
Added formKey - clear cache - work on (#1086)

causefx 7 năm trước cách đây
mục cha
commit
6af90fd9d5
5 tập tin đã thay đổi với 28 bổ sung10 xóa
  1. 9 2
      api/functions/organizr-functions.php
  2. 14 6
      api/functions/static-globals.php
  3. 2 1
      api/index.php
  4. 2 1
      index.php
  5. 1 0
      js/functions.js

+ 9 - 2
api/functions/organizr-functions.php

@@ -370,7 +370,7 @@ function qualifyRequest($accessLevelNeeded)
 	}
 }
 
-function isApprovedRequest()
+function isApprovedRequest($method)
 {
 	$requesterToken = isset(getallheaders()['Token']) ? getallheaders()['Token'] : (isset($_GET['apikey']) ? $_GET['apikey'] : false);
 	// Check token or API key
@@ -387,7 +387,14 @@ function isApprovedRequest()
 			$referer = $_SERVER['HTTP_REFERER'];
 		}
 		if ($referer == getServerPath(false)) {
-			return true;
+			if ($method == 'POST') {
+				if (password_verify(substr($GLOBALS['quickConfig']['organizrHash'], 2, 10), $_POST['data']['formKey'])) {
+					return true;
+				}
+			} else {
+				return true;
+			}
+			
 		}
 	}
 	return false;
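Review bot: The key checked at line 39 is not bound to a user or session: formKey() in static-globals.php emits a bcrypt hash of a fixed 10-byte slice of organizrHash to anyone for whom index.php renders, and nothing visible in formKey() gates that on being logged in, so any client that can load the page obtains a value that password_verify() accepts for every user, which weakens it as a CSRF check. Separately, `$_POST['data']['formKey']` is read without `isset`, so a POST that omits it raises an undefined-index notice and hands null (or an array, for `data[formKey][]=x`) to password_verify(), which depending on the PHP version warns or throws instead of returning false; guard with `if (isset($_POST['data']['formKey']) && is_string($_POST['data']['formKey']) && password_verify(substr($GLOBALS['quickConfig']['organizrHash'], 2, 10), $_POST['data']['formKey']))`. If session binding is the intent, a random per-session token (`bin2hex(random_bytes(32))` stored in the session and compared with `hash_equals()`) is both cheaper than bcrypt and not derivable from the install secret. Non-POST requests at lines 42-44 still pass on the referer match alone, so any state-changing GET or DELETE endpoints remain outside this check. isApprovedRequest() closes outside the hunk.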

+ 14 - 6
api/functions/static-globals.php

@@ -13,6 +13,7 @@ $GLOBALS['userConfigPath'] = dirname(__DIR__, 1) . DIRECTORY_SEPARATOR . 'config
 $GLOBALS['defaultConfigPath'] = dirname(__DIR__, 1) . DIRECTORY_SEPARATOR . 'config' . DIRECTORY_SEPARATOR . 'default.php';
 $GLOBALS['currentTime'] = gmdate("Y-m-d\TH:i:s\Z");
 $GLOBALS['docker'] = (file_exists(dirname(__DIR__, 2) . DIRECTORY_SEPARATOR . 'Docker.txt')) ? true : false;
+$GLOBALS['quickConfig'] = (file_exists($GLOBALS['userConfigPath'])) ? loadConfigOnce($GLOBALS['userConfigPath']) : null;
 // Quick function for plugins
 function pluginFiles($type)
 {
@@ -46,6 +47,16 @@ function loadConfigOnce($path = null)
 	}
 }
 
+function formKey()
+{
+	if (isset($GLOBALS['quickConfig']['organizrAPI'])) {
+		if ($GLOBALS['quickConfig']['organizrAPI'] !== '') {
+			$hash = password_hash(substr($GLOBALS['quickConfig']['organizrHash'], 2, 10), PASSWORD_BCRYPT);
+			return '<script>local("s","formKey","' . $hash . '");</script>';
+		}
+	}
+}
+
 function favIcons()
 {
 	$favicon = '
@@ -60,12 +71,9 @@ function favIcons()
 	<meta name="msapplication-config" content="plugins/images/favicon/browserconfig.xml">
 	<meta name="theme-color" content="#ffffff">
 	';
-	if (file_exists($GLOBALS['userConfigPath'])) {
-		$config = loadConfigOnce($GLOBALS['userConfigPath']);
-		if (isset($config['favIcon'])) {
-			if ($config['favIcon'] !== '') {
-				$favicon = $config['favIcon'];
-			}
+	if (isset($GLOBALS['quickConfig']['favIcon'])) {
+		if ($GLOBALS['quickConfig']['favIcon'] !== '') {
+			$favicon = $GLOBALS['quickConfig']['favIcon'];
 		}
 	}
 	return $favicon;
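Review bot: formKey() at lines 65-73 runs password_hash() with PASSWORD_BCRYPT on every render of index.php, so each page load — authenticated or not, as nothing in this function checks login — now costs a full bcrypt computation, which is an easy CPU-exhaustion lever for an unauthenticated client. The input being hashed is a 10-byte slice of the per-install organizrHash rather than a per-session random value, so the hashing adds cost without making the key user-specific. A session-scoped token is cheaper and stronger: `if (empty($_SESSION['formKey'])) { $_SESSION['formKey'] = bin2hex(random_bytes(32)); }` and then `return '<script>local("s","formKey",' . json_encode($_SESSION['formKey']) . ');</script>';`, with json_encode() keeping the value safe inside the script tag regardless of its alphabet. Whether a session is already started when index.php calls formKey() is not visible here and would need confirming. The function returns null implicitly when organizrAPI is unset; a docblock noting "returns the formKey bootstrap script, or null when no API key is configured" would make that intentional.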

+ 2 - 1
api/index.php

@@ -15,9 +15,10 @@ if ($function === false) {
 	$result['statusText'] = "No API Path Supplied";
 	exit(json_encode($result));
 }
-if (isApprovedRequest() === false && $function !== 'v1_auth') {
+if (isApprovedRequest($method, $_POST) === false && $function !== 'v1_auth' && $function !== 'v1_wizard_config') {
 	$result['status'] = "error";
 	$result['statusText'] = "Not Authorized";
+	writeLog('success', 'Killed Attack From [' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'No Referer') . ']', $GLOBALS['organizrUser']['username']);
 	exit(json_encode($result));
 }
 $result['request'] = key($_GET);
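Review bot: Exempting `v1_wizard_config` from isApprovedRequest() at line 103 creates an API path that requires neither a token nor a referer match; unless that handler itself refuses to run once setup is complete (not visible in this hunk), any client can post wizard configuration to an installed instance, so that guard should be confirmed or added. isApprovedRequest() is declared with a single `$method` parameter in organizr-functions.php, so the `$_POST` argument passed here is silently ignored — either drop it or extend the signature so the intent is explicit. The writeLog() call at line 106 files a rejected request under the 'success' level and reads `$GLOBALS['organizrUser']['username']`, which for an unauthenticated caller is presumably unset; `isset($GLOBALS['organizrUser']['username']) ? $GLOBALS['organizrUser']['username'] : 'anonymous'` avoids the notice, and because HTTP_REFERER is attacker-controlled it should be length-capped and stripped of newlines before it is written to the log. `$method` is assigned outside this hunk.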

+ 2 - 1
index.php

@@ -291,7 +291,8 @@
 <script id="custom-theme-javascript"></script>
 <script id="custom-javascript"></script>
 <script src="https://js.pusher.com/4.1/pusher.min.js"></script>
-<?php echo pluginFiles('js'); ?>
+<?php echo pluginFiles('js');
+echo formKey(); ?>
 </body>
 
 </html>
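Review bot: The formKey() output echoed at line 120 runs on every render of this page, and `local("s", ...)` appears to write the key into persistent client storage (localStorage, judging by the `local('g', ...)` read in functions.js), where it survives logout and is shared by every account used in that browser; a CSRF key should live with the session, so emit it into a per-page variable or `<meta name="formKey" content="...">` instead and clear the stored value on logout. Keeping it behind the login check that guards the rest of index.php (if there is one — not visible here) would also avoid handing it to anonymous visitors. As a style point, `<?php echo pluginFiles('js'); echo formKey(); ?>` on one line reads more naturally than splitting two statements across the tag.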

+ 1 - 0
js/functions.js

@@ -3261,6 +3261,7 @@ function organizrAPI(type,path,data=null){
 		case 'post':
 		case 'POST':
 		case 'p':
+		    data.formKey = local('g','formKey');
 			return $.ajax({
 				url:path,
 				method:"POST",
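Review bot: The new `data.formKey = local('g','formKey');` at line 132 throws `TypeError: Cannot set property 'formKey' of null` whenever a POST caller relies on the `data=null` default from the signature at line 128, so any existing organizrAPI('post', path) call without a body now fails before the request is sent. Initialise the object first: `data = data || {};` on the line above, then `data.formKey = local('g','formKey');`. It also mutates the caller's object in place, which a comment such as `// formKey is added to the caller's object; pass a copy if you reuse it` should at least make explicit. organizrAPI() continues past the end of this hunk.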