add ZM_ENABLE_CSRF_MAGIC toggle
parent
d38bae72ae
commit
4e16ae6d19
@ -345,6 +345,26 @@ our @options = (
|
|||
type => $types{boolean},
|
||||
category => "system",
|
||||
},
|
||||
{
|
||||
name => "ZM_ENABLE_CSRF_MAGIC",
|
||||
default => "no",
|
||||
description => "Enable csrf-magic library",
|
||||
help => qqq("
|
||||
CSRF stands for Cross-Site Request Forgery which, under specific
|
||||
circumstances, can allow an attacker to perform any task your
|
||||
ZoneMinder user account has permission to perform. To accomplish
|
||||
this, the attacker must write a very specific web page and get
|
||||
you to navigate to it, while you are logged into the ZoneMinder
|
||||
web console at the same time. Enabling ZM_ENABLE_CSRF_MAGIC will
|
||||
help mitigate these kinds of attackes. Be warned this feature
|
||||
is experimental and may cause problems, particularly with the API.
|
||||
If you find a false positive and can document how to reproduce it,
|
||||
then please report it. This feature defaults to OFF currently due to
|
||||
its experimental nature.
|
||||
"),
|
||||
type => $types{boolean},
|
||||
category => "system",
|
||||
},
|
||||
{
|
||||
name => "ZM_OPT_USE_API",
|
||||
default => "yes",
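Review bot: The help text for ZM_ENABLE_CSRF_MAGIC has a typo, `attackes` should be `attacks`, and it does not tell the administrator what the toggle changes in request handling, which is the thing they need to judge the "may cause problems, particularly with the API" warning. The check this option enables (in the index.php hunk of this commit) runs before actions are dispatched and is skipped when the action is login, so the help should say so, e.g. `Note that the login action is always exempt from the check.` If the symptom an admin will see when a request is rejected can be stated, naming it here would help them recognise a false positive worth reporting, as the text asks them to do; otherwise leave it as is rather than guess. The `@options` list this entry belongs to starts well outside the hunk.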
|
||||
@ -23,7 +23,7 @@
|
|||
* a boolean false if the CSRF check failed. This allows for tighter integration
|
||||
* with your system.
|
||||
*/
|
||||
$GLOBALS['csrf']['defer'] = false;
|
||||
$GLOBALS['csrf']['defer'] = true;
|
||||
|
||||
/**
|
||||
* This is the amount of seconds you wish to allow before any token becomes
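Review bot: Flipping `$GLOBALS['csrf']['defer']` to `true` means, going by the surrounding block comment, that the library no longer performs its check on its own and relies on an explicit `csrf_check()` call, so any request path that never reaches that call is left unchecked; that consequence is not recorded anywhere near the line. This also appears to be a local edit inside a vendored csrf-magic file (inferred from the library-style comment around it), which a later library upgrade would silently revert. Suggest a comment directly above the changed line, `// ZoneMinder: deferred so csrf_check() is invoked explicitly from index.php once the action is known (see ZM_ENABLE_CSRF_MAGIC).` The block comment this hunk starts inside begins above the hunk.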
|
||||
@ -170,6 +170,11 @@ if ( isset($_REQUEST['action']) )
|
|||
foreach ( getSkinIncludes( 'skin.php' ) as $includeFile )
|
||||
require_once $includeFile;
|
||||
|
||||
if ( ZM_ENABLE_CSRF_MAGIC && $action != 'login' ) {
|
||||
Debug("Calling csrf_check with the following values: \$request = \"$request\", \$view = \"$view\", \$action = \"$action\"");
|
||||
csrf_check();
|
||||
}
|
||||
|
||||
require_once( 'includes/actions.php' );
|
||||
|
||||
# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
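Review bot: The exemption `$action != 'login'` is a loose comparison on a request-controlled value; write it as `$action !== 'login'` so the intent is explicit and no type juggling applies. Because the exemption is decided solely by the `action` parameter, a request that names the login action is never checked at all, which is unavoidable for the login form itself but only safe if the login handler in actions.php does nothing else with the request, and that assumption deserves a comment on the condition, e.g. `// login is exempt: the client has no session and therefore no token yet; actions.php must treat it as login-only.` Whether `$action` is always defined at this point cannot be confirmed from the hunk since the `if ( isset($_REQUEST['action']) )` context named in the hunk header lies outside it; with an undefined `$action` the condition still calls `csrf_check()`, which is the safe direction. The `Debug(...)` line writes request-controlled values into the log, acceptable at debug level but worth keeping out of production logging.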
|
||||