add ZM_ENABLE_CSRF_MAGIC toggle
This commit is contained in:
parent
d38bae72ae
commit
4e16ae6d19
@ -345,6 +345,26 @@ our @options = (
|
||||||
type => $types{boolean},
|
type => $types{boolean},
|
||||||
category => "system",
|
category => "system",
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name => "ZM_ENABLE_CSRF_MAGIC",
|
||||||
|
default => "no",
|
||||||
|
description => "Enable csrf-magic library",
|
||||||
|
help => qqq("
|
||||||
|
CSRF stands for Cross-Site Request Forgery which, under specific
|
||||||
|
circumstances, can allow an attacker to perform any task your
|
||||||
|
ZoneMinder user account has permission to perform. To accomplish
|
||||||
|
this, the attacker must write a very specific web page and get
|
||||||
|
you to navigate to it, while you are logged into the ZoneMinder
|
||||||
|
web console at the same time. Enabling ZM_ENABLE_CSRF_MAGIC will
|
||||||
|
help mitigate these kinds of attackes. Be warned this feature
|
||||||
|
is experimental and may cause problems, particularly with the API.
|
||||||
|
If you find a false positive and can document how to reproduce it,
|
||||||
|
then please report it. This feature defaults to OFF currently due to
|
||||||
|
its experimental nature.
|
||||||
|
"),
|
||||||
|
type => $types{boolean},
|
||||||
|
category => "system",
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name => "ZM_OPT_USE_API",
|
name => "ZM_OPT_USE_API",
|
||||||
default => "yes",
|
default => "yes",
|
||||||
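Review bot: The help text at `help mitigate these kinds of attackes. Be warned this feature` misspells "attacks"; because this string is shown to administrators in the config UI, change the line to `help mitigate these kinds of attacks. Be warned this feature`. The help would also benefit from stating plainly that with this option set to "no" no CSRF token check appears to run at all, since elsewhere in this commit csrf-magic's automatic check is deferred and csrf_check() is only called behind this flag, so the trade-off of the default is visible to the person choosing it. The enclosing `our @options = (` list begins before the hunk.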
@ -23,7 +23,7 @@
|
||||||
* a boolean false if the CSRF check failed. This allows for tighter integration
|
* a boolean false if the CSRF check failed. This allows for tighter integration
|
||||||
* with your system.
|
* with your system.
|
||||||
*/
|
*/
|
||||||
$GLOBALS['csrf']['defer'] = false;
|
$GLOBALS['csrf']['defer'] = true;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This is the amount of seconds you wish to allow before any token becomes
|
* This is the amount of seconds you wish to allow before any token becomes
|
||||||
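Review bot: Assuming the new side is `$GLOBALS['csrf']['defer'] = true;` (the rendered page drops the +/- markers), csrf-magic no longer validates requests on its own and protection now rests entirely on the explicit csrf_check() call added in the request-handling hunk of this commit. A comment on that line recording the dependency, e.g. `// deferred: ZoneMinder calls csrf_check() itself, gated on ZM_ENABLE_CSRF_MAGIC`, would keep a later refresh of the library file from silently restoring the default and dropping the check. The comment block above the line (`* a boolean false if the CSRF check failed ...`) is the library's own text and does not mention the ZoneMinder hook, so this line is the only place that would.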
@ -170,6 +170,11 @@ if ( isset($_REQUEST['action']) )
|
||||||
foreach ( getSkinIncludes( 'skin.php' ) as $includeFile )
|
foreach ( getSkinIncludes( 'skin.php' ) as $includeFile )
|
||||||
require_once $includeFile;
|
require_once $includeFile;
|
||||||
|
|
||||||
|
if ( ZM_ENABLE_CSRF_MAGIC && $action != 'login' ) {
|
||||||
|
Debug("Calling csrf_check with the following values: \$request = \"$request\", \$view = \"$view\", \$action = \"$action\"");
|
||||||
|
csrf_check();
|
||||||
|
}
|
||||||
|
|
||||||
require_once( 'includes/actions.php' );
|
require_once( 'includes/actions.php' );
|
||||||
|
|
||||||
# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
|
# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
|
||||||
|
|
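Review bot: The new block exempts the login action from csrf_check() without saying why, and the pre-existing comment further down (`# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.`) describes a placement after actions.php that this change does not use, so the two now read as contradictory. Add a comment above the new `if` giving the reason for the exemption — presumably that no token can exist before a session is established, which is also why the login request itself stays outside the check — and either update or remove the stale comment. Prefer a strict comparison, `if ( ZM_ENABLE_CSRF_MAGIC && $action !== 'login' ) {`, since `$action` is compared as a string. The Debug call writes raw `$request`, `$view` and `$action` values to the log; that is reasonable at debug level but is inferred, not shown, to be gated by a log level here.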