<?php
$check_csrf = true;
if (
$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/inc/mail-wrapper.php" ||
$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia//web/inc/mail-wrapper.php"
) {
$check_csrf = false;
} // execute only from CLI
if (
$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/reset/mail/index.php" ||
$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web//reset/mail/index.php"
) {
$check_csrf = false;
} // Localhost only
if (
$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web/api/index.php" ||
$_SERVER["SCRIPT_FILENAME"] == "/usr/local/hestia/web//api/index.php"
) {
$check_csrf = false;
} // Own check
if (substr($_SERVER["SCRIPT_FILENAME"], 0, 22) == "/usr/local/hestia/bin/") {
$check_csrf = false;
}
function checkStrictness($level) {
if ($level >= $_SESSION["POLICY_CSRF_STRICTNESS"]) {
return true;
} else {
http_response_code(400);
echo "<h1>Potential CSRF use detected</h1>\n" .
"<p>Please disable any plugins/add-ons inside your browser or contact your system administrator. If you are the system administrator you can run v-change-sys-config-value 'POLICY_CSRF_STRICTNESS' '0' as root to disable this check.<p>" .
"<p>If you followed a bookmark or an static link please <a href='/'>navigate to root</a>";
die();
}
}
function prevent_post_csrf() {
if (!empty($_SERVER["REQUEST_METHOD"])) {
if ($_SERVER["REQUEST_METHOD"] === "POST") {
if (!empty($_SERVER["HTTP_HOST"])) {
$hostname = preg_replace(
"/(\[?[^]]*\]?):([0-9]{1,5})$/",
"$1",
$_SERVER["HTTP_HOST"],
);
$port_is_defined = preg_match("/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"]);
if ($port_is_defined) {
$port = preg_replace(
"/(\[?[^]]*\]?):([0-9]{1,5})$/",
"$2",
$_SERVER["HTTP_HOST"],
);
} else {
$port = 443;
}
} else {
$hostname = gethostname();
$port = 443;
}
if (isset($_SERVER["HTTP_ORIGIN"])) {
$origin_host = parse_url($_SERVER["HTTP_ORIGIN"], PHP_URL_HOST);
if (
strcmp($origin_host, gethostname()) === 0 &&
in_array($port, ["443", $_SERVER["SERVER_PORT"]])
) {
return checkStrictness(2);
} else {
if (
strcmp($origin_host, $hostname) === 0 &&
in_array($port, ["443", $_SERVER["SERVER_PORT"]])
) {
return checkStrictness(1);
} else {
return checkStrictness(0);
}
}
}
}
}
}
function prevent_get_csrf() {
if (!empty($_SERVER["REQUEST_METHOD"])) {
if ($_SERVER["REQUEST_METHOD"] === "GET") {
if (!empty($_SERVER["HTTP_HOST"])) {
$hostname = preg_replace(
"/(\[?[^]]*\]?):([0-9]{1,5})$/",
"$1",
$_SERVER["HTTP_HOST"],
);
$port_is_defined = preg_match("/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"]);
if ($port_is_defined) {
$port = preg_replace(
"/(\[?[^]]*\]?):([0-9]{1,5})$/",
"$2",
$_SERVER["HTTP_HOST"],
);
} else {
$port = 443;
}
} else {
$hostname = gethostname();
$port = 443;
}
//list of possible entries route and these should never be blocked
if (
in_array($_SERVER["DOCUMENT_URI"], [
"/list/user/index.php",
"/login/index.php",
"/list/web/index.php",
"/list/dns/index.php",
"/list/mail/index.php",
"/list/db/index.php",
"/list/cron/index.php",
"/list/backup/index.php",
"/reset/index.php",
])
) {
return true;
}
if (isset($_SERVER["HTTP_REFERER"])) {
$referrer_host = parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST);
if (
strcmp($referrer_host, gethostname()) === 0 &&
in_array($port, ["443", $_SERVER["SERVER_PORT"]])
) {
return checkStrictness(2);
} else {
if (
strcmp($referrer_host, $hostname) === 0 &&
in_array($port, ["443", $_SERVER["SERVER_PORT"]])
) {
return checkStrictness(1);
} else {
return checkStrictness(0);
}
}
} else {
return checkStrictness(0);
}
}
}
}
if ($check_csrf == true) {
prevent_post_csrf();
prevent_get_csrf();
}