('NO', 'いいえ'); @define('USE_DEFAULT', 'デフォルト'); -@define('CHECK_N_SAVE', 'チェックと保存'); +@define('CHECK_N_SAVE', '確認と保存をする'); @define('DIRECTORY_WRITE_ERROR', 'ディレクトリ %s の書き込みができませんでした。パーミッションを調べてください'); @define('DIRECTORY_CREATE_ERROR', 'ディレクトリ %s が存在しないか作成することができませんでした。手動でディレクトリを作成してください。'); @define('DIRECTORY_RUN_CMD', ' -> 実行 %s %s'); @@ -196,7 +196,7 @@ @define('DATABASE_ERROR', 'serendipity エラー: データベースに接続できませんでした - 終了します。'); @define('CREATE_DATABASE', 'デフォルトデータベースセットアップの作成中...'); @define('ATTEMPT_WRITE_FILE', 'ファイル %s の書き込みを試みます...'); -@define('WRITTEN_N_SAVED', '設定の書き込みと保存'); +@define('WRITTEN_N_SAVED', '設定の書き込みと保存をしました。'); @define('IMAGE_ALIGNMENT', '画像位置あわせ'); @define('ENTER_NEW_NAME', '新規名称の入力: '); @define('RESIZING', 'リサイズ中'); @@ -770,20 +770,20 @@ Serendipity のアップグレードステージを無視しました。正し @define('CATEGORIES_HIDE_PARALLEL', 'カテゴリツリーの一部ではないカテゴリを隠す'); @define('CATEGORIES_HIDE_PARALLEL_DESC', 'If you want to hide categories that are part of a different category tree, you need to enable this. This feature makes most sense if used in conjunction with a multi-blog using the "Properties/Tempaltes of categories" plugin.'); @define('PERMISSION_ADMINIMAGESVIEWOTHERS', 'adminImagesViewOthers: 他ユーザーのメディアファイルの閲覧'); -@define('PERMISSION_ADMINIMAGESVIEWOTHERS', 'adminImagesViewOthers: View other user\'s media files'); @define('CHARSET_NATIVE', 'ネイティブ'); @define('INSTALL_CHARSET', '文字コード選択'); @define('INSTALL_CHARSET_DESC', 'Here you can toggle UTF-8 or native (ISO, EUC, ...) charactersets. Some languages only have UTF-8 translations so that setting the charset to "Native" will have no effects. UTF-8 is suggested for new installations. Do not change this setting if you have already made entries with special characters - this may lead to corrupt characters. Be sure to read more on http://www.s9y.org/index.php?node=46 about this issue.'); @define('CALENDAR_ENABLE_EXTERNAL_EVENTS', 'プラグインの API フックを有効にする'); @define('CALENDAR_EXTEVENT_DESC', 'If enabled, plugins can hook into the calendar to display their own events highlighted. Only enable if you have installed plugins that need this, otherwise it just decreases performance.'); @define('XMLRPC_NO_LONGER_BUNDLED', 'The XML-RPC API Interface to Serendipity is no longer bundled because of ongoing security issues with this API and not many people using it. Thus you need to install the XML-RPC Plugin to use the XML-RPC API. The URL to use in your applications will NOT change - as soon as you have installed the plugin, you will again be able to use the API.'); -@define('PERM_READ', 'Read permission'); -@define('PERM_WRITE', 'Write permission'); +@define('PERM_READ', '読み込み権限'); +@define('PERM_WRITE', '書き込み権限'); -@define('PERM_DENIED', 'Permission denied.'); -@define('INSTALL_ACL', 'Apply read-permissions for categories'); +@define('PERM_DENIED', 'アクセス拒否です。'); +@define('INSTALL_ACL', 'カテゴリの読み込み権限を適用する'); @define('INSTALL_ACL_DESC', 'If enabled, the usergroup permission settings you setup for categories will be applied when logged-in users view your blog. If disabled, the read-permissions of the categories are NOT applied, but the positive effect is a little speedup on your blog. So if you don\'t need multi-user read permissions for your blog, disable this setting.'); @define('PLUGIN_API_VALIDATE_ERROR', 'Configuration syntax wrong for option "%s". Needs content of type "%s".'); -@define('USERCONF_CHECK_PASSWORD', 'Old Password'); +@define('USERCONF_CHECK_PASSWORD', '古いパスワード'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_ko.inc.php b/lang/UTF-8/serendipity_lang_ko.inc.php index 4d0595c..2fb943a 100644 --- a/lang/UTF-8/serendipity_lang_ko.inc.php +++ b/lang/UTF-8/serendipity_lang_ko.inc.php @@ -1,4 +1,4 @@ - @@ -785,3 +785,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_nl.inc.php b/lang/UTF-8/serendipity_lang_nl.inc.php index d742f19..bb9c21b 100644 --- a/lang/UTF-8/serendipity_lang_nl.inc.php +++ b/lang/UTF-8/serendipity_lang_nl.inc.php @@ -1,4 +1,4 @@ - @@ -785,3 +785,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_no.inc.php b/lang/UTF-8/serendipity_lang_no.inc.php index 04d29cb..51b1401 100644 --- a/lang/UTF-8/serendipity_lang_no.inc.php +++ b/lang/UTF-8/serendipity_lang_no.inc.php @@ -1,4 +1,4 @@ - @@ -785,3 +785,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_pt.inc.php b/lang/UTF-8/serendipity_lang_pt.inc.php index db56c1a..a6e129f 100644 --- a/lang/UTF-8/serendipity_lang_pt.inc.php +++ b/lang/UTF-8/serendipity_lang_pt.inc.php @@ -1,4 +1,4 @@ - @@ -787,3 +787,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_pt_PT.inc.php b/lang/UTF-8/serendipity_lang_pt_PT.inc.php index 599047e..e954902 100644 --- a/lang/UTF-8/serendipity_lang_pt_PT.inc.php +++ b/lang/UTF-8/serendipity_lang_pt_PT.inc.php @@ -786,3 +786,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_ro.inc.php b/lang/UTF-8/serendipity_lang_ro.inc.php index 4763721..edfa39d 100644 --- a/lang/UTF-8/serendipity_lang_ro.inc.php +++ b/lang/UTF-8/serendipity_lang_ro.inc.php @@ -782,3 +782,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_ru.inc.php b/lang/UTF-8/serendipity_lang_ru.inc.php index e6cda5a..7c1ea7b 100644 --- a/lang/UTF-8/serendipity_lang_ru.inc.php +++ b/lang/UTF-8/serendipity_lang_ru.inc.php @@ -1,4 +1,4 @@ - @@ -785,3 +785,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_tw.inc.php b/lang/UTF-8/serendipity_lang_tw.inc.php index d947deb..7c42326 100644 --- a/lang/UTF-8/serendipity_lang_tw.inc.php +++ b/lang/UTF-8/serendipity_lang_tw.inc.php @@ -1,4 +1,4 @@ - @@ -784,3 +784,4 @@ @define('USERCONF_CHECK_PASSWORD', 'Old Password'); @define('USERCONF_CHECK_PASSWORD_DESC', 'If you change the password in the field above, you need to enter the current user password into this field.'); @define('USERCONF_CHECK_PASSWORD_ERROR', 'You did not specify the right old password, and are not authorized to change the new password. Your settings were not saved.'); +@define('ERROR_XSRF', 'Your browser did not sent a valid HTTP-Referrer string. This may have either been caused by a misconfigured browser/proxy or by a Cross Site Request Forgery (XSRF) aimed at you. The action you requested could not be completed.'); diff --git a/lang/UTF-8/serendipity_lang_zh.inc.php b/lang/UTF-8/serendipity_lang_zh.inc.php index 75b2e16..87cbebb 100644 --- a/lang/UTF-8/serendipity_lang_zh.inc.php +++ b/lang/UTF-8/serendipity_lang_zh.inc.php @@ -1,4 +1,4 @@ -