"doctrine/annotations": "^1.8",
"laminas/laminas-servicemanager": "3.7",
"symfony/polyfill-php80": "^1.23",
- "ezyang/htmlpurifier": "^4.13"
+ "ezyang/htmlpurifier": "^4.13",
+ "slim/csrf": "0.8.3"
},
"require-dev": {
"atoum/atoum": "dev-master",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "47d56d47701d9038105bd93cf3b44a02",
+ "content-hash": "be12f467246cd29921b64f8f84dc17a8",
"packages": [
{
"name": "akrabat/rka-slim-session-middleware",
},
"time": "2021-04-09T13:42:10+00:00"
},
+ {
+ "name": "paragonie/random_compat",
+ "version": "v9.99.100",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/paragonie/random_compat.git",
+ "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a",
+ "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a",
+ "shasum": ""
+ },
+ "require": {
+ "php": ">= 7"
+ },
+ "require-dev": {
+ "phpunit/phpunit": "4.*|5.*",
+ "vimeo/psalm": "^1"
+ },
+ "suggest": {
+ "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
+ },
+ "type": "library",
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
+ "authors": [
+ {
+ "name": "Paragon Initiative Enterprises",
+ "email": "security@paragonie.com",
+ "homepage": "https://paragonie.com"
+ }
+ ],
+ "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
+ "keywords": [
+ "csprng",
+ "polyfill",
+ "pseudorandom",
+ "random"
+ ],
+ "support": {
+ "email": "info@paragonie.com",
+ "issues": "https://github.com/paragonie/random_compat/issues",
+ "source": "https://github.com/paragonie/random_compat"
+ },
+ "time": "2020-10-15T08:29:30+00:00"
+ },
{
"name": "php-di/invoker",
"version": "2.3.2",
},
"time": "2017-10-23T01:57:42+00:00"
},
+ {
+ "name": "slim/csrf",
+ "version": "0.8.3",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/slimphp/Slim-Csrf.git",
+ "reference": "5f2bcf5d89adf86dc0455a32bea84d912ab466a7"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/slimphp/Slim-Csrf/zipball/5f2bcf5d89adf86dc0455a32bea84d912ab466a7",
+ "reference": "5f2bcf5d89adf86dc0455a32bea84d912ab466a7",
+ "shasum": ""
+ },
+ "require": {
+ "paragonie/random_compat": "^1.1|^2.0|^9.99",
+ "php": ">=5.5.0",
+ "psr/http-message": "^1.0"
+ },
+ "require-dev": {
+ "phpunit/phpunit": "^4.0",
+ "slim/slim": "~3.0"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-4": {
+ "Slim\\Csrf\\": "src"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
+ "authors": [
+ {
+ "name": "Josh Lockhart",
+ "email": "hello@joshlockhart.com",
+ "homepage": "http://joshlockhart.com"
+ }
+ ],
+ "description": "Slim Framework 3 CSRF protection middleware",
+ "homepage": "http://slimframework.com",
+ "keywords": [
+ "csrf",
+ "framework",
+ "middleware",
+ "slim"
+ ],
+ "support": {
+ "issues": "https://github.com/slimphp/Slim-Csrf/issues",
+ "source": "https://github.com/slimphp/Slim-Csrf/tree/master"
+ },
+ "time": "2018-08-22T16:12:18+00:00"
+ },
{
"name": "slim/flash",
"version": "0.4.0",
)
);
+$container->set(
+ 'csrf',
+ function (ContainerInterface $c) {
+ $storage = null;
+ $guard = new \Slim\Csrf\Guard(
+ 'csrf',
+ $storage,
+ null,
+ 200,
+ 16,
+ true
+ );
+
+ $guard->setFailureCallable(function ($request, $response, $next) {
+ Analog::log(
+ 'CSRF check has failed',
+ Analog::CRITICAL
+ );
+ throw new \RuntimeException(_T('Failed CSRF check!'));
+ });
+
+ return $guard;
+ }
+);
+
//For bad existing globals can be used...
global $translator, $i18n;
if (
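Review bot: The `new \Slim\Csrf\Guard('csrf', $storage, null, 200, 16, true)` call is entirely positional, and nothing tells a reader what `200`, `16` and `true` configure; the `null` third argument is then superseded by `setFailureCallable()` anyway. I would annotate them in place: `200, // storage limit: max tokens kept per session`, `16, // token strength (presumably bytes of randomness per token)`, `true // persistent token mode: one token reused for the whole session`, and note next to the last one that the persistent mode is what makes the AJAX prefilter and multi-tab use work at the cost of per-request token rotation. Passing `$storage = null` presumably makes the guard fall back to `$_SESSION`, so the session has to be started before this middleware runs — worth a comment pointing at where that happens. The failure callable turns every CSRF failure into a `\RuntimeException`, which (unless an error handler maps it) surfaces as a 500 for what is a client-side fault; if that is deliberate, say so in a comment, otherwise returning a 4xx response from the callable is the more usual choice.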
// Set up dependencies
require GALETTE_ROOT . '/includes/dependencies.php';
+$app->add(new \Galette\Middleware\SmartyCsrf($app->getContainer()));
+$app->add($app->getContainer()->get('csrf'));
if ($needs_update) {
$app->add(
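Review bot: The order of the two added `$app->add()` lines is load-bearing and undocumented: Slim 3 runs middleware in reverse order of registration, so adding the guard after `SmartyCsrf` is what makes the guard run first and populate the request attributes that `SmartyCsrf` reads. Swapping the two lines would not error; it would silently render every form without a token, and every POST would then fail the check. I would put a comment ahead of the first line: `// Order matters: middleware is LIFO, so the CSRF guard added last runs first and the token attributes exist when SmartyCsrf assigns them to templates`. The `$app->add(` statement at the last line continues outside the hunk.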
--- /dev/null
+<?php
+
+/* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
+
+/**
+ * Galette CSRF middleware
+ *
+ * PHP version 5
+ *
+ * Copyright © 2021 The Galette Team
+ *
+ * This file is part of Galette (http://galette.tuxfamily.org).
+ *
+ * Galette is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Galette is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Galette. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @category Core
+ * @package Galette
+ *
+ * @author Johan Cwiklinski <johan@x-tnd.be>
+ * @copyright 2021 The Galette Team
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL License 3.0 or (at your option) any later version
+ * @link http://galette.tuxfamily.org
+ * @since Available since 0.9.6dev - 2021-11-08
+ */
+
+namespace Galette\Middleware;
+
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Message\ResponseInterface as Response;
+use Analog\Analog;
+use DI\Container;
+
+/**
+ * Galette CSRF middleware
+ *
+ * @category Middleware
+ * @name SmartyCsrf
+ * @package Galette
+ * @author Johan Cwiklinski <johan@x-tnd.be>
+ * @copyright 2020 The Galette Team
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL License 3.0 or (at your option) any later version
+ * @link http://galette.tuxfamily.org
+ * @since Available since 0.9.4dev - 2020-05-06
+ */
+class SmartyCsrf
+{
+ private $smarty;
+ private $csrf;
+
+ /**
+ * Constructor
+ *
+ * @param Container $container Container instance
+ */
+ public function __construct(Container $container)
+ {
+ $view = $container->get('Slim\Views\Smarty');
+ $this->smarty = $view->getSmarty();
+ $this->csrf = $container->get('csrf');
+ }
+
+ /**
+ * Middleware invokable class
+ *
+ * @param \Psr\Http\Message\ServerRequestInterface $request PSR7 request
+ * @param \Psr\Http\Message\ResponseInterface $response PSR7 response
+ * @param callable $next Next middleware
+ *
+ * @return \Psr\Http\Message\ResponseInterface
+ */
+ public function __invoke(Request $request, Response $response, $next): Response
+ {
+ $nameKey = $this->csrf->getTokenNameKey();
+ $valueKey = $this->csrf->getTokenValueKey();
+ $name = $request->getAttribute($nameKey);
+ $value = $request->getAttribute($valueKey);
+
+ $this->smarty->assign('csrf_name_key', $nameKey);
+ $this->smarty->assign('csrf_value_key', $valueKey);
+ $this->smarty->assign('csrf_name', $name);
+ $this->smarty->assign('csrf_value', $value);
+
+ return $next($request, $response);
+ }
+}
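Review bot: `__invoke` silently assigns `null` for `csrf_name`/`csrf_value` when the request carries no token attributes, which is exactly what happens if the `Slim\Csrf\Guard` middleware is not registered ahead of this one, and the only symptom is that every form later fails the CSRF check. `Analog` is imported on the `use Analog\Analog;` line but never used; a warning at that point would use it and make the misconfiguration visible: `if ($name === null || $value === null) { Analog::log('CSRF token attributes missing; is the csrf guard registered before SmartyCsrf?', Analog::WARNING); }`. The class docblock also disagrees with the file header: it says `@copyright 2020` and `@since Available since 0.9.4dev - 2020-05-06` while the header says 2021 and `0.9.6dev - 2021-11-08`, so one of them is stale. The docblock on `__invoke` should state the ordering contract explicitly, e.g. "Must run after Slim\Csrf\Guard, which sets the token name/value request attributes this middleware exposes to Smarty".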
</p>
</fieldset>
<div class="button-container">
- <button ype="submit" class="action">
+ <button type="submit" class="action">
<i class="fas fa-database" aria-hidden="true"></i>
{_T string="Go"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{/block}
<input type="hidden" name="advanced_filtering" value="true" />
<input type="submit" class="inline" value="{_T string="Filter"}"/>
<input type="submit" name="clear_adv_filter" class="inline" value="{_T string="Clear filter"}"/>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{/block}
<input type="hidden" name="trans_id" value="{if $contribution->transaction neq NULL}{$contribution->transaction->id}{/if}"/>
</div>
{/if}
+ {include file="forms_types/csrf.tpl"}
</form>
{else} {* No members *}
<div class="center" id="warningbox">
</button>
<input type="hidden" name="trans_id" value="{$transaction->id}"/>
<input type="hidden" name="valid" value="1"/>
+ {include file="forms_types/csrf.tpl"}
</div>
<p>{_T string="NB : The mandatory fields are in"} <span class="required">{_T string="red"}</span></p>
</form>
{foreach $selection as $member}
<input type="hidden" name="selection[]" value="{$member}"/>
{/foreach}
+ {include file="forms_types/csrf.tpl"}
</p>
</fieldset>
{if not $ajax}
</table>
<input type="submit" name="change_passwd" value="{_T string="Change my password"}"/>
<input type="hidden" name="hash" value="{$hash}"/>
+ {include file="forms_types/csrf.tpl"}
</form>
{/block}
<script type="text/javascript">
+ function csrfSafeMethod(method) {
+ // these HTTP methods do not require CSRF protection
+ return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
+ }
+
$(function(){
+ $.ajaxPrefilter(function(options, originalOptions, jqXHR){
+ if (options.type.toLowerCase() === "post") {
+ // initialize `data` to empty string if it does not exist
+ options.data = options.data || "";
+
+ // add leading ampersand if `data` is non-empty
+ options.data += options.data?"&":"";
+
+ // add csrf
+ options.data += encodeURIComponent("{$csrf_name_key}") + "=" + encodeURIComponent("{$csrf_name}") + "&" + encodeURIComponent("{$csrf_value_key}") + "=" + encodeURIComponent("{$csrf_value}")
+ }
+ });
+
$.datepicker.setDefaults($.datepicker.regional['{$galette_lang}']);
{if $galette_lang eq 'en'}
$.datepicker.setDefaults({
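Review bot: `csrfSafeMethod` is defined but never used; the prefilter tests `options.type.toLowerCase() === "post"` instead, so PUT, PATCH and DELETE requests get no token even though the server-side guard presumably rejects all of them. Using the helper fixes that and also drops the case sensitivity concern: `if (!csrfSafeMethod(String(options.type).toUpperCase()) && !options.crossDomain) {`. The `!options.crossDomain` part matters on its own: as written the token is appended to every POST regardless of destination, so any AJAX call to another origin would ship the session's CSRF token off-site. The `options.data += ...` concatenation also assumes a string body; a `FormData` body sent with `processData: false` would be coerced to `"[object FormData]&csrf_..."` and the upload broken, so either skip non-string bodies or append the fields to the `FormData` instead. The four `{$csrf_*}` values are interpolated into JavaScript string literals, which is a JS context rather than an HTML one; the guard's tokens are presumably plain hex so this is harmless today, but a comment noting that assumption would help the next person who changes the token format.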
<button type="submit" class="action">
<i class="fas fa-save fa-fw"></i> {_T string="Save"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{/block}
<i class="fas fa-save fa-fw"></i> {_T string="Save"}
</button>
</div>
+ {include file="forms_types/csrf.tpl"}
</form>
{/block}
<input type="hidden" name="{$key}" value="{$value}"/>
{/if}
{/foreach}
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
</div>
<input type="submit" name="directlink" value="{_T string="Get my document"}" />
<input type="hidden" name="valid" value="1"/>
<input type="hidden" name="hash" value="{$hash}"/>
+ {include file="forms_types/csrf.tpl"}
</section>
</form>
{/block}
</button>
<input type="submit" name="cancel" value="{_T string="Cancel"}"/>
<input type="hidden" name="id" id="id" value="{$ptype->id}"/>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{/block}
</button>
<input type="submit" name="cancel" value="{_T string="Cancel"}"/>
<input type="hidden" name="id" id="id" value="{$title->id}"/>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{/block}
<button type="submit" class="action">
<i class="fas fa-save fa-fw"></i> {_T string="Save"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
<i class="fas fa-save"></i>
{_T string="Save"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
</div>
</form>
</fieldset>
<div class="button-container">
<input type="submit" name="valid" value="{_T string="Continue"}"/>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{/block}
--- /dev/null
+<input type="hidden" name="{$csrf_name_key}" value="{$csrf_name}"/>
+<input type="hidden" name="{$csrf_value_key}" value="{$csrf_value}"/>
\ No newline at end of file
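Review bot: The two hidden inputs depend on four Smarty variables that only exist when `Galette\Middleware\SmartyCsrf` has run for the request; when they are unset the inputs render with empty `name` attributes and the POST is then rejected by the guard with nothing in the page to explain why. A leading template comment would make that contract visible where the include is maintained: `{* Requires csrf_name_key/csrf_name/csrf_value_key/csrf_value, assigned by Galette\Middleware\SmartyCsrf *}`. The file is also missing its trailing newline.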
</p>
<pre id="sql_qry" class="hidden">{$filters->query}</pre>
{/if}
+ {include file="forms_types/csrf.tpl"}
</div>
<div class="infoline">
{_T string="%count member" plural="%count members" count=$nb_members pattern="/%count/" replace=$nb_members}
{/if}
</ul>
{/if}
-
+ {include file="forms_types/csrf.tpl"}
</form>
{if $nb_members != 0}
<div id="legende" title="{_T string="Legend"}">
}
if (this.id == 'masscontributions') {
+ event.preventDefault();
$.ajax({
url: '{path_for name="batch-memberslist"}',
type: "POST",
</select>
<noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
</div>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
<form action="{path_for name="batch-contributionslist" data=["type" => "contributions"]}" method="post" id="listform">
<button type="submit" id="csv" name="csv">
<i class="fas fa-file-csv fa-fw"></i> {_T string="Export as CSV"}
</button>
+ {include file="forms_types/csrf.tpl"}
</li>
</ul>
{/if}
<form action="{path_for name="doAddEntitled" data=["class" => $url_class]}" method="post" class="tabbed">
<div id="intitules_tabs">
{include file="gestion_intitule_content.tpl"}
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{/block}
{html_options options=$nbshow_options selected=$numrows}
</select>
<noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+ {include file="forms_types/csrf.tpl"}
</td>
</tr>
</table>
{/foreach}
</tbody>
</table>
+ {include file="forms_types/csrf.tpl"}
</form>
{/block}
<button type="submit" class="action">
<i class="fas fa-save fa-fw"></i> {_T string="Save"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{include file="replacements_legend.tpl" legends=$model->getLegend() cur_ref=$model->id}
\ No newline at end of file
{/foreach}
</select>
<noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+ {include file="forms_types/csrf.tpl"}
</form>
</div>
<button type="submit" class="action">
<i class="fas fa-save fa-fw"></i> {_T string="Save"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{include file="replacements_legend.tpl" legends=$texts->getLegend() cur_ref=$cur_ref}
{/foreach}
</tbody>
</table>
+ {include file="forms_types/csrf.tpl"}
</form>
{/block}
{html_options options=$nbshow_options selected=$numrows}
</select>
<noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+ {include file="forms_types/csrf.tpl"}
</td>
</tr>
</table>
{_T string="Group PDF"}
</a>
<input type="hidden" name="id_group" id="id_group" value="{$group->getId()}"/>
+ {include file="forms_types/csrf.tpl"}
</div>
<p>{_T string="NB : The mandatory fields are in"} <span class="required">{_T string="red"}</span></p>
</form>
{html_options options=$nbshow_options selected=$numrows}
</select>
<noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+ {include file="forms_types/csrf.tpl"}
</div>
</div>
</form>
<i class="fas fa-file-import"></i>
{_T string="Import"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
{else}
<p>{_T string="No import file actually exists."}<br/>{_T string="Use upload form below to send a new file on server, or copy it directly in the imports directory."}</p>
<i class="fas fa-upload" aria-hidd="true"></i>
{_T string="Upload file"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
</div>
</fieldset>
<i class="fas fa-save" aria-hidden="true"></i>
{_T string="Store new model"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
</div>
</table>
<input type="submit" value="{_T string="Login"}" />
<input type="hidden" name="ident" value="1" />
+ {include file="forms_types/csrf.tpl"}
</section>
</form>
{/block}
{html_options options=$nbshow_options selected=$numrows}
</select>
<noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+ {include file="forms_types/csrf.tpl"}
</td>
</tr>
</table>
</p>
<input type="submit" name="lostpasswd" value="{_T string="Recover password"}" />
<input type="hidden" name="valid" value="1"/>
+ {include file="forms_types/csrf.tpl"}
</section>
</form>
{/block}
</p>
</div>
{/if}
-
+ {include file="forms_types/csrf.tpl"}
</section>
</div>
</form>
<input type="hidden" name="{$key}" value="{$value}"/>
{/if}
{/foreach}
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
</div>
<input type="hidden" name="{$key}" value="{$value}"/>
{/if}
{/foreach}
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
</div>
<input type="hidden" name="{$key}" value="{$value}"/>
{/if}
{/foreach}
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
</div>
{/if}
{/if}
{/foreach}
-
+ {include file="forms_types/csrf.tpl"}
<a href="#" id="back2top">{_T string="Back to top"}</a>
</div>
</form>
<a href="{path_for name="plugins"}" class="button" id="btnback"><i class="fas fa-backward"></i> {_T string="Back to plugins managment page"}</a>
{/if}
{/if}
+ {include file="forms_types/csrf.tpl"}
</p>
</form>
</div>
</button>
</div>
<p>{_T string="NB : The mandatory fields are in"} <span class="required">{_T string="red"}</span></p>
+ {include file="forms_types/csrf.tpl"}
</form>
{include file="telemetry.tpl" part="dialog"}
<i class="fas fa-rocket" aria-hidden="true"></i>
{_T string="Send"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{foreach from=$previews key=key item=preview}
{/foreach}
</tbody>
</table>
+ {include file="forms_types/csrf.tpl"}
</form>
{/block}
{html_options values=$orig output=$orig selected=$text_orig}
</select>
<noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+ {include file="forms_types/csrf.tpl"}
</p>
</form>
{/if}
<button type="submit" name="trans" class="action">
<i class="fas fa-save fa-fw"></i> {_T string="Save"}
</button>
+ {include file="forms_types/csrf.tpl"}
</div>
</form>
{else}
{html_options options=$nbshow_options selected=$numrows}
</select>
<noscript> <span><input type="submit" value="{_T string="Change"}" /></span></noscript>
+ {include file="forms_types/csrf.tpl"}
</td>
</tr>
</table>