From 1ff8579575e04d9c535ae3eb9bfd8d7fd5d42a21 Mon Sep 17 00:00:00 2001
From: Omar Roth
Date: Thu, 8 Nov 2018 00:29:20 -0600
Subject: [PATCH] Check user_id as part of validating CSRF tokens
---
 src/invidious.cr | 4 ++--
 src/invidious/helpers/helpers.cr | 10 +++++++---
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/invidious.cr b/src/invidious.cr
index 7cf60531..cb8f011f 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -1429,7 +1429,7 @@ post "/delete_account" do |env|
 token = env.params.body["token"]?
 begin
- validate_response(challenge, token, "delete_account", HMAC_KEY)
+ validate_response(challenge, token, user.email, "delete_account", HMAC_KEY)
 rescue ex
 error_message = ex.message
 next templated "error"
@@ -1474,7 +1474,7 @@ post "/clear_watch_history" do |env|
 token = env.params.body["token"]?
 begin
- validate_response(challenge, token, "clear_watch_history", HMAC_KEY)
+ validate_response(challenge, token, user.email, "clear_watch_history", HMAC_KEY)
 rescue ex
 error_message = ex.message
 next templated "error"
diff --git a/src/invidious/helpers/helpers.cr b/src/invidious/helpers/helpers.cr
index 65493790..46b2c7b7 100644
--- a/src/invidious/helpers/helpers.cr
+++ b/src/invidious/helpers/helpers.cr
@@ -403,7 +403,7 @@ def create_response(user_id, operation, key)
 return challenge, token
 end
- def validate_response(challenge, token, action, key)
+ def validate_response(challenge, token, user_id, operation, key)
 if !challenge
 raise "Hidden field \"challenge\" is a required field"
 end
@@ -414,7 +414,7 @@ def validate_response(challenge, token, action, key)
 challenge = Base64.decode_string(challenge)
 if challenge.split("-").size == 4
- expire, nonce, user_id, operation = challenge.split("-")
+ expire, nonce, challenge_user_id, challenge_operation = challenge.split("-")
 expire = expire.to_i?
 expire ||= 0
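Review bot: The new `user.email` argument on the `validate_response` call is compared against a component of a `-`-delimited challenge (the helpers.cr hunk at -414 only destructures when `challenge.split("-").size == 4`), so if `create_response` joins the same e-mail into the challenge, any account whose address contains a hyphen would fail the size check and could never complete this action. `create_response` is not visible here, so this is inferred; a delimiter that cannot appear in an e-mail address, or encoding the user_id component before joining, would remove the ambiguity. The same call shape appears in the `/clear_watch_history` hunk at -1474. The enclosing `post "/delete_account"` block starts and ends outside the hunk, so where `user` is loaded is not visible.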
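Review bot: The new `validate_response(challenge, token, user_id, operation, key)` signature in the helpers.cr hunk at -403 carries no comment stating what callers must pass or what the decoded challenge is expected to contain, and the rename from `action` to `operation` together with the inserted positional `user_id` changes the argument order for every caller. A comment above the `def` would make the contract explicit, e.g. `# Validates a CSRF challenge/token pair produced by create_response. The decoded challenge` / `# must hold "expire-nonce-user_id-operation"; user_id and operation must match the current` / `# request, otherwise "Invalid token" is raised.` The body of `create_response` ends inside this hunk but starts outside it, so whether it encodes user_id with that layout cannot be confirmed from here.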
@@ -429,7 +429,11 @@ def validate_response(challenge, token, action, key) raise "Invalid token" end - if operation != action + if challenge_operation != operation + raise "Invalid token" + end + + if challenge_user_id != user_id raise "Invalid token" end
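Review bot: The two added checks on `challenge_operation` and `challenge_user_id` sit directly after each other and raise the same `"Invalid token"`, so they read more clearly as one guard: `if challenge_operation != operation || challenge_user_id != user_id` / `raise "Invalid token"` / `end`. Keeping one undifferentiated message for every mismatch is the right choice here, since a distinct error per component would reveal which part of a forged challenge was wrong. The `raise "Invalid token"` context preceding the hunk appears to be the token comparison, so the challenge fields are presumably only trusted after the token has been verified; confirm that ordering, as the rest of `validate_response` lies outside the hunk.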