add ZM_ENABLE_CSRF_MAGIC toggle

pull/1822/head
Andy Bauer 2017-03-28 17:29:36 -05:00
parent d38bae72ae
commit 4e16ae6d19
3 changed files with 26 additions and 1 deletions

View File

@ -345,6 +345,26 @@ our @options = (
type => $types{boolean},
category => "system",
},
{
name => "ZM_ENABLE_CSRF_MAGIC",
default => "no",
description => "Enable csrf-magic library",
help => qqq("
CSRF stands for Cross-Site Request Forgery which, under specific
circumstances, can allow an attacker to perform any task your
ZoneMinder user account has permission to perform. To accomplish
this, the attacker must write a very specific web page and get
you to navigate to it, while you are logged into the ZoneMinder
web console at the same time. Enabling ZM_ENABLE_CSRF_MAGIC will
help mitigate these kinds of attackes. Be warned this feature
is experimental and may cause problems, particularly with the API.
If you find a false positive and can document how to reproduce it,
then please report it. This feature defaults to OFF currently due to
its experimental nature.
"),
type => $types{boolean},
category => "system",
},
{
name => "ZM_OPT_USE_API",
default => "yes",

View File

@ -23,7 +23,7 @@
* a boolean false if the CSRF check failed. This allows for tighter integration
* with your system.
*/
$GLOBALS['csrf']['defer'] = false;
$GLOBALS['csrf']['defer'] = true;
/**
* This is the amount of seconds you wish to allow before any token becomes

View File

@ -170,6 +170,11 @@ if ( isset($_REQUEST['action']) )
foreach ( getSkinIncludes( 'skin.php' ) as $includeFile )
require_once $includeFile;
if ( ZM_ENABLE_CSRF_MAGIC && $action != 'login' ) {
Debug("Calling csrf_check with the following values: \$request = \"$request\", \$view = \"$view\", \$action = \"$action\"");
csrf_check();
}
require_once( 'includes/actions.php' );
# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.