Add CSRF protection

2025-05-02 10:04:22 +00:00 · 2020-01-25 10:07:06 +00:00 · 2020-01-25 10:07:06 +00:00 · bf2cfaf0ed
commit bf2cfaf0ed
parent 5fdc7a59b2
13 changed files with 219 additions and 48 deletions
--- a/templates/header.tmpl
+++ b/templates/header.tmpl
@ -4,6 +4,9 @@
 <head>
 	<meta charset='utf-8'>
 	<meta content='width=device-width, initial-scale=1' name='viewport'>
+	{{if .CSRFToken}}
+	<meta name="csrf_token" content="{{.CSRFToken}}">
+	{{end}}
 	<title>{{if gt .NotificationCount 0}}({{.NotificationCount}}) {{end}}{{.Title}}</title>
 	<link rel="stylesheet" href="/static/main.css">
 	{{if .CustomCSS}}
--- a/templates/postform.tmpl
+++ b/templates/postform.tmpl
@ -1,5 +1,6 @@
 {{with .Data}}
 <form class="post-form" action="/post" method="POST" enctype="multipart/form-data">
+	<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
 	{{if .ReplyContext}}
 	<input type="hidden" name="reply_to_id" value="{{.ReplyContext.InReplyToID}}" />
 	<label for="post-content" class="post-form-title"> Reply to {{.ReplyContext.InReplyToName}} </label>
--- a/templates/settings.tmpl
+++ b/templates/settings.tmpl
@ -4,6 +4,7 @@
 <div class="page-title"> Settings </div>

 <form id="settings-form" action="/settings" method="POST">
+	<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
 	<div class="settings-form-field">
 		<label for="visibility"> Default scope </label>
 		<select id="visibility" name="visibility">
--- a/templates/status.tmpl
+++ b/templates/status.tmpl
@ -109,12 +109,14 @@
 					{{else}}
 					{{if .Reblogged}}
 					<form class="status-retweet" data-action="unretweet" action="/unretweet/{{.ID}}" method="post">
-						<input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}" />
+						<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+						<input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}">
 						<input type="image" src="{{GetIcon "retweeted" $.Ctx.DarkMode}}" alt="undo retweet" class="icon" title="undo retweet">
 					</form>
 					{{else}}
 					<form class="status-retweet" data-action="retweet" action="/retweet/{{.ID}}" method="post">
-						<input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}" />
+						<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+						<input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}">
 						<input type="image" src="{{GetIcon "retweet" $.Ctx.DarkMode}}" alt="retweet" class="icon" title="retweet">
 					</form>
 					{{end}}
@ -126,12 +128,14 @@
 				<div class="status-action">
 					{{if .Favourited}}
 					<form class="status-like" data-action="unlike" action="/unlike/{{.ID}}" method="post">
-						<input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}" />
+						<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+						<input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}">
 						<input type="image" src="{{GetIcon "liked" $.Ctx.DarkMode}}" alt="unlike" class="icon" title="unlike">
 					</form>
 					{{else}}
 					<form class="status-like" data-action="like" action="/like/{{.ID}}" method="post">
-						<input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}" />
+						<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+						<input type="hidden" name="retweeted_by_id" value="{{.RetweetedByID}}">
 						<input type="image" src="{{GetIcon "star-o" $.Ctx.DarkMode}}" alt="like" class="icon" title="like">
 					</form>
 					{{end}}
--- a/templates/user.tmpl
+++ b/templates/user.tmpl
@ -22,17 +22,20 @@
 			<span> {{if .User.Pleroma.Relationship.FollowedBy}} follows you - {{end}} </span>  
 			{{if .User.Pleroma.Relationship.Following}} 
 			<form class="d-inline" action="/unfollow/{{.User.ID}}" method="post">
-			    <input type="submit" value="unfollow" class="btn-link">
+				<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+				<input type="submit" value="unfollow" class="btn-link">
 			</form>
 			{{end}} 
 			{{if .User.Pleroma.Relationship.Requested}} 
 			<form class="d-inline" action="/unfollow/{{.User.ID}}" method="post">
-			    <input type="submit" value="cancel request" class="btn-link">
+				<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+				<input type="submit" value="cancel request" class="btn-link">
 			</form>
 			{{end}} 
 			{{if not .User.Pleroma.Relationship.Following}} 
 			<form class="d-inline" action="/follow/{{.User.ID}}" method="post">
-			    <input type="submit" value="{{if .User.Pleroma.Relationship.Requested}}resend request{{else}}follow{{end}}" class="btn-link">
+				<input type="hidden" name="csrf_token" value="{{$.Ctx.CSRFToken}}">
+				<input type="submit" value="{{if .User.Pleroma.Relationship.Requested}}resend request{{else}}follow{{end}}" class="btn-link">
 			</form>
 			{{end}} 
 		</div>