Arbitrary File Actions in import_template.php, make ajax csrf token t…

…o be a string, add csrf token to template import
LibreHealthIO · Aug 13, 2020 · 9cf84f6 · 9cf84f6
1 parent b685a0c
commit 9cf84f6
Show file tree

Hide file tree

Showing 36 changed files with 113 additions and 71 deletions.
diff --git a/interface/patient_file/encounter/forms.php b/interface/patient_file/encounter/forms.php
@@ -106,7 +106,7 @@
             { amc_id: "patient_edu_amc",
               complete: true,
               mode: mode,
-              token: <?php echo $_SESSION['token'];?>,
+              token: "<?php echo $_SESSION['token'];?>",
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>
@@ -126,7 +126,7 @@
             { amc_id: "provide_sum_pat_amc",
               complete: true,
               mode: mode,
-              token: <?php echo $_SESSION['token'];?>,
+              token: "<?php echo $_SESSION['token'];?>",
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>
@@ -151,7 +151,7 @@
             { amc_id: "med_reconc_amc",
               complete: false,
               mode: mode,
-              token: <?php echo $_SESSION['token'];?>,
+              token: "<?php echo $_SESSION['token'];?>",
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>
@@ -171,7 +171,7 @@
             { amc_id: "med_reconc_amc",
               complete: true,
               mode: mode,
-              token: <?php echo $_SESSION['token'];?>,
+              token: "<?php echo $_SESSION['token'];?>",
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>

diff --git a/interface/patient_file/reminder/clinical_reminders.php b/interface/patient_file/reminder/clinical_reminders.php
@@ -243,7 +243,7 @@
         type: 'passive_alert',
         setting: this.value,
         patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
-        token: <?php echo $_SESSION['token'];?> 
+        token: "<?php echo $_SESSION['token'];?>" 
       });
     });
 
@@ -254,7 +254,7 @@
         type: 'active_alert',
         setting: this.value,
         patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
-        token: <?php echo $_SESSION['token'];?> 
+        token: "<?php echo $_SESSION['token'];?>" 
       });
     });
 
@@ -265,7 +265,7 @@
         type: 'normal',
         setting: this.value,
         patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
-        token: <?php echo $_SESSION['token'];?> 
+        token: "<?php echo $_SESSION['token'];?>" 
       });
     });
 

diff --git a/interface/patient_file/reminder/patient_reminders.php b/interface/patient_file/reminder/patient_reminders.php
@@ -347,7 +347,7 @@ function sel_patient() {
       type: 'patient_reminder',
       setting: this.value,
       patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
-      token: <?php echo $_SESSION['token'];?> 
+      token: "<?php echo $_SESSION['token'];?>" 
     });
   });
 
@@ -362,7 +362,7 @@ function ReminderBatch(processType) {
 
    top.restoreSession();
    $.get("../../../library/ajax/collect_new_report_id.php",
-     {token: <?php echo $_SESSION['token'];?>},
+     {token: "<?php echo $_SESSION['token'];?>"},
      function(data){
        // Set the report id in page form
        $("#form_new_report_id").attr("value",data);
@@ -374,7 +374,8 @@ function(data){
        top.restoreSession();
        $.post("../../../library/ajax/execute_pat_reminder.php",
          {process_type: processType,
-          execute_report_id: $("#form_new_report_id").val()
+          execute_report_id: $("#form_new_report_id").val(),
+          token: "<?php echo $_SESSION['token'];?>"
          });
    });
 
@@ -386,7 +387,7 @@ function collectStatus(report_id) {
    top.restoreSession();
    // Do not send the skip_timeout_reset parameter, so don't close window before report is done.
    $.post("../../../library/ajax/status_report.php",
-     {status_report_id: report_id, token: <?php echo $_SESSION['token'];?> },
+     {status_report_id: report_id, token: "<?php echo $_SESSION['token'];?>" },
      function(data){
        if (data == "PENDING") {
          // Place the pending string in the DOM

diff --git a/interface/patient_file/summary/demographics.php b/interface/patient_file/summary/demographics.php
@@ -261,11 +261,11 @@ function toggleIndicator(target,div) {
           if ( $mode == "<?php echo htmlspecialchars(xl('collapse'),ENT_QUOTES); ?>" ) {
               $(target).find(".indicator").text( "<?php echo htmlspecialchars(xl('expand'),ENT_QUOTES); ?>" );
               $("#"+div).hide();
-          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 0 , token: <?php echo $_SESSION['token'];?> });
+          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 0 , token: "<?php echo $_SESSION['token'];?>" });
           } else {
               $(target).find(".indicator").text( "<?php echo htmlspecialchars(xl('collapse'),ENT_QUOTES); ?>" );
               $("#"+div).show();
-          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 1 , token: <?php echo $_SESSION['token'];?>});
+          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 1 , token: "<?php echo $_SESSION['token'];?>"});
           }
       }
 

diff --git a/interface/patient_file/summary/stats_full.php b/interface/patient_file/summary/stats_full.php
@@ -333,7 +333,7 @@ function newEncounter() {
 
     $(".noneCheck").click(function() {
       top.restoreSession();
-      $.post( "../../../library/ajax/lists_touch.php", { type: this.name, patient_id: <?php echo htmlspecialchars($pid,ENT_QUOTES); ?> });
+      $.post( "../../../library/ajax/lists_touch.php", { type: this.name, patient_id: <?php echo htmlspecialchars($pid,ENT_QUOTES); ?>, token: "<?php echo $_SESSION['token'];?>" });
       $(this).hide();
     });
 });

diff --git a/interface/patient_file/transaction/record_request.php b/interface/patient_file/transaction/record_request.php
@@ -45,7 +45,7 @@
       { amc_id: "provide_rec_pat_amc",
         complete: false,
         mode: "add_force",
-        token: <?php echo $_SESSION['token'];?>,
+        token: "<?php echo $_SESSION['token'];?>",
         patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>
       }
     );

diff --git a/interface/patient_tracker/patient_tracker.php b/interface/patient_tracker/patient_tracker.php
@@ -777,7 +777,7 @@ function validateForm() {
     }
       $.post( "../../library/ajax/drug_screen_completed.php", {
         trackerid: this.id,
-        token: <?php echo $_SESSION['token'];?>,
+        token: "<?php echo $_SESSION['token'];?>",
         testcomplete: testcomplete_toggle
       });
     });

diff --git a/interface/reports/clinical_stats_by_demographics_report.php b/interface/reports/clinical_stats_by_demographics_report.php
@@ -149,7 +149,7 @@ function show_all_diags(){
                 ethnicity:"<?php echo $_POST['ethnicity']; ?>",
                 age_from:"<?php echo $_POST['age_from']  ; ?>",
                 age_to:"<?php echo $_POST['age_to']  ; ?>",
-                token: <?php echo $_SESSION['token'];?>
+                token: "<?php echo $_SESSION['token'];?>"
 
             }, complete: function(){
                 $('#image').hide();

diff --git a/interface/reports/lab_stats_by_demographics_report.php b/interface/reports/lab_stats_by_demographics_report.php
@@ -176,7 +176,7 @@ function lab_result_details() {
                         age_to:"<?php echo $_POST['age_to']  ; ?>",
                         results_per_page: $('#rpp').val(),
                         page_number: $('#nof').val(),
-                        token: <?php echo $_SESSION['token'];?>
+                        token: "<?php echo $_SESSION['token'];?>"
 
                     }, complete: function(){
                         $('#image').hide();

diff --git a/interface/reports/username_report.php b/interface/reports/username_report.php
@@ -92,7 +92,7 @@ function show_session_times(){
                 func:"show_session_times",
                 to_date:   "<?php echo $to_date; ?>",
                 from_date:" <?php echo $from_date; ?> ",
-                token: <?php echo $_SESSION['token'];?>,
+                token: "<?php echo $_SESSION['token'];?>",
             }, complete: function(){
                 $('#image').hide();
             }},
@@ -162,7 +162,7 @@ function show_session_sums()
                 func:"show_session_sums",
                 to_date:   "<?php echo $to_date; ?>",
                 from_date:" <?php echo $from_date; ?> ",
-                token: <?php echo $_SESSION['token'];?>,
+                token: "<?php echo $_SESSION['token'];?>",
             },
         complete: function(){
             $('#image').hide();
@@ -233,7 +233,7 @@ function show_session_details()
                 func:"show_session_details",
                 to_date:   "<?php echo $to_date; ?>",
                 from_date:" <?php echo $from_date; ?> ",
-                token: <?php echo $_SESSION['token'];?>,
+                token: "<?php echo $_SESSION['token'];?>",
             },
             complete: function(){
                 $('#image').hide();

diff --git a/interface/super/edit_globals.php b/interface/super/edit_globals.php
@@ -46,10 +46,9 @@
 
 if (!empty($_POST)) {
   if (!isset($_POST['token'])) {
-      error_log('WARNING: A POST request detected with no csrf token found');
-      die('Authentication failed.');
+      CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/edit_globals.php.theform'))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 

diff --git a/interface/super/edit_layout.php b/interface/super/edit_layout.php
@@ -140,10 +140,9 @@ function addOrDeleteColumn($layout_id, $field_id, $add=TRUE) {
 
 if (!empty($_POST)) {
   if (!isset($_POST['token'])) {
-      error_log('WARNING: A POST request detected with no csrf token found');
-      die('Authentication failed.');
+      CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/edit_layout.php.theform'))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 

diff --git a/interface/super/edit_list.php b/interface/super/edit_list.php
@@ -41,10 +41,9 @@
 
 if (!empty($_POST)) {
   if (!isset($_POST['token'])) {
-      error_log('WARNING: A POST request detected with no csrf token found');
-      die('Authentication failed.');
+      CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/edit_list.php.theform'))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 

diff --git a/interface/super/field_id_popup.php b/interface/super/field_id_popup.php
@@ -96,7 +96,7 @@
   if (!isset($_GET['token'])) {
       CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 $source = empty($_REQUEST['source']) ? 'D' : $_REQUEST['source'];

diff --git a/interface/super/layout_listitems_ajax.php b/interface/super/layout_listitems_ajax.php
@@ -33,7 +33,7 @@
   if (!isset($_GET['token'])) {
       CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 $listid  = $_GET['listid'];

diff --git a/interface/super/load_codes.php b/interface/super/load_codes.php
@@ -38,10 +38,9 @@
 
 if (!empty($_POST)) {
   if (!isset($_POST['token'])) {
-      error_log('WARNING: A POST request detected with no csrf token found');
-      die('Authentication failed.');
+      CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/load_codes.php.theform'))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 

diff --git a/interface/super/manage_document_templates.php b/interface/super/manage_document_templates.php
@@ -35,10 +35,9 @@
 
 if (!empty($_POST)) {
   if (!isset($_POST['token'])) {
-      error_log('WARNING: A POST request detected with no csrf token found');
-      die('Authentication failed.');
+      CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/manage_document_templates.php.theform'))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 

diff --git a/interface/super/manage_site_files.php b/interface/super/manage_site_files.php
@@ -25,10 +25,9 @@
 
 if (!empty($_POST)) {
   if (!isset($_POST['token'])) {
-      error_log('WARNING: A POST request detected with no csrf token found');
-      die('Authentication failed.');
+      CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/manage_site_files.php.theform'))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 

diff --git a/interface/usergroup/adminacl.php b/interface/usergroup/adminacl.php
@@ -89,7 +89,7 @@
     data: {
      control: "acl",
      action: "add",
-     token: <?php echo $_SESSION['token'];?>,
+     token: "<?php echo $_SESSION['token'];?>",
      title: title,
      identifier: identifier,    
      return_value: return_value,
@@ -161,7 +161,7 @@
     data: {
      control: "acl",
      action: "remove",
-     token: <?php echo $_SESSION['token'];?>,
+     token: "<?php echo $_SESSION['token'];?>",
      title: title,
      return_value: return_value
     },
@@ -210,7 +210,7 @@ function membership_show() {
     dataType: "xml",
     data: {
      control: "username",
-     token: <?php echo $_SESSION['token'];?>,
+     token: "<?php echo $_SESSION['token'];?>",
      action: "list"
     },
     success: function(xml){
@@ -260,7 +260,7 @@ function acl_show() {
     dataType: "xml",
     data: {
      control: "acl",
-     token: <?php echo $_SESSION['token'];?>,
+     token: "<?php echo $_SESSION['token'];?>",
      action: "list"
     },
     success: function(xml){     
@@ -375,7 +375,7 @@ function generic_click(cthis) {
     data: {
      name: identityFormatted,
      control: control,
-     token: <?php echo $_SESSION['token'];?>,
+     token: "<?php echo $_SESSION['token'];?>",
      action: action,
      'selection[]': selected,
      return_value: return_value

diff --git a/library/CsrfToken.php b/library/CsrfToken.php
@@ -34,6 +34,11 @@ function verifyCsrfToken($token)
     //log error and kill the page
     function noTokenFoundError() {
         error_log('WARNING: A POST request detected with no csrf token found');
+        header('HTTP/1.1 401 Unauthorized');
+        die('Authentication failed.');
+    }
+    function incorrectToken() {
+        header('HTTP/1.1 401 Unauthorized');
         die('Authentication failed.');
     }
     // Function to verify a csrf token using with second token

diff --git a/library/ajax/adminacl_ajax.php b/library/ajax/adminacl_ajax.php
@@ -39,7 +39,7 @@
   if (!isset($_POST['token'])) {
     CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 //Display red alert if Emergency Login ACL is activated for a user.

diff --git a/library/ajax/amc_misc_data.php b/library/ajax/amc_misc_data.php
@@ -31,7 +31,7 @@
     if (!isset($_POST['token'])) {
       CsrfToken::noTokenFoundError();
     } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
     }
 
   processAmcCall($_POST['amc_id'], $_POST['complete'], $_POST['mode'], $_POST['patient_id'], $_POST['object_category'], $_POST['object_id'], $_POST['date_created']);

diff --git a/library/ajax/execute_background_services.php b/library/ajax/execute_background_services.php
@@ -83,7 +83,7 @@
   if (!isset($_POST['token'])) {
     CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 

diff --git a/library/ajax/payment_ajax.php b/library/ajax/payment_ajax.php
@@ -35,8 +35,8 @@
 if (!empty($_REQUEST)) {
   if (!isset($_REQUEST['token'])) {
     CsrfToken::noTokenFoundError();
-  } else if (!(CsrfToken::verifyCsrfToken($_REQUEST['token']))) {
-      die('Authentication failed.');
+  } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
+      CsrfToken::incorrectToken();
   }
 }
 //=================================

diff --git a/library/ajax/payment_ajax_jav.inc.php b/library/ajax/payment_ajax_jav.inc.php
@@ -109,7 +109,7 @@ function ajaxFunction(Source,SubmitOrSimple,SourceObject) {
     insurance_text_ajax: document.getElementById('type_code') ? document.getElementById('type_code').value : '',
 	encounter_patient_code:Source=='encounter' ? document.getElementById('hidden_patient_code').value : '',
 	submit_or_simple_type:SubmitOrSimple,
-	token: <?php echo $_SESSION['token'];?>
+	token: "<?php echo $_SESSION['token'];?>",
    },
    //async: false,
     success: function(thedata){

diff --git a/library/ajax/plan_setting.php b/library/ajax/plan_setting.php
@@ -27,7 +27,7 @@
   if (!isset($_POST['token'])) {
     CsrfToken::noTokenFoundError();
   } else if (!(CsrfToken::verifyCsrfToken($_POST['token']))) {
-      die('Authentication failed.');
+      CsrfToken::incorrectToken();
   }
 }
 //set the rule setting for patient (ensure all variables exist)