Include headers lib & csrf hidden form field

To help protect against CSRF and clickjacking
Also include hidden form field containing this for postback
top.ICEcoder.csrf also set

editor.php

@@ -1,4 +1,7 @@
-<?php include("lib/settings.php");?>
+<?php
+include("lib/headers.php");
+include("lib/settings.php");
+?>
 <!DOCTYPE html>
 
 <html style="margin: 0" onMouseDown="top.ICEcoder.mouseDown=true" onMouseUp="top.ICEcoder.mouseDown=false; if (!top.ICEcoder.overCloseLink) {top.ICEcoder.tabDragEnd()}" onMouseMove="if(top.ICEcoder) {top.ICEcoder.getMouseXY(event,'editor');top.ICEcoder.canResizeFilesW()}" onDrop="if(top.ICEcoder) {top.ICEcoder.getMouseXY(event,'editor')}">
@@ -315,4 +318,4 @@ var debounce;
 
 </body>
 
-</html>
+</html>

files.php

@@ -1,4 +1,7 @@
-<?php include("lib/settings.php");?>
+<?php
+include("lib/headers.php");
+include("lib/settings.php");
+?>
 <!DOCTYPE html>
 
 <html onMouseDown="top.ICEcoder.mouseDown=true" onMouseUp="top.ICEcoder.mouseDown=false; if (!top.ICEcoder.overCloseLink) {top.ICEcoder.tabDragEnd()}" onMouseMove="if(top.ICEcoder) {top.ICEcoder.getMouseXY(event,'files');top.ICEcoder.canResizeFilesW()}" onDrop="if(top.ICEcoder) {top.ICEcoder.getMouseXY(event,'files')}" onContextMenu="top.ICEcoder.selectFileFolder(event); return top.ICEcoder.showMenu(event)" onClick="top.ICEcoder.selectFileFolder(event)" onDragStart="top.ICEcoder.selectFileFolder(event);" onDragOver="event.preventDefault();event.stopPropagation()">

index.php

@@ -1,4 +1,6 @@
-<?php include("lib/settings.php");
+<?php
+include("lib/headers.php");
+include("lib/settings.php");
 
 // Check IP permissions
 if (!in_array($_SERVER["REMOTE_ADDR"], $_SESSION['allowedIPs']) && !in_array("*", $_SESSION['allowedIPs'])) {
@@ -71,7 +73,8 @@ window.onbeforeunload = function() {
 		"top.ICEcoder.autoComplete = '".$ICEcoder["autoComplete"]."';".
 		"top.ICEcoder.bugFilePaths = ['".implode("','",$ICEcoder["bugFilePaths"])."'];".
 		"top.ICEcoder.bugFileCheckTimer = ".$ICEcoder["bugFileCheckTimer"].";".
-		"top.ICEcoder.bugFileMaxLines = ".$ICEcoder["bugFileMaxLines"];
+		"top.ICEcoder.bugFileMaxLines = ".$ICEcoder["bugFileMaxLines"].";".
+		"top.ICEcoder.csrf = '".$_SESSION["csrf"]."'";
 ?>;ICEcoder.init()<?php echo $updateMsg.$onLoadExtras;?>;top.ICEcoder.content.style.visibility='visible';top.ICEcoder.filesFrame.contentWindow.frames['processControl'].location.href = 'processes/on-load.php';" onResize="ICEcoder.setLayout()" onKeyDown="return ICEcoder.interceptKeys('coder',event);" onKeyUp="parent.ICEcoder.resetKeys(event);" onBlur="parent.ICEcoder.resetKeys(event);">
 
 <div id="blackMask" class="blackMask" onClick="if (!ICEcoder.overPopup) {ICEcoder.showHide('hide',this)}" onContextMenu="return false">
@@ -109,6 +112,7 @@ Color picker"><img src="images/color-picker.png" style="cursor: pointer" alt="Co
 				<input type="hidden" name="folder" id="uploadDir" value="/">
 				<input type="file" name="filesInput[]" id="fileInput" onchange="top.ICEcoder.uploadFilesSubmit(this)" multiple>
 				<input type="submit" value="Upload File">
+				<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 			</form>
 		</div>
 		<a href="javascript:top.ICEcoder.pasteFiles(top.ICEcoder.selectedFiles[top.ICEcoder.selectedFiles.length-1])" onMouseOver="ICEcoder.showFileMenu()" id="fmMenuPasteOption" style="display: none">Paste</a>
@@ -248,6 +252,7 @@ Color picker"><img src="images/color-picker.png" style="cursor: pointer" alt="Co
 				<input type="submit" name="submit" value="&gt;&gt;" class="submit">
 				<div class="results" id="results"></div>
 			</div>
+			<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 		</form>
 		<form onSubmit="return ICEcoder.goToLine()">
 			<div class="codeAssist" title="Turn on/off JS Hint &amp; CSS color previews">
@@ -257,6 +262,7 @@ Color picker"><img src="images/color-picker.png" style="cursor: pointer" alt="Co
 			<div class="goLine">Go to Line <input type="text" name="goToLine" value="" id="goToLineNo" class="textbox goToLine">
 			<div class="view" title="View" onClick="top.ICEcoder.openPreviewWindow()" id="fMView"></div>
 			<div class="bug" title="Bug reporting not active" onClick="top.ICEcoder.openBugReport()" id="bugIcon"></div>
+			<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 		</form>
 	</div>
 	<iframe name="contentFrame" id="content" src="editor.php" class="code"></iframe>

lib/bug-files-check.php

@@ -1,5 +1,6 @@
 <?php
 // Load common functions
+include("headers.php");
 include("settings-common.php");
 
 $files		= explode(",",str_replace("|","/",$_GET['files']));

lib/download.php

@@ -1,5 +1,7 @@
-<?php include("settings.php");?>
 <?php
+include("headers.php");
+include("settings.php");
+
 $file = $docRoot.$iceRoot.str_replace("|","/",$_GET['file']);
 
 if (file_exists($file)) {

lib/get-branch.php

@@ -1,5 +1,6 @@
 <?php
 if (!isset($ICEcoder['root'])) {
+	include("headers.php");
 	include("settings.php");
 }
 

lib/help.php

@@ -1,4 +1,7 @@
-<?php include("settings.php");?>
+<?php
+include("headers.php");
+include("settings.php");
+?>
 <!DOCTYPE html>
 
 <html>

lib/login.php

@@ -1,4 +1,5 @@
 <?php
+include("headers.php");
 include("settings.php");
 ?>
 <!DOCTYPE html>
@@ -32,6 +33,7 @@ echo $ICEcoder["password"] == "" && !$ICEcoder["multiUser"] ? "Setup" : "Login";
 		}
 		if (!$ICEcoder["multiUser"]) { echo '<div class="text"><a href="javascript:alert(\'To put into multi-user mode, open lib/config___settings.php and change multiUser to true then reload this page\')">multi-user?</a></div>';};
 		?>
+		<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 		</form>
 		</div>
 	</div>

lib/multiple-results.php

@@ -1,4 +1,7 @@
-<?php include("settings.php");?>
+<?php
+include("headers.php");
+include("settings.php");
+?>
 <?php
 if(isset($_GET['selectedFiles'])) {
 	$selectedFiles=explode(":",strClean($_GET['selectedFiles']));

lib/plugins-display.php

@@ -1,4 +1,6 @@
 <?php
+include("headers.php");
+
 $onLoadExtras = "";
 $pluginsDisplay = "";
 

lib/properties.php

@@ -1,4 +1,7 @@
-<?php include("settings.php");?>
+<?php
+include("headers.php");
+include("settings.php");
+?>
 <!DOCTYPE html>
 
 <html onContextMenu="return false">
@@ -85,6 +88,7 @@ $execVars  = array(1,3,5,7);
 Change to:<br>
 <form name="chmod" action="#" method="GET">
 <input type="text" name="chmod" id="permText" style="width: 30px; border: 0; background-color: #444; font-size: 10px; color: #fff" maxlength="3" value="<?php echo substr($chmodInfo,1,3); ?>" onKeyUp="changePerms(this.value);showButton()" onChange="changePerms(this.value);showButton()">
+<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 </form>
 </span>
 

lib/settings-screen.php

@@ -1,4 +1,7 @@
-<?php include("settings.php");?>
+<?php
+include("headers.php");
+include("settings.php");
+?>
 <!DOCTYPE html>
 
 <html>
@@ -268,6 +271,7 @@ var validatePasswords = function() {
 
 </div>
 
+<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 </form>
 
 </body>

lib/updater.php

@@ -1,4 +1,7 @@
-<?php include("settings.php");?>
+<?php
+include("headers.php");
+include("settings.php");
+?>
 <!DOCTYPE html>
 <head>
 <title>Updating ICEcoder...</title>