Fix secruity issues (#1403)

* secure file uploads

* session hardening

* secure path traversal in uploads

* 50mb max from frontend

* restrict shellCommand and sanitize post filenames

* restrict and mask output on serverInfo endpoint

* csrf in admin forms

* escape ffmpeg inputs to prevent injection

* sanitize print filename and escape command args

* use shared admin_boot to enforce auth on admin pages

* sanitize random image dir to allowed roots

* validate theme export file before download

* add rate limiting and validation to sendPic

* add global frame/referrer/nosniff headers

* set uploads to 0644 with chmod warning

* log errors

* add ip-based throttling for password and pin login

* fixes

* add pin hashing

* fix

* harden shell command auth

* secure live chroma config with admin auth

* sanitize video effect filename

* tighten sendpic limits and validation

* sanitize download image param

* csrf token flow and rate limit for print

* sanitize file input in applyeffects

* protect rebuild imagedb with admin bootstrap

* protect checkversion with admin bootstrap

* sanitize delete photo input

* add csrf token to client calls, add csrf and rate limiting to printdb

* sanitize qrcode filename input

* add more csrf

* add more csrf

* fix csrf

* show msg on too many attempts

* Added keypad attempt reset FAQ

* fix saving password and pin

* fix saving password and pin

Author: reloxx13

admin/admin_boot.php

@@ -0,0 +1,42 @@
+<?php
+
+/** @var array $config */
+
+require_once __DIR__ . '/../lib/boot.php';
+
+use Photobooth\Service\ConfigurationService;
+use Photobooth\Utility\PathUtility;
+
+$config = ConfigurationService::getInstance()->getConfiguration();
+
+// Make sure CSRF helper is available even if only admin_boot is required
+if (!function_exists('checkCsrfOrFail')) {
+    /**
+     * @param  array<string,mixed>  $source
+     */
+    function checkCsrfOrFail(array $source, string $key = 'csrf'): void
+    {
+        $sessionToken  = $_SESSION[$key] ?? '';
+        $incomingToken = $source[$key] ?? '';
+        if (!hash_equals((string)$sessionToken, (string)$incomingToken)) {
+            $logger = Photobooth\Service\LoggerService::getInstance()->getLogger('main');
+            $logger->debug('CSRF validation failed', [
+                'expected' => $sessionToken,
+                'provided' => $incomingToken,
+                'path'     => $_SERVER['REQUEST_URI'] ?? '',
+                'method'   => $_SERVER['REQUEST_METHOD'] ?? '',
+            ]);
+            http_response_code(403);
+            echo json_encode(['error' => 'Invalid CSRF token']);
+            exit();
+        }
+    }
+}
+
+// Enforce admin session only when login is enabled
+if ($config['login']['enabled']) {
+    if (!isset($_SESSION['auth']) || $_SESSION['auth'] !== true) {
+        header('Location: ' . PathUtility::getPublicPath('login'));
+        exit();
+    }
+}

admin/captureconfig.php

@@ -1,24 +1,14 @@
 <?php
 
 /** @var array $config */
-require_once '../lib/boot.php';
+require_once __DIR__ . '/admin_boot.php';
 
 use Photobooth\Environment;
 use Photobooth\Service\ConfigurationService;
 use Photobooth\Service\LoggerService;
 use Photobooth\Service\ProcessService;
 use Photobooth\Utility\PathUtility;
 
-// Login / Authentication check
-if (!(
-    !$config['login']['enabled'] ||
-    (!$config['protect']['localhost_admin'] && isset($_SERVER['SERVER_ADDR']) &&  $_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) ||
-    (isset($_SESSION['auth']) && $_SESSION['auth'] === true) || !$config['protect']['admin']
-)) {
-    header('location: ' . PathUtility::getPublicPath('login'));
-    exit();
-}
-
 header('Content-Type: application/json');
 
 $loggerService = LoggerService::getInstance();

admin/debug/index.php

@@ -1,23 +1,13 @@
 <?php
 
-require_once '../../lib/boot.php';
+require_once __DIR__ . '/../admin_boot.php';
 
 use Photobooth\Environment;
 use Photobooth\Service\ApplicationService;
 use Photobooth\Service\AssetService;
 use Photobooth\Service\LanguageService;
 use Photobooth\Utility\PathUtility;
 
-// Login / Authentication check
-if (!(
-    !$config['login']['enabled'] ||
-    (!$config['protect']['localhost_admin'] && isset($_SERVER['SERVER_ADDR']) &&  $_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) ||
-    (isset($_SESSION['auth']) && $_SESSION['auth'] === true) || !$config['protect']['admin']
-)) {
-    header('location: ' . PathUtility::getPublicPath('login'));
-    exit();
-}
-
 $languageService = LanguageService::getInstance();
 $assetService = AssetService::getInstance();
 $pageTitle = 'Debugpanel - ' . ApplicationService::getInstance()->getTitle();

admin/diskusage/index.php

@@ -1,23 +1,13 @@
 <?php
 
-require_once '../../lib/boot.php';
+require_once __DIR__ . '/../admin_boot.php';
 
 use Photobooth\Enum\FolderEnum;
 use Photobooth\Helper;
 use Photobooth\Service\ApplicationService;
 use Photobooth\Service\LanguageService;
 use Photobooth\Utility\PathUtility;
 
-// Login / Authentication check
-if (!(
-    !$config['login']['enabled'] ||
-    (!$config['protect']['localhost_admin'] && isset($_SERVER['SERVER_ADDR']) &&  $_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) ||
-    (isset($_SESSION['auth']) && $_SESSION['auth'] === true) || !$config['protect']['admin']
-)) {
-    header('location: ' . PathUtility::getPublicPath('login'));
-    exit();
-}
-
 $languageService = LanguageService::getInstance();
 $pageTitle = 'Diskusage - ' . ApplicationService::getInstance()->getTitle();
 include PathUtility::getAbsolutePath('admin/components/head.admin.php');

admin/generator/index.php

@@ -1,5 +1,5 @@
 <?php
-require_once '../../lib/boot.php';
+require_once __DIR__ . '/../admin_boot.php';
 
 use Photobooth\Service\ConfigurationService;
 use Photobooth\Service\ApplicationService;
@@ -10,16 +10,6 @@
 use Photobooth\Utility\PathUtility;
 use Photobooth\Service\AssetService;
 
-// Login / Authentication check
-if (!(
-    !$config['login']['enabled'] ||
-    (!$config['protect']['localhost_admin'] && isset($_SERVER['SERVER_ADDR']) &&  $_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) ||
-    (isset($_SESSION['auth']) && $_SESSION['auth'] === true) || !$config['protect']['admin']
-)) {
-    header('location: ' . PathUtility::getPublicPath('login'));
-    exit();
-}
-
 $configurationService = ConfigurationService::getInstance();
 
 $error = false;

admin/index.php

@@ -1,20 +1,10 @@
 <?php
 
-require_once '../lib/boot.php';
+require_once __DIR__ . '/admin_boot.php';
 
 use Photobooth\Service\ApplicationService;
 use Photobooth\Utility\PathUtility;
 
-// Login / Authentication check
-if (!(
-    !$config['login']['enabled'] ||
-    (!$config['protect']['localhost_admin'] && isset($_SERVER['SERVER_ADDR']) &&  $_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) ||
-    (isset($_SESSION['auth']) && $_SESSION['auth'] === true) || !$config['protect']['admin']
-)) {
-    header('location: ' . PathUtility::getPublicPath('login'));
-    exit();
-}
-
 $configsetup = require PathUtility::getAbsolutePath('lib/configsetup.inc.php');
 
 $appName = ApplicationService::getInstance()->getTitle();

admin/upload/index.php

@@ -1,22 +1,18 @@
 <?php
 
-require_once '../../lib/boot.php';
+require_once __DIR__ . '/../admin_boot.php';
 
 use Photobooth\FileUploader;
 use Photobooth\Service\ApplicationService;
 use Photobooth\Service\LanguageService;
 use Photobooth\Utility\PathUtility;
 use Photobooth\Service\LoggerService;
 
-// Login / Authentication check
-if (!(
-    !$config['login']['enabled'] ||
-    (!$config['protect']['localhost_admin'] && isset($_SERVER['SERVER_ADDR']) &&  $_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) ||
-    (isset($_SESSION['auth']) && $_SESSION['auth'] === true) || !$config['protect']['admin']
-)) {
-    header('location: ' . PathUtility::getPublicPath('login'));
-    exit();
+// CSRF token helper
+if (!isset($_SESSION['csrf_token'])) {
+    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
 }
+$csrfToken = $_SESSION['csrf_token'];
 
 $logger = LoggerService::getInstance()->getLogger('main');
 $logger->debug(basename($_SERVER['PHP_SELF']));
@@ -36,26 +32,33 @@
 $max_file_size = ini_get('upload_max_filesize');
 
 if (isset($_POST['submit'])) {
+    if (!isset($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
+        $errors['csrf'] = 'csrf';
+    }
+
     $folderName = $_POST['folder_name'];
     $uploadedFiles = $_FILES['files'];
 
-    $uploader = new FileUploader($folderName, $uploadedFiles, $logger);
-    $response = $uploader->uploadFiles();
-
-    list($success, $message, $errors, $uploadedFiles, $failedFiles) = [
-        $response['success'],
-        $response['message'],
-        $response['errors'],
-        $response['uploadedFiles'],
-        $response['failedFiles']
-    ];
+    if (!isset($errors['csrf'])) {
+        $uploader = new FileUploader($folderName, $uploadedFiles, $logger);
+        $response = $uploader->uploadFiles();
+
+        list($success, $message, $errors, $uploadedFiles, $failedFiles) = [
+            $response['success'],
+            $response['message'],
+            $response['errors'],
+            $response['uploadedFiles'],
+            $response['failedFiles']
+        ];
+    }
 }
 ?>
 
 <div class="w-full h-screen grid place-items-center absolute bg-brand-2 px-6 py-12 overflow-x-hidden overflow-y-auto">
     <div class="w-full flex items-center justify-center flex-col">
         <div class="w-full max-w-xl rounded-lg p-8 bg-white flex flex-col shadow-xl">
             <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST" enctype="multipart/form-data">
+                <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($csrfToken); ?>">
                 <div class="w-full flex flex-col items-center justify-center text-2xl font-bold text-brand-1 mb-2">
                     File uploader
                 </div>
@@ -76,16 +79,21 @@
                     <label class="<?= $labelClass ?>" for="files"><?=$languageService->translate('upload_selection')?></label>
                     <input class="<?= $labelClass ?>" type="file" name="files[]" id="files" multiple accept="image/*, video/*, .ttf" required>
                     <div class="my-2"><?= $languageService->translate('file_upload_max_size') ?> <?= $max_file_size ?></div>
+                    <?php
+                        if (isset($errors['csrf'])) {
+                            echo '<div class="flex flex-col justify-between p-2 rounded-sm bg-red-300 text-red-800 border-2 border-red-800">' . $languageService->translate('invalid_session') . '</div>';
+                        }
+?>
                 </div>
 
                 <?php
-                    if (count($failedFiles) > 0) {
-                        echo '<div class="flex flex-col gap-2">';
-                        foreach ($failedFiles as $fileName => $reason) {
-                            echo '<div class="flex flex-col justify-between p-2 rounded-sm bg-red-300 text-red-800 border-2 border-red-800"><div class="col-span-1">' . $fileName . '</div><div class="col-span-1">' . $languageService->translate($reason) . '</div></div>';
-                        }
-                        echo '</div>';
-                    }
+if (count($failedFiles) > 0) {
+    echo '<div class="flex flex-col gap-2">';
+    foreach ($failedFiles as $fileName => $reason) {
+        echo '<div class="flex flex-col justify-between p-2 rounded-sm bg-red-300 text-red-800 border-2 border-red-800"><div class="col-span-1">' . $fileName . '</div><div class="col-span-1">' . $languageService->translate($reason) . '</div></div>';
+    }
+    echo '</div>';
+}
 ?>
 
                 <div class="mt-6">

admin/wgetcaptureconfig.php

@@ -1,24 +1,14 @@
 <?php
 
 /** @var array $config */
-require_once '../lib/boot.php';
+require_once __DIR__ . '/admin_boot.php';
 
 use Photobooth\Environment;
 use Photobooth\Service\ConfigurationService;
 use Photobooth\Service\LoggerService;
 use Photobooth\Service\ProcessService;
 use Photobooth\Utility\PathUtility;
 
-// Login / Authentication check
-if (!(
-    !$config['login']['enabled'] ||
-    (!$config['protect']['localhost_admin'] && isset($_SERVER['SERVER_ADDR']) &&  $_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) ||
-    (isset($_SESSION['auth']) && $_SESSION['auth'] === true) || !$config['protect']['admin']
-)) {
-    header('location: ' . PathUtility::getPublicPath('login'));
-    exit();
-}
-
 header('Content-Type: application/json');
 
 $loggerService = LoggerService::getInstance();