From 12be48f66164c62dace6db711943716828f9ef1c Mon Sep 17 00:00:00 2001
From: raviks789
Date: Wed, 17 Jul 2024 15:54:52 +0200
Subject: [PATCH] Fix CSRF validation for sorting in property tables
---
 .../Web/Form/PropertyTableSortForm.php | 34 +++++++++++++++++++
 .../Web/Table/PropertymodifierTable.php | 18 ++++++++--
 .../Director/Web/Table/SyncpropertyTable.php | 19 ++++++++++++++++++-
 3 files changed, 68 insertions(+), 3 deletions(-)
 create mode 100644 library/Director/Web/Form/PropertyTableSortForm.php
diff --git a/library/Director/Web/Form/PropertyTableSortForm.php b/library/Director/Web/Form/PropertyTableSortForm.php
new file mode 100644
index 000000000..27aa6c5ea
--- /dev/null
+++ b/library/Director/Web/Form/PropertyTableSortForm.php
@@ -0,0 +1,34 @@
+name = $name;
+ $this->table = $table;
+ }
+
+ protected function assemble()
+ {
+ $this->addElement('hidden', '__FORM_NAME', ['value' => $this->name]);
+ $this->addElement($this->createCsrfCounterMeasure(Session::getSession()->getId()));
+ $this->addHtml($this->table);
+ }
+}
diff --git a/library/Director/Web/Table/PropertymodifierTable.php b/library/Director/Web/Table/PropertymodifierTable.php
index a3d0691c5..37e14ac90 100644
--- a/library/Director/Web/Table/PropertymodifierTable.php
+++ b/library/Director/Web/Table/PropertymodifierTable.php
@@ -4,12 +4,16 @@
 use Error;
 use Exception;
+use GuzzleHttp\Psr7\ServerRequest;
 use Icinga\Module\Director\Hook\ImportSourceHook;
 use Icinga\Module\Director\Objects\ImportSource;
 use gipfl\IcingaWeb2\Link;
 use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
 use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
 use gipfl\IcingaWeb2\Url;
+use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
+use ipl\Html\Form;
+use ipl\Html\HtmlString;
 class PropertymodifierTable extends ZfQueryBasedTable
 {
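Review bot: The new PropertyTableSortForm carries no docblock explaining why it exists or the coupling it introduces: the hidden `__FORM_NAME` value written in `assemble()` must be the very string the tables pass as `$name` (they pass `getUniqueFormName()`), and `createCsrfCounterMeasure(Session::getSession()->getId())` ties the token to the current session, so presumably a rotated or expired session rejects a pending sort request. I would add a class docblock along the lines of `/** Minimal POST form wrapping an already rendered sortable property table: it contributes only the hidden __FORM_NAME and a session-bound CSRF token, and the owning table must validate that token before applying sort-priority actions. */`, plus `// table HTML is inserted verbatim; the form never re-renders it` on the `addHtml($this->table)` line. The class header and constructor signature are not legible in this copy of the patch, so the type expected for `$table` has to be confirmed there.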
@@ -48,10 +52,20 @@ public function setReadOnly($readOnly = true)
 public function render()
 {
- if ($this->readOnly) {
+ if ($this->readOnly || $this->request === null) {
 return parent::render();
 }
- return $this->renderWithSortableForm();
+
+ return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
+ ->setAction($this->request->getUrl()->getAbsoluteUrl())
+ ->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
+ $csrf = $form->getElement('CSRFToken');
+ if ($csrf !== null && $csrf->isValid()) {
+ $this->reallyHandleSortPriorityActions();
+ }
+ })
+ ->handleRequest(ServerRequest::fromGlobals())
+ ->render();
 }
 protected function assemble()
diff --git a/library/Director/Web/Table/SyncpropertyTable.php b/library/Director/Web/Table/SyncpropertyTable.php
index 79461cec7..c0b282029 100644
--- a/library/Director/Web/Table/SyncpropertyTable.php
+++ b/library/Director/Web/Table/SyncpropertyTable.php
@@ -2,10 +2,14 @@
 namespace Icinga\Module\Director\Web\Table;
+use GuzzleHttp\Psr7\ServerRequest;
 use Icinga\Module\Director\Objects\SyncRule;
 use gipfl\IcingaWeb2\Link;
 use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
 use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
+use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
+use ipl\Html\Form;
+use ipl\Html\HtmlString;
 class SyncpropertyTable extends ZfQueryBasedTable
 {
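Review bot: `parent::render()` is evaluated as a constructor argument on the `return (new PropertyTableSortForm(...))` line, i.e. before `handleRequest()` has run the `ON_SENT` handler, so the table HTML is built from the row order as it was before `reallyHandleSortPriorityActions()` moved anything; unless that method (outside this hunk) redirects after updating, a sort-priority POST answers with the old order until the next reload. Defer the table rendering until the form itself renders, e.g. replace `new HtmlString(parent::render())` with `new DeferredText(function () { return parent::render(); })` (ipl-html's lazy wrapper, which needs `use ipl\Html\DeferredText;`), or otherwise make sure the request is handled before the table is rendered. A why-comment on the `->on(Form::ON_SENT, ...)` line would also help, e.g. `// ON_SENT alone does not imply validity: act only once the session-bound CSRF token checked out`. A missing or invalid token drops the request silently here, which is safe but leaves the user with no hint why the move was ignored.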
@@ -33,7 +37,20 @@ public static function create(SyncRule $rule)
 public function render()
 {
- return $this->renderWithSortableForm();
+ if ($this->request === null) {
+ return parent::render();
+ }
+
+ return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
+ ->setAction($this->request->getUrl()->getAbsoluteUrl())
+ ->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
+ $csrf = $form->getElement('CSRFToken');
+ if ($csrf !== null && $csrf->isValid()) {
+ $this->reallyHandleSortPriorityActions();
+ }
+ })
+ ->handleRequest(ServerRequest::fromGlobals())
+ ->render();
 }
 public function renderRow($row)
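Review bot: This `render()` body is a line-for-line copy of the one this patch adds to `PropertymodifierTable::render()` (form construction, action URL, the `ON_SENT` CSRF check, `handleRequest(ServerRequest::fromGlobals())`), differing only in the absence of the `readOnly` guard; duplicated CSRF-gating code is exactly where a later fix lands in one table and not the other. Both files import `ZfSortablePriority`, which presumably already supplies `getUniqueFormName()` and `reallyHandleSortPriorityActions()`, so the copied body belongs in that trait or in a shared helper of this module as the successor of the removed `renderWithSortableForm()`, leaving each table with the null-request guard plus `return $this->renderWithCsrfSortableForm();`. Whichever helper is chosen should also give the user some feedback when the token fails, e.g. by surfacing `$csrf->getMessages()`, instead of silently ignoring the request as both copies do now.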