= $_SESSION["POLICY_CSRF_STRICTNESS"]) { return true; } else { http_response_code(400); echo "

Potential CSRF use detected

\n" . "

Please disable any plugins/add-ons inside your browser or contact your system administrator. If you are the system administrator you can run v-change-sys-config-value 'POLICY_CSRF_STRICTNESS' '0' as root to disable this check.

" . "

If you followed a bookmark or an static link please navigate to root"; die(); } } function prevent_post_csrf() { if (!empty($_SERVER["REQUEST_METHOD"])) { if ($_SERVER["REQUEST_METHOD"] === "POST") { if (!empty($_SERVER["HTTP_HOST"])) { $hostname = preg_replace( "/(\[?[^]]*\]?):([0-9]{1,5})$/", "$1", $_SERVER["HTTP_HOST"], ); $port_is_defined = preg_match("/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"]); if ($port_is_defined) { $port = preg_replace( "/(\[?[^]]*\]?):([0-9]{1,5})$/", "$2", $_SERVER["HTTP_HOST"], ); } else { $port = 443; } } else { $hostname = gethostname(); $port = 443; } if (isset($_SERVER["HTTP_ORIGIN"])) { $origin_host = parse_url($_SERVER["HTTP_ORIGIN"], PHP_URL_HOST); if ( strcmp($origin_host, gethostname()) === 0 && in_array($port, ["443", $_SERVER["SERVER_PORT"]]) ) { return checkStrictness(2); } else { if ( strcmp($origin_host, $hostname) === 0 && in_array($port, ["443", $_SERVER["SERVER_PORT"]]) ) { return checkStrictness(1); } else { return checkStrictness(0); } } } } } } function prevent_get_csrf() { if (!empty($_SERVER["REQUEST_METHOD"])) { if ($_SERVER["REQUEST_METHOD"] === "GET") { if (!empty($_SERVER["HTTP_HOST"])) { $hostname = preg_replace( "/(\[?[^]]*\]?):([0-9]{1,5})$/", "$1", $_SERVER["HTTP_HOST"], ); $port_is_defined = preg_match("/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"]); if ($port_is_defined) { $port = preg_replace( "/(\[?[^]]*\]?):([0-9]{1,5})$/", "$2", $_SERVER["HTTP_HOST"], ); } else { $port = 443; } } else { $hostname = gethostname(); $port = 443; } //list of possible entries route and these should never be blocked if ( in_array($_SERVER["DOCUMENT_URI"], [ "/list/user/index.php", "/login/index.php", "/list/web/index.php", "/list/dns/index.php", "/list/mail/index.php", "/list/db/index.php", "/list/cron/index.php", "/list/backup/index.php", "/reset/index.php", ]) ) { return true; } if (isset($_SERVER["HTTP_REFERER"])) { $referrer_host = parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST); if ( strcmp($referrer_host, gethostname()) === 0 && in_array($port, ["443", $_SERVER["SERVER_PORT"]]) ) { return checkStrictness(2); } else { if ( strcmp($referrer_host, $hostname) === 0 && in_array($port, ["443", $_SERVER["SERVER_PORT"]]) ) { return checkStrictness(1); } else { return checkStrictness(0); } } } else { return checkStrictness(0); } } } } if ($check_csrf == true) { prevent_post_csrf(); prevent_get_csrf(); }