Merge pull request #448 from protich/issue/428

Issue/428

Merge pull request #448 from protich/issue/428
56c11ed1 · Peter Rotich · 8859c220 · b48a6abb · 56c11ed1 · 56c11ed1
Commit 56c11ed1 authored 12 years ago by Peter Rotich
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -127,12 +127,22 @@ class Format {

    //make urls clickable. Mainly for display 
    function clickableurls($text) {
-
+        global $ost;
+        
+        $token = $ost->getLinkToken();
        //Not perfect but it works - please help improve it. 
-        $text=preg_replace('/(((f|ht){1}tp(s?):\/\/)[-a-zA-Z0-9@:%_\+.~#?&;\/\/=]+)/',
-            '<a href="l.php?url=\\1" target="_blank">\\1</a>', $text);
-        $text=preg_replace("/(^|[ \\n\\r\\t])(www\.([a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+)(\/[^\/ \\n\\r]*)*)/",
-            '\\1<a href="l.php?url=http://\\2" target="_blank">\\2</a>', $text);
+        $text=preg_replace_callback('/(((f|ht){1}tp(s?):\/\/)[-a-zA-Z0-9@:%_\+.~#?&;\/\/=]+)/',
+                create_function('$matches',
+                    sprintf('return "<a href=\"l.php?url=".urlencode($matches[1])."&auth=%s\" target=\"_blank\">".$matches[1]."</a>";',
+                        $token)),
+                $text);
+
+        $text=preg_replace_callback("/(^|[ \\n\\r\\t])(www\.([a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+)(\/[^\/ \\n\\r]*)*)/",
+                create_function('$matches',
+                    sprintf('return "<a href=\"l.php?url=".urlencode("http://".$matches[2])."&auth=%s\" target=\"_blank\">".$matches[2]."</a>";',
+                        $token)),
+                $text);
+
        $text=preg_replace("/(^|[ \\n\\r\\t])([_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,4})/",
            '\\1<a href="mailto:\\2" target="_blank">\\2</a>', $text);


--- a/include/class.osticket.php
+++ b/include/class.osticket.php
@@ -119,7 +119,15 @@ class osTicket {

        return false;
    }
-    
+
+    function getLinkToken() {
+        return md5($this->getCSRFToken().SECRET_SALT.session_id());
+    }
+
+    function validateLinkToken($token) {
+            return ($token && !strcasecmp($token, $this->getLinkToken()));
+    }
+
    function isFileTypeAllowed($file, $mimeType='') {
       
        if(!$file || !($allowedFileTypes=$this->getConfig()->getAllowedFileTypes()))

--- a/include/client/header.inc.php
+++ b/include/client/header.inc.php
@@ -30,7 +30,7 @@ header("Content-Type: text/html; charset=UTF-8\r\n");
                <a href="<?php echo ROOT_PATH; ?>tickets.php">My Tickets <b>(<?php echo $thisclient->getNumTickets(); ?>)</b></a> -
                <?php
                } ?>
-                <a href="<?php echo ROOT_PATH; ?>logout.php">Log Out</a>
+                <a href="<?php echo ROOT_PATH; ?>logout.php?auth=<?php echo $ost->getLinkToken(); ?>">Log Out</a>
             <?php
             }elseif($nav){ ?>
                 Guest User - <a href="<?php echo ROOT_PATH; ?>login.php">Log In</a>

--- a/include/staff/header.inc.php
+++ b/include/staff/header.inc.php
@@ -49,7 +49,7 @@
            | <a href="index.php">Staff Panel</a>
            <?php } ?>
            | <a href="profile.php">My Preferences</a>
-            | <a href="logout.php?auth=<?php echo md5($ost->getCSRFToken().SECRET_SALT.session_id()); ?>">Log Out</a>
+            | <a href="logout.php?auth=<?php echo $ost->getLinkToken(); ?>">Log Out</a>
        </p>
    </div>
    <ul id="nav">

--- a/l.php
+++ b/l.php
@@ -14,8 +14,9 @@
    vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require 'secure.inc.php';
-$url = trim($_GET['url']);
-if (!$url || !Validator::is_url($url)) exit('Invalid url');
+//Basic url validation + token check.
+if (!($url=trim($_GET['url'])) || !Validator::is_url($url) || !$ost->validateLinkToken($_GET['auth']))
+    exit('Invalid url');
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <html>

--- a/logout.php
+++ b/logout.php
@@ -15,7 +15,10 @@
 **********************************************************************/

 require('client.inc.php');
-//We are checking to make sure the user is logged in before a logout to avoid session reset tricks on excess logins
+//Check token: Make sure the user actually clicked on the link to logout.
+if(!$_GET['auth'] || !$ost->validateLinkToken($_GET['auth']))
+   @header('Location: index.php');
+
 $_SESSION['_client']=array();
 session_unset();
 session_destroy();

--- a/scp/l.php
+++ b/scp/l.php
@@ -14,8 +14,9 @@
    vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require_once 'staff.inc.php';
-$url = trim($_GET['url']);
-if (!$url || !Validator::is_url($url)) exit('Invalid url');
+//Basic url validation + token check.
+if (!($url=trim($_GET['url'])) || !Validator::is_url($url) || !$ost->validateLinkToken($_GET['auth']))
+    exit('Invalid url');
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <html>

--- a/scp/logout.php
+++ b/scp/logout.php
@@ -15,9 +15,9 @@
    vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 require('staff.inc.php');
-//CSRF Check: Make sure the user actually clicked on the link to logout.
-if(!$_GET['auth'] || $_GET['auth']!=md5($ost->getCSRFToken().SECRET_SALT.session_id()))
-   @header('Location: index.php');
+//Check token: Make sure the user actually clicked on the link to logout.
+if(!$_GET['auth'] || !$ost->validateLinkToken($_GET['auth']))
+    @header('Location: index.php');

 $ost->logDebug('Staff logout',
        sprintf("%s logged out [%s]",