diff --git a/client.inc.php b/client.inc.php index f8f6ddff..97d42755 100644 --- a/client.inc.php +++ b/client.inc.php @@ -61,6 +61,8 @@ @header('Location: index.php'); //just incase redirect fails die('Action denied (400)!'); +} elseif ($_POST && !$ost->checkActivityToken()) { + $errors['err'] = 'Cowardly refusing to repeat previous activity'; } /* Client specific defaults */ diff --git a/include/class.osticket.php b/include/class.osticket.php index a2d2205d..b9bbbe8f 100644 --- a/include/class.osticket.php +++ b/include/class.osticket.php @@ -117,6 +117,30 @@ function checkCSRFToken($name='') { return false; } + function checkActivityToken($name='__activity__') { + global $thisstaff, $thisclient; + $user = null; + + if (defined('OSTSTAFFINC') && $thisstaff) { + $user = $thisstaff; + } + elseif (defined('OSTCLIENTINC') && $thisclient) { + $user = $thisclient; + } + if (isset($_POST[$name]) && $user) { + // Ensure the token matches the current token for the user. If + // they don't match, this is likely a stale form post + $pass = ($user->getActivityToken() == $_POST[$name]); + // Regardless, the same token CANNOT be used in a future post + $user->rollActivityToken(); + return $pass; + } + else { + // Token not found. Pass by default + return true; + } + } + function getLinkToken() { return md5($this->getCSRFToken().SECRET_SALT.session_id()); } diff --git a/include/class.usersession.php b/include/class.usersession.php index b596934c..7903adbb 100644 --- a/include/class.usersession.php +++ b/include/class.usersession.php @@ -24,6 +24,7 @@ class UserSession { var $browser = ''; var $ip = ''; var $validated=FALSE; + var $activity; function UserSession($userid){ @@ -31,6 +32,7 @@ function UserSession($userid){ $this->ip=(!empty($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : getenv('REMOTE_ADDR'); $this->session_id=session_id(); $this->userID=$userid; + $this->activity = &$_SESSION['activity:token']; } function isStaff(){ @@ -57,6 +59,17 @@ function refreshSession(){ //nothing to do...clients need to worry about it. } + function getActivityToken() { + if (!$this->activity) + $this->rollActivityToken(); + + return $this->activity; + } + + function rollActivityToken() { + $this->activity = sha1(session_id().microtime(true).$this->ip); + } + function sessionToken(){ $time = time(); @@ -137,7 +150,14 @@ function getSessionToken() { function getIP(){ return $this->session->getIP(); - } + } + + function getActivityToken() { + return $this->session->getActivityToken(); + } + function rollActivityToken() { + return $this->session->rollActivityToken(); + } } @@ -175,7 +195,26 @@ function getSessionToken() { function getIP(){ return $this->session->getIP(); } - + + function getActivityToken() { + return $this->session->getActivityToken(); + } + function rollActivityToken() { + return $this->session->rollActivityToken(); + } +} + +function activity_token() { + global $thisstaff, $thisclient; + + if (defined('OSTSTAFFINC') && $thisstaff) { ?> + + + + diff --git a/include/client/open.inc.php b/include/client/open.inc.php index 275e856d..f8d59f56 100644 --- a/include/client/open.inc.php +++ b/include/client/open.inc.php @@ -14,6 +14,7 @@

Please fill in the form below to open a new ticket.

+ diff --git a/include/client/view.inc.php b/include/client/view.inc.php index f6bac884..b9c02c3e 100644 --- a/include/client/view.inc.php +++ b/include/client/view.inc.php @@ -97,6 +97,7 @@ +

Post a Reply

diff --git a/include/staff/ticket-open.inc.php b/include/staff/ticket-open.inc.php index ed29b873..a294e435 100644 --- a/include/staff/ticket-open.inc.php +++ b/include/staff/ticket-open.inc.php @@ -5,6 +5,7 @@ ?> +

Open New Ticket

diff --git a/include/staff/ticket-view.inc.php b/include/staff/ticket-view.inc.php index 3d119fb8..284993f8 100644 --- a/include/staff/ticket-view.inc.php +++ b/include/staff/ticket-view.inc.php @@ -392,6 +392,7 @@ if($thisstaff->canPostReply()) { ?> + @@ -516,6 +517,7 @@ } ?> + @@ -622,6 +624,7 @@ if($thisstaff->canTransferTickets()) { ?> +
@@ -680,6 +683,7 @@ if($thisstaff->canAssignTickets()) { ?> +
@@ -770,6 +774,7 @@
+
@@ -810,6 +815,7 @@ %s this ticket?', $ticket->isClosed()?'REOPEN':'CLOSE'); ?> + @@ -863,6 +869,7 @@
Please confirm to continue.
+ diff --git a/open.php b/open.php index 4c740afe..6c893ad7 100644 --- a/open.php +++ b/open.php @@ -16,8 +16,7 @@ require('client.inc.php'); define('SOURCE','Web'); //Ticket source. $ticket = null; -$errors=array(); -if($_POST): +if($_POST && !$errors): $vars = $_POST; $vars['deptId']=$vars['emailId']=0; //Just Making sure we don't accept crap...only topicId is expected. if($thisclient) { diff --git a/scp/staff.inc.php b/scp/staff.inc.php index 359663a4..a2f9fdbc 100644 --- a/scp/staff.inc.php +++ b/scp/staff.inc.php @@ -121,6 +121,8 @@ function staffLoginPage($msg) { } elseif($cfg->isHelpDeskOffline()) { $sysnotice='System is set to offline mode - Client interface is disabled and ONLY admins can access staff control panel.'; $sysnotice.=' Enable.'; +} elseif ($_POST && !$ost->checkActivityToken()) { + $errors['err'] = 'Cowardly refusing to repeat previous activity'; } $nav = new StaffNav($thisstaff); diff --git a/tickets.php b/tickets.php index d1293db8..0d283692 100644 --- a/tickets.php +++ b/tickets.php @@ -28,7 +28,7 @@ } //Process post...depends on $ticket object above. -if($_POST && is_object($ticket) && $ticket->getId()): +if($_POST && is_object($ticket) && $ticket->getId() && !$errors): $errors=array(); switch(strtolower($_POST['a'])){ case 'reply':