diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 57ce1de3..ef824e7f 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -5,6 +5,10 @@ Changelog
Not yet released
----------------
+v3.3.2 (released November 22, 2018)
+--------------------------------
+* #679: Fixed CSRF vulnerability, added CSRF-token to delete-URLs.
+
v3.3.1 (released August 10, 2018)
--------------------------------
diff --git a/README.rst b/README.rst
index c3a86aab..be39c348 100755
--- a/README.rst
+++ b/README.rst
@@ -5,7 +5,7 @@ PHP Server Monitor
:alt: Join the chat at https://gitter.im/erickrf/nlpnet
:target: https://gitter.im/phpservermon/phpservermon
-Version 3.3.0
+Version 3.3.2
PHP Server Monitor is a script that checks whether your websites and servers are up and running.
diff --git a/src/includes/psmconfig.inc.php b/src/includes/psmconfig.inc.php
index 51753238..d575b301 100644
--- a/src/includes/psmconfig.inc.php
+++ b/src/includes/psmconfig.inc.php
@@ -29,7 +29,7 @@
/**
* Current PSM version
*/
-define('PSM_VERSION', '3.3.1');
+define('PSM_VERSION', '3.3.2');
/**
* URL to check for updates. Will not be checked if turned off on config page.
diff --git a/src/psm/Router.php b/src/psm/Router.php
index 782a9a88..04f52dbe 100644
--- a/src/psm/Router.php
+++ b/src/psm/Router.php
@@ -175,6 +175,25 @@ class Router {
}
}
}
+ if ($request->getMethod() == 'GET' && $request->query->get('action', '') == "delete") {
+ // require CSRF token for all GET calls that delete something
+ $session = $this->container->get('user')->getSession();
+ $token_in = $request->query->get('csrf', '');
+ $csrf_key = $controller->getCSRFKey();
+
+ if (empty($csrf_key)) {
+ if (!hash_equals($session->get('csrf_token'), $token_in)) {
+ throw new \InvalidArgumentException('invalid_csrf_token');
+ }
+ } else {
+ if (!hash_equals(
+ hash_hmac('sha256', $csrf_key, $session->get('csrf_token2')),
+ $token_in
+ )) {
+ throw new \InvalidArgumentException('invalid_csrf_token');
+ }
+ }
+ }
// get min required level for this controller and make sure the user matches
$min_lvl = $controller->getMinUserLevelRequired();
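Review bot: In the new block both `hash_equals()` calls pass `$session->get('csrf_token')` / `$session->get('csrf_token2')` straight through, and if the session has no token yet (a fresh or expired session) that value is `null`, which on PHP 8 is a `TypeError` rather than the intended `invalid_csrf_token` rejection; casting both operands keeps the comparison constant-time and makes a missing token fail closed, e.g. `if (!hash_equals((string) $session->get('csrf_token'), (string) $token_in)) {` and the same `(string)` on the HMAC branch. The guard `$request->getMethod() == 'GET'` also lets a `HEAD ?action=delete` request skip the check entirely if the rest of the router serves HEAD like GET (which I cannot confirm from this hunk); `in_array($request->getMethod(), ['GET', 'HEAD'], true) && $request->query->get('action', '') === 'delete'` would close that and replace the loose `==` with strict comparison. The enclosing method begins and ends outside this hunk, so I could not verify that POST deletes are covered by a separate check.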
diff --git a/src/templates/default/main/macros.tpl.html b/src/templates/default/main/macros.tpl.html
index 47fb8fcc..63d6dca1 100644
--- a/src/templates/default/main/macros.tpl.html
+++ b/src/templates/default/main/macros.tpl.html
@@ -1,3 +1,7 @@
{% macro csrf_input() %}
+{% endmacro %}
+
+{% macro csrf_query() %}
+&csrf={{ csrf_token(csrf_key|default('')) }}
{% endmacro %}
\ No newline at end of file
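Review bot: The new `csrf_query` macro has no comment explaining its contract, yet it only composes correctly when the caller's URL already carries a query string (it emits a leading `&`) and when `csrf_key` is set to the same value the controller's `getCSRFKey()` returns, since the `|default('')` fallback silently produces the session-level token and the router would then reject the request as `invalid_csrf_token` on controllers that do define a key. I would add a Twig comment above the macro stating that it must be appended to a URL that already contains `?action=delete` and that the importing template must expose `csrf_key` for controllers with a CSRF key, so future templates do not trip over the empty-string default. This is a documentation-only suggestion; the macro body itself is fine as far as I can tell from this hunk.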
diff --git a/src/templates/default/module/server/log.tpl.html b/src/templates/default/module/server/log.tpl.html
index 6edfb760..27191640 100644
--- a/src/templates/default/module/server/log.tpl.html
+++ b/src/templates/default/module/server/log.tpl.html
@@ -1,5 +1,6 @@
+{% import 'main/macros.tpl.html' as macro %}
{% if has_admin_actions %}
-
+
{{ label_clear_log }}
diff --git a/src/templates/default/module/server/server/list.tpl.html b/src/templates/default/module/server/server/list.tpl.html
index 9ab2ec66..acb6daa1 100644
--- a/src/templates/default/module/server/server/list.tpl.html
+++ b/src/templates/default/module/server/server/list.tpl.html
@@ -1,3 +1,4 @@
+{% import 'main/macros.tpl.html' as macro %}