Merge pull request #4 from mikeycgto/csrf_fix

Updates for CSRF protection

app.rb

@@ -232,6 +232,10 @@ get '/privacy' do
   slim :'privacy'
 end
 
+before do
+  redirect '/' if request.post? && !csrf_safe?
+end
+
 def sites_name_redirect
   path = request.path.gsub "/sites/#{params[:name]}", ''
   # path += "/#{params[:file]}" unless params[:file].nil?
@@ -244,15 +248,19 @@ def dashboard_if_signed_in
 end
 
 def require_login_ajax
-  halt 'You are not logged in!' unless signed_in? && csrf_safe
+  halt 'You are not logged in!' unless signed_in?
 end
 
-def csrf_safe
-  (request.referer =~ /.+\.neocities\.org/i).nil?
+def csrf_safe?
+  csrf_token == params[:csrf_token] || csrf_token == request.env['HTTP_X_CSRF_TOKEN']
+end
+
+def csrf_token
+   session[:_csrf_token] ||= SecureRandom.base64(32)
 end
 
 def require_login
-  redirect '/' unless signed_in? && csrf_safe
+  redirect '/' unless signed_in?
 end
 
 def signed_in?

views/dashboard.slim

@@ -66,6 +66,7 @@ javascript:
         h4: a href="/site_files/#{current_site.username}.zip" Download Entire Site
 
 form method="POST" action="/site_files/delete" id="deleteFilenameForm"
+  input name="csrf_token" type="hidden" value="#{csrf_token}"
   input type="hidden" id="deleteFilenameInput" name="filename"
 
 .modal.hide.fade id="deleteConfirmModal" tabindex="-1" role="dialog" aria-labelledby="deleteConfirmModalLabel" aria-hidden="true"

views/layout.slim

@@ -9,6 +9,7 @@ html
     link href="/css/styles.css" rel="stylesheet"
     meta property="og:title" content="NeoCities"
     meta property="og:description" content="NeoCities is the new Geocities. Create your own free home page, and do whatever you want with it."
+    meta name="csrf-token" content="#{csrf_token}"
     script src="/js/jquery.min.js"
 
   body
@@ -40,6 +41,16 @@ html
 
   script src="/js/bootstrap.min.js"
 
+  javascript:
+    !function(){
+      var csrf_token = $('meta[name="csrf-token"]').attr('content');
+
+      $(document).ajaxSend(function(ev, jqxhr){
+        jqxhr.setRequestHeader('X-CSRF-Token', csrf_token);
+      });
+    }();
+
+
   javascript:
     (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
     (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),

views/new.slim

@@ -15,6 +15,7 @@ javascript:
 .row
   .span8.offset3
     form method="POST" action="/create"
+      input name="csrf_token" type="hidden" value="#{csrf_token}"
       h2 Create a new Home Page
 
       .row

views/signin.slim

@@ -5,6 +5,8 @@
   .row
     .span12
       form method="POST" action="/signin"
+        input name="csrf_token" type="hidden" value="#{csrf_token}"
+
         fieldset
           div: input name="username" type="text" placeholder="Your username"
           div: input name="password" type="password" placeholder="Your password"

views/site_files/new.slim

@@ -13,6 +13,7 @@
 .row
   .span12.text-center
     form method="POST" action="/site_files/upload" enctype="multipart/form-data"
+      input name="csrf_token" type="hidden" value="#{csrf_token}"
       h4 Select a file from your computer:
       h4: input type="file" name="newfile"
       p: input.btn.btn-success.btn-large type="submit" value="Upload File"