From a3c0243772142ba3a516ca9d74d83ee701673cd1 Mon Sep 17 00:00:00 2001
From: Matt Pass <matt@mattpass.com>
Date: Fri, 18 Apr 2014 17:57:54 +0100
Subject: [PATCH] Include headers lib & csrf hidden form field

To help protect against CSRF and clickjacking
Also include hidden form field containing this for postback
top.ICEcoder.csrf also set
---
 editor.php               |  7 +++++--
 files.php                |  5 ++++-
 index.php                | 10 ++++++++--
 lib/bug-files-check.php  |  1 +
 lib/download.php         |  4 +++-
 lib/get-branch.php       |  1 +
 lib/help.php             |  5 ++++-
 lib/login.php            |  2 ++
 lib/multiple-results.php |  5 ++++-
 lib/plugins-display.php  |  2 ++
 lib/properties.php       |  6 +++++-
 lib/settings-screen.php  |  6 +++++-
 lib/updater.php          |  5 ++++-
 13 files changed, 48 insertions(+), 11 deletions(-)

diff --git a/editor.php b/editor.php
index 086c3d4..cb56506 100644
--- a/editor.php
+++ b/editor.php
@@ -1,4 +1,7 @@
-<?php include("lib/settings.php");?>
+<?php
+include("lib/headers.php");
+include("lib/settings.php");
+?>
 <!DOCTYPE html>
 
 <html style="margin: 0" onMouseDown="top.ICEcoder.mouseDown=true" onMouseUp="top.ICEcoder.mouseDown=false; if (!top.ICEcoder.overCloseLink) {top.ICEcoder.tabDragEnd()}" onMouseMove="if(top.ICEcoder) {top.ICEcoder.getMouseXY(event,'editor');top.ICEcoder.canResizeFilesW()}" onDrop="if(top.ICEcoder) {top.ICEcoder.getMouseXY(event,'editor')}">
@@ -315,4 +318,4 @@ var debounce;
 
 </body>
 
-</html>
+</html>
\ No newline at end of file
diff --git a/files.php b/files.php
index 9bd854e..d71dbf8 100644
--- a/files.php
+++ b/files.php
@@ -1,4 +1,7 @@
-<?php include("lib/settings.php");?>
+<?php
+include("lib/headers.php");
+include("lib/settings.php");
+?>
 <!DOCTYPE html>
 
 <html onMouseDown="top.ICEcoder.mouseDown=true" onMouseUp="top.ICEcoder.mouseDown=false; if (!top.ICEcoder.overCloseLink) {top.ICEcoder.tabDragEnd()}" onMouseMove="if(top.ICEcoder) {top.ICEcoder.getMouseXY(event,'files');top.ICEcoder.canResizeFilesW()}" onDrop="if(top.ICEcoder) {top.ICEcoder.getMouseXY(event,'files')}" onContextMenu="top.ICEcoder.selectFileFolder(event); return top.ICEcoder.showMenu(event)" onClick="top.ICEcoder.selectFileFolder(event)" onDragStart="top.ICEcoder.selectFileFolder(event);" onDragOver="event.preventDefault();event.stopPropagation()">
diff --git a/index.php b/index.php
index f1b99f6..642c081 100644
--- a/index.php
+++ b/index.php
@@ -1,4 +1,6 @@
-<?php include("lib/settings.php");
+<?php
+include("lib/headers.php");
+include("lib/settings.php");
 
 // Check IP permissions
 if (!in_array($_SERVER["REMOTE_ADDR"], $_SESSION['allowedIPs']) && !in_array("*", $_SESSION['allowedIPs'])) {
@@ -71,7 +73,8 @@ window.onbeforeunload = function() {
 		"top.ICEcoder.autoComplete = '".$ICEcoder["autoComplete"]."';".
 		"top.ICEcoder.bugFilePaths = ['".implode("','",$ICEcoder["bugFilePaths"])."'];".
 		"top.ICEcoder.bugFileCheckTimer = ".$ICEcoder["bugFileCheckTimer"].";".
-		"top.ICEcoder.bugFileMaxLines = ".$ICEcoder["bugFileMaxLines"];
+		"top.ICEcoder.bugFileMaxLines = ".$ICEcoder["bugFileMaxLines"].";".
+		"top.ICEcoder.csrf = '".$_SESSION["csrf"]."'";
 ?>;ICEcoder.init()<?php echo $updateMsg.$onLoadExtras;?>;top.ICEcoder.content.style.visibility='visible';top.ICEcoder.filesFrame.contentWindow.frames['processControl'].location.href = 'processes/on-load.php';" onResize="ICEcoder.setLayout()" onKeyDown="return ICEcoder.interceptKeys('coder',event);" onKeyUp="parent.ICEcoder.resetKeys(event);" onBlur="parent.ICEcoder.resetKeys(event);">
 
 <div id="blackMask" class="blackMask" onClick="if (!ICEcoder.overPopup) {ICEcoder.showHide('hide',this)}" onContextMenu="return false">
@@ -109,6 +112,7 @@ Color picker"><img src="images/color-picker.png" style="cursor: pointer" alt="Co
 				<input type="hidden" name="folder" id="uploadDir" value="/">
 				<input type="file" name="filesInput[]" id="fileInput" onchange="top.ICEcoder.uploadFilesSubmit(this)" multiple>
 				<input type="submit" value="Upload File">
+				<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 			</form>
 		</div>
 		<a href="javascript:top.ICEcoder.pasteFiles(top.ICEcoder.selectedFiles[top.ICEcoder.selectedFiles.length-1])" onMouseOver="ICEcoder.showFileMenu()" id="fmMenuPasteOption" style="display: none">Paste</a>
@@ -248,6 +252,7 @@ Color picker"><img src="images/color-picker.png" style="cursor: pointer" alt="Co
 				<input type="submit" name="submit" value="&gt;&gt;" class="submit">
 				<div class="results" id="results"></div>
 			</div>
+			<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 		</form>
 		<form onSubmit="return ICEcoder.goToLine()">
 			<div class="codeAssist" title="Turn on/off JS Hint &amp; CSS color previews">
@@ -257,6 +262,7 @@ Color picker"><img src="images/color-picker.png" style="cursor: pointer" alt="Co
 			<div class="goLine">Go to Line <input type="text" name="goToLine" value="" id="goToLineNo" class="textbox goToLine">
 			<div class="view" title="View" onClick="top.ICEcoder.openPreviewWindow()" id="fMView"></div>
 			<div class="bug" title="Bug reporting not active" onClick="top.ICEcoder.openBugReport()" id="bugIcon"></div>
+			<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 		</form>
 	</div>
 	<iframe name="contentFrame" id="content" src="editor.php" class="code"></iframe>
diff --git a/lib/bug-files-check.php b/lib/bug-files-check.php
index 34abfb4..76f9a9b 100644
--- a/lib/bug-files-check.php
+++ b/lib/bug-files-check.php
@@ -1,5 +1,6 @@
 <?php
 // Load common functions
+include("headers.php");
 include("settings-common.php");
 
 $files		= explode(",",str_replace("|","/",$_GET['files']));
diff --git a/lib/download.php b/lib/download.php
index 6bc6833..0872d1c 100644
--- a/lib/download.php
+++ b/lib/download.php
@@ -1,5 +1,7 @@
-<?php include("settings.php");?>
 <?php
+include("headers.php");
+include("settings.php");
+
 $file = $docRoot.$iceRoot.str_replace("|","/",$_GET['file']);
 
 if (file_exists($file)) {
diff --git a/lib/get-branch.php b/lib/get-branch.php
index cb2a270..9f011c5 100644
--- a/lib/get-branch.php
+++ b/lib/get-branch.php
@@ -1,5 +1,6 @@
 <?php
 if (!isset($ICEcoder['root'])) {
+	include("headers.php");
 	include("settings.php");
 }
 
diff --git a/lib/help.php b/lib/help.php
index 1952848..64b7a63 100644
--- a/lib/help.php
+++ b/lib/help.php
@@ -1,4 +1,7 @@
-<?php include("settings.php");?>
+<?php
+include("headers.php");
+include("settings.php");
+?>
 <!DOCTYPE html>
 
 <html>
diff --git a/lib/login.php b/lib/login.php
index 17e2b4d..55a3c2e 100644
--- a/lib/login.php
+++ b/lib/login.php
@@ -1,4 +1,5 @@
 <?php
+include("headers.php");
 include("settings.php");
 ?>
 <!DOCTYPE html>
@@ -32,6 +33,7 @@ echo $ICEcoder["password"] == "" && !$ICEcoder["multiUser"] ? "Setup" : "Login";
 		}
 		if (!$ICEcoder["multiUser"]) { echo '<div class="text"><a href="javascript:alert(\'To put into multi-user mode, open lib/config___settings.php and change multiUser to true then reload this page\')">multi-user?</a></div>';};
 		?>
+		<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 		</form>
 		</div>
 	</div>
diff --git a/lib/multiple-results.php b/lib/multiple-results.php
index b5e8136..3fb8877 100644
--- a/lib/multiple-results.php
+++ b/lib/multiple-results.php
@@ -1,4 +1,7 @@
-<?php include("settings.php");?>
+<?php
+include("headers.php");
+include("settings.php");
+?>
 <?php
 if(isset($_GET['selectedFiles'])) {
 	$selectedFiles=explode(":",strClean($_GET['selectedFiles']));
diff --git a/lib/plugins-display.php b/lib/plugins-display.php
index 7dfad61..378c76f 100644
--- a/lib/plugins-display.php
+++ b/lib/plugins-display.php
@@ -1,4 +1,6 @@
 <?php
+include("headers.php");
+
 $onLoadExtras = "";
 $pluginsDisplay = "";
 
diff --git a/lib/properties.php b/lib/properties.php
index 511bd4f..965302e 100644
--- a/lib/properties.php
+++ b/lib/properties.php
@@ -1,4 +1,7 @@
-<?php include("settings.php");?>
+<?php
+include("headers.php");
+include("settings.php");
+?>
 <!DOCTYPE html>
 
 <html onContextMenu="return false">
@@ -85,6 +88,7 @@ $execVars  = array(1,3,5,7);
 Change to:<br>
 <form name="chmod" action="#" method="GET">
 <input type="text" name="chmod" id="permText" style="width: 30px; border: 0; background-color: #444; font-size: 10px; color: #fff" maxlength="3" value="<?php echo substr($chmodInfo,1,3); ?>" onKeyUp="changePerms(this.value);showButton()" onChange="changePerms(this.value);showButton()">
+<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 </form>
 </span>
 
diff --git a/lib/settings-screen.php b/lib/settings-screen.php
index 8e9ad4d..3f7f996 100644
--- a/lib/settings-screen.php
+++ b/lib/settings-screen.php
@@ -1,4 +1,7 @@
-<?php include("settings.php");?>
+<?php
+include("headers.php");
+include("settings.php");
+?>
 <!DOCTYPE html>
 
 <html>
@@ -268,6 +271,7 @@ var validatePasswords = function() {
 
 </div>
 
+<input type="hidden" name="csrf" value="<?php echo $_SESSION["csrf"]; ?>">
 </form>
 
 </body>
diff --git a/lib/updater.php b/lib/updater.php
index 7830e2b..3726009 100644
--- a/lib/updater.php
+++ b/lib/updater.php
@@ -1,4 +1,7 @@
-<?php include("settings.php");?>
+<?php
+include("headers.php");
+include("settings.php");
+?>
 <!DOCTYPE html>
 <head>
 <title>Updating ICEcoder...</title>