From 2bb066729985c60a842b8571765f1cf2c35b3fc8 Mon Sep 17 00:00:00 2001 From: Charlie Merland Date: Fri, 7 Aug 2015 00:34:34 +0200 Subject: [PATCH] Implement nonces on edit/post forms (#1342 #1248) + fix JS onbeforeunload overuse --- edit.php | 3 ++- include/class/luna_nonces.php | 41 +++++++++++++++++++++++++++++++++++ include/draw_functions.php | 13 +++++++++-- post.php | 4 +++- 4 files changed, 57 insertions(+), 4 deletions(-) diff --git a/edit.php b/edit.php index 0b7f59119..7acea0b35 100755 --- a/edit.php +++ b/edit.php @@ -52,7 +52,8 @@ if (isset($_POST['form_sent'])) { // Make sure they got here from the site - confirm_referrer('edit.php'); + if (!isset($_POST['_luna_nonce_edit_post']) || !LunaNonces::verify($_POST['_luna_nonce_edit_post'],'edit-post')) + message(__('Are you sure you want to do this?', 'luna')); // If it's a topic it must contain a subject if ($can_edit_subject) { diff --git a/include/class/luna_nonces.php b/include/class/luna_nonces.php index b13ad2b9b..5a8d36a22 100644 --- a/include/class/luna_nonces.php +++ b/include/class/luna_nonces.php @@ -166,6 +166,29 @@ private function _create() { return $this->nonce; } + /** + * Output a nonce field. + * + * Create a HTML field to store the nonce. If no name is set for + * the field, generate a default one based on the action. + * + * @since 1.1 + * + * @param string $action Nonce action + * @param string $name Name of the field + * + * @return void + */ + private function _field($name = null) { + + $nonce = $this->_create(); + if ( is_null( $name ) ) { + $name = '_luna_nonce_' . str_replace( '-', '_', strtolower( $this->action ) ); + } + + echo ''; + } + /** * Check a nonce validity. * 
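Review bot: The nonce in the new check is bound only to the constant action `'edit-post'`, so a token issued for one edit form is accepted for any other post the same user may edit; binding it to the post being edited (appending the post id to the action string on both the emitted field and the `verify()` call) limits what a leaked or replayed token can be used for. The rejection path calls `message(__('Are you sure you want to do this?', 'luna'))`, which gives the user no hint that the form simply expired; a message such as 'Your session has expired, please resubmit the form' would be clearer. This assumes `message()` terminates the request as the removed `confirm_referrer()` did — if it returns, the edit continues unverified. The enclosing `if (isset($_POST['form_sent']))` block continues outside the hunk.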
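Review bot: The docblock on `_field()` lists `@param string $action`, but the method only takes `$name` and reads the action from `$this->action`; drop that tag and document `$name` as `Field name; defaults to '_luna_nonce_<action>' with dashes replaced by underscores`. The `echo` argument is not readable in this copy of the diff, but since `$name` is caller-supplied and `$nonce` comes from `_create()`, both should go through `htmlspecialchars()` (or the `luna_htmlspecialchars()` helper used in draw_functions.php) before being written into attribute values. `is_null( $name )` is more idiomatically `$name === null`. The LunaNonces class continues outside the hunk.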
@@ -231,6 +254,24 @@ public static function verify($nonce, $action = -1) { return $check; } + /** + * Output a nonce field. + * + * This method is static and can be called publicly. + * + * @since 1.1 + * + * @param string $action Nonce action + * @param string $name Name of the field + * + * @return void + */ + public static function field($action = -1, $name = null) { + + $nonce = new LunaNonces($action); + $nonce = $nonce->_field($name); + } + /** * Match to hash againts each other to determine if they're identical. * diff --git a/include/draw_functions.php b/include/draw_functions.php index 9cefe5936..92effc33b 100755 --- a/include/draw_functions.php +++ b/include/draw_functions.php @@ -168,10 +168,19 @@ function draw_editor($height) { elseif (FORUM_ACTIVE_PAGE == 'new-inbox') echo luna_htmlspecialchars(isset($p_message) ? $p_message : ''); ?> +
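Review bot: `field()` assigns the result of `$nonce->_field($name)` back into `$nonce`, but `_field()` is documented `@return void` and only echoes, so the second assignment stores null and is dead; the body reduces to `(new LunaNonces($action))->_field($name);`. The docblock notes that the method is static but says nothing about the `-1` default for `$action`, which `verify()` shares; presumably it means "no specific action", and a nonce created that way would be accepted by any caller that also verifies with the default, which weakens the CSRF protection this commit introduces. A one-line note on both methods, or rejecting the default in `field()`, would make that explicit. The LunaNonces class continues outside the hunk.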
- - + +
diff --git a/post.php b/post.php index 66dd41add..a0ae1ddbc 100755 --- a/post.php +++ b/post.php @@ -54,7 +54,9 @@ $errors[] = sprintf(__('At least %s seconds have to pass between posts. Please wait %s seconds and try posting again.', 'luna'), $luna_user['g_post_flood'], $luna_user['g_post_flood'] - (time() - $luna_user['last_post'])); // Make sure they got here from the site - confirm_referrer(array('post.php', 'viewtopic.php')); + if (($fid && (!isset($_POST['_luna_nonce_post_topic']) || !LunaNonces::verify($_POST['_luna_nonce_post_topic'],'post-reply'))) || + (!$fid && (!isset($_POST['_luna_nonce_post_reply']) || !LunaNonces::verify($_POST['_luna_nonce_post_reply'],'post-reply')))) + message(__('Are you sure you want to do this?', 'luna')); // If it's a new topic if ($fid) {
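Review bot: In the new-topic branch (`$fid` set) the field `_luna_nonce_post_topic` is verified against the action `'post-reply'`, yet `_field()` in luna_nonces.php derives that field name from the action `'post-topic'`; unless draw_editor() emits the field with an explicit name, `LunaNonces::verify($_POST['_luna_nonce_post_topic'],'post-reply')` never matches and every new topic is rejected. The fix is the action string in that branch: `!LunaNonces::verify($_POST['_luna_nonce_post_topic'], 'post-topic')`. The draw_editor() hunk that emits the fields is not readable in this copy of the diff, so this is inferred from the naming rule visible in luna_nonces.php. As in edit.php, the failure message gives no hint that the form expired, and the check relies on `message()` terminating the request. The enclosing block starts and ends outside the hunk.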