<?php

use Foodsharing\Lib\Cache\Caching;
use Foodsharing\Lib\Db\Mem;
use Foodsharing\Lib\Session;
use Foodsharing\Lib\Xhr\XhrMethods;
use Symfony\Component\DependencyInjection\Container;
use Foodsharing\Lib\Xhr\XhrResponses;

require __DIR__ . '/includes/setup.php';
require_once 'config.inc.php';

/*
	Methods which are exempt from the CSRF protection: a request whose `f`
	parameter names one of these methods is dispatched below without the
	isValidCsrfHeader() check.
	The list started with every method and entries are removed one by one;
	the commented-out names record what has already been taken off.
	NEVER ADD SOMETHING TO THIS LIST!

	NOTE(review): every remaining live entry below is reachable without a CSRF
	header — confirm each one still needs the exemption.
*/
$csrf_whitelist = [
	// 'getPinPost',
	// 'activeSwitch',
	// 'grabInfo',
	// 'addPinPost',
	// 'childBezirke',
	'bBubble',
	// 'loadMarker',
	// 'uploadPictureRefactorMeSoon',
	'uploadPicture',
	// 'cropagain',
	'pictureCrop',
	// 'out',
	// 'getRecip',
	'addPhoto',
	// 'continueMail',
	'uploadPhoto',
	// 'update_newbezirk',
	// 'update_abholen',
	// 'bezirkTree',
	// 'bteamstatus',
	// 'getBezirk',
	// 'acceptBezirkRequest',
	// 'denyBezirkRequest',
	// 'denyRequest',
	// 'acceptRequest',
	// 'warteRequest',
	// 'betriebRequest',
	// 'saveBezirk',
	// 'delDate',
	// 'fetchDeny',
	// 'fetchConfirm',
	// 'delBPost',
	// 'delPost',
	// 'abortEmail',
	// 'bcontext'
];

/** @var Container $container */
global $container;
$container = initializeContainer();

/** @var Session $session */
$session = $container->get(Session::class);
// presumably only resumes a session when a session cookie is present and starts
// nothing for anonymous requests — confirm in Session
$session->initIfCookieExists();

/** @var Mem $mem */
$mem = $container->get(Mem::class);

/** @var \Foodsharing\Modules\Core\InfluxMetrics $influxdb */
$influxdb = $container->get(\Foodsharing\Modules\Core\InfluxMetrics::class);

// $g_page_cache is not defined in this file (presumably set by setup.php or
// config.inc.php — confirm). NOTE(review): this lookup runs before the CSRF
// header check further down, so if lookup() serves a cached response and
// exits, that response bypasses the check; only cache read-only output.
if (isset($g_page_cache)) {
	$cache = new Caching($g_page_cache, $session, $mem, $influxdb);
	$cache->lookup();
}

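require_once 'lang/DE/de.php';

/*
 * XHR dispatcher: the `f` query parameter names a method `xhr_<f>` on
 * XhrMethods, which is called with the whole $_GET array; its return value
 * (plus anything it echoes) becomes the response body.
 */
// Read `f` defensively: the original read $_GET['f'] before checking it was
// set, which emits an undefined-index warning on every request without `f`.
$action = isset($_GET['f']) ? $_GET['f'] : null;

$mem->updateActivity($session->id());

// Only a string can name a method. `?f[]=...` would otherwise be stringified
// to "Array" by the concatenation below, so arrays are rejected up front.
if (is_string($action)) {
	// Every method not on $csrf_whitelist requires a valid CSRF header.
	// strict: true so that no loosely-equal value can match a whitelist entry.
	if (!in_array($action, $csrf_whitelist, true) && !$session->isValidCsrfHeader()) {
		header('HTTP/1.1 403 Forbidden');
		die('CSRF Failed: CSRF token missing or incorrect.');
	}

	/** @var XhrMethods $xhr */
	$xhr = $container->get(XhrMethods::class);
	$func = 'xhr_' . $action;
	if (method_exists($xhr, $func)) {
		// InfluxMetrics was already resolved as $influxdb above; reuse it rather
		// than fetching the service from the container a second time.
		$influxdb->addPageStatData(['controller' => $func]);

		// Capture the returned value together with any direct output of the method.
		ob_start();
		echo $xhr->$func($_GET);
		$page = ob_get_clean();

		if ($page === XhrResponses::PERMISSION_DENIED) {
			header('HTTP/1.1 403 Forbidden');
			die('Permission denied');
		}

		// Never let the browser sniff a response from this endpoint into text/html.
		header('X-Content-Type-Options: nosniff');

		// Heuristic: an empty body (or a bare "0", which the old !trim() test also
		// treated as empty) or one starting with '{' / '[' is assumed to be JSON,
		// so the browser does not interpret it as HTML (which could allow XSS).
		if (is_string($page)) {
			$trimmed = trim($page);
			if ($trimmed === '' || $trimmed === '0' || $page[0] === '{' || $page[0] === '[') {
				header('Content-Type: application/json');
			}
		}

		// Store the rendered body when page caching is enabled for this request.
		if (isset($cache) && $cache->shouldCache()) {
			$cache->cache($page);
		}

		echo $page;
	}
}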