Security: Refactor cookie warning to avoid CSRF - refs BT#21289

AngelFQC · AngelFQC · commit ca2e7a58ac22 · 2023-12-14T03:42:53.000-05:00
diff --git a/index.php b/index.php
@@ -126,15 +126,13 @@
 $useCookieValidation = api_get_setting('cookie_warning');
 
 if ($useCookieValidation === 'true') {
-    if (isset($_POST['acceptCookies'])) {
-        api_set_site_use_cookie_warning_cookie();
-    } elseif (!api_site_use_cookie_warning_cookie_exist()) {
+    if (!api_site_use_cookie_warning_cookie_exist()) {
         if (Template::isToolBarDisplayedForUser()) {
             $controller->tpl->assign('toolBarDisplayed', true);
         } else {
             $controller->tpl->assign('toolBarDisplayed', false);
         }
-        $controller->tpl->assign('displayCookieUsageWarning', true);
+        $controller->tpl->enableCookieUsageWarning();
     }
 }
 // When loading a chamilo page do not include the hot courses and news
diff --git a/main/admin/index.php b/main/admin/index.php
@@ -1018,15 +1018,13 @@
 // Display the Site Use Cookie Warning Validation
 $useCookieValidation = api_get_setting('cookie_warning');
 if ($useCookieValidation === 'true') {
-    if (isset($_POST['acceptCookies'])) {
-        api_set_site_use_cookie_warning_cookie();
-    } elseif (!api_site_use_cookie_warning_cookie_exist()) {
+    if (!api_site_use_cookie_warning_cookie_exist()) {
         if (Template::isToolBarDisplayedForUser()) {
             $tpl->assign('toolBarDisplayed', true);
         } else {
             $tpl->assign('toolBarDisplayed', false);
         }
-        $tpl->assign('displayCookieUsageWarning', true);
+        $tpl->enableCookieUsageWarning();
     }
 }
 
diff --git a/main/inc/lib/template.lib.php b/main/inc/lib/template.lib.php
@@ -1317,6 +1317,42 @@ public static function displayLoginForm()
         return $html;
     }
 
+    public function enableCookieUsageWarning()
+    {
+        $form = new FormValidator(
+            'cookiewarning',
+            'post',
+            '',
+            '',
+            [
+                //'onsubmit' => "$(this).toggle('show')",
+            ],
+            FormValidator::LAYOUT_BOX_NO_LABEL
+        );
+        $form->addHidden('acceptCookies', '1');
+        $form->addHtml(
+            '<div class="cookieUsageValidation">
+                '.get_lang('YouAcceptCookies').'
+                <button class="btn btn-link" onclick="$(this).next().toggle(\'slow\'); $(this).toggle(\'slow\')" type="button">
+                    ('.get_lang('More').')
+                </button>
+                <div style="display:none; margin:20px 0;">
+                    '.get_lang('HelpCookieUsageValidation').'
+                </div>
+                <button class="btn btn-link" onclick="$(this).parents(\'form\').submit()" type="button">
+                    ('.get_lang('Accept').')
+                </button>
+            </div>'
+        );
+
+        if ($form->validate()) {
+            api_set_site_use_cookie_warning_cookie();
+        } else {
+            $form->protect();
+            $this->assign('frmDisplayCookieUsageWarning', $form->returnForm());
+        }
+    }
+
     /**
      * Returns the tutors names for the current course in session
      * Function to use in Twig templates.
diff --git a/main/template/default/layout/page.tpl b/main/template/default/layout/page.tpl
@@ -14,24 +14,10 @@
     <main id="main" dir="{{ text_direction }}" class="{{ section_name }} {{ login_class }}">
     <noscript>{{ "NoJavascript"|get_lang }}</noscript>
 
-            {% if displayCookieUsageWarning == true %}
+            {% if frmDisplayCookieUsageWarning %}
                 <!-- START DISPLAY COOKIES VALIDATION -->
                 <div class="toolbar-cookie alert-warning">
-                    <form onSubmit="$(this).toggle('slow')" action="" method="post">
-                        <input value=1 type="hidden" name="acceptCookies"/>
-                        <div class="cookieUsageValidation">
-                            {{ 'YouAcceptCookies' | get_lang }}
-                            <span style="margin-left:20px;" onclick="$(this).next().toggle('slow'); $(this).toggle('slow')">
-                                ({{"More" | get_lang }})
-                            </span>
-                            <div style="display:none; margin:20px 0;">
-                                {{ "HelpCookieUsageValidation" | get_lang}}
-                            </div>
-                            <span style="margin-left:20px;" onclick="$(this).parent().parent().submit()">
-                                ({{"Accept" | get_lang }})
-                            </span>
-                        </div>
-                    </form>
+                    {{ frmDisplayCookieUsageWarning }}
                 </div>
                 <!-- END DISPLAY COOKIES VALIDATION -->
             {% endif %}
diff --git a/main/template/default/layout/show_header.tpl b/main/template/default/layout/show_header.tpl
@@ -14,24 +14,10 @@
 <!-- START MAIN -->
 <main id="main" dir="{{ text_direction }}" class="{{ section_name }} {{ login_class }}">
     <noscript>{{ "NoJavascript"|get_lang }}</noscript>
-    {% if displayCookieUsageWarning == true %}
+    {% if frmDisplayCookieUsageWarning %}
         <!-- START DISPLAY COOKIES VALIDATION -->
         <div class="toolbar-cookie alert-warning">
-            <form onSubmit="$(this).toggle('slow')" action="" method="post">
-                <input value=1 type="hidden" name="acceptCookies"/>
-                <div class="cookieUsageValidation">
-                    {{ 'YouAcceptCookies' | get_lang }}
-                    <span style="margin-left:20px;" onclick="$(this).next().toggle('slow'); $(this).toggle('slow')">
-                                ({{"More" | get_lang }})
-                            </span>
-                    <div style="display:none; margin:20px 0;">
-                        {{ "HelpCookieUsageValidation" | get_lang}}
-                    </div>
-                    <span style="margin-left:20px;" onclick="$(this).parent().parent().submit()">
-                                ({{"Accept" | get_lang }})
-                            </span>
-                </div>
-            </form>
+            {{ frmDisplayCookieUsageWarning }}
         </div>
         <!-- END DISPLAY COOKIES VALIDATION -->
     {% endif %}
diff --git a/user_portal.php b/user_portal.php
@@ -295,17 +295,13 @@ function changeMyCoursesView(inView) {
 // Display the Site Use Cookie Warning Validation
 $useCookieValidation = api_get_setting('cookie_warning');
 if ($useCookieValidation === 'true') {
-    if (isset($_POST['acceptCookies'])) {
-        api_set_site_use_cookie_warning_cookie();
-    } else {
-        if (!api_site_use_cookie_warning_cookie_exist()) {
-            if (Template::isToolBarDisplayedForUser()) {
-                $controller->tpl->assign('toolBarDisplayed', true);
-            } else {
-                $controller->tpl->assign('toolBarDisplayed', false);
-            }
-            $controller->tpl->assign('displayCookieUsageWarning', true);
+    if (!api_site_use_cookie_warning_cookie_exist()) {
+        if (Template::isToolBarDisplayedForUser()) {
+            $controller->tpl->assign('toolBarDisplayed', true);
+        } else {
+            $controller->tpl->assign('toolBarDisplayed', false);
         }
+        $controller->tpl->enableCookieUsageWarning();
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -126,15 +126,13 @@`
`126`	`126`	`$useCookieValidation = api_get_setting('cookie_warning');`
`127`	`127`
`128`	`128`	`if ($useCookieValidation === 'true') {`
`129`		`- if (isset($_POST['acceptCookies'])) {`
`130`		`- api_set_site_use_cookie_warning_cookie();`
`131`		`- } elseif (!api_site_use_cookie_warning_cookie_exist()) {`
	`129`	`+ if (!api_site_use_cookie_warning_cookie_exist()) {`
`132`	`130`	`if (Template::isToolBarDisplayedForUser()) {`
`133`	`131`	`$controller->tpl->assign('toolBarDisplayed', true);`
`134`	`132`	`} else {`
`135`	`133`	`$controller->tpl->assign('toolBarDisplayed', false);`
`136`	`134`	`}`
`137`		`- $controller->tpl->assign('displayCookieUsageWarning', true);`
	`135`	`+ $controller->tpl->enableCookieUsageWarning();`
`138`	`136`	`}`
`139`	`137`	`}`
`140`	`138`	`// When loading a chamilo page do not include the hot courses and news`
Original file line number	Diff line number	Diff line change
`@@ -1018,15 +1018,13 @@`
`1018`	`1018`	`// Display the Site Use Cookie Warning Validation`
`1019`	`1019`	`$useCookieValidation = api_get_setting('cookie_warning');`
`1020`	`1020`	`if ($useCookieValidation === 'true') {`
`1021`		`- if (isset($_POST['acceptCookies'])) {`
`1022`		`- api_set_site_use_cookie_warning_cookie();`
`1023`		`- } elseif (!api_site_use_cookie_warning_cookie_exist()) {`
	`1021`	`+ if (!api_site_use_cookie_warning_cookie_exist()) {`
`1024`	`1022`	`if (Template::isToolBarDisplayedForUser()) {`
`1025`	`1023`	`$tpl->assign('toolBarDisplayed', true);`
`1026`	`1024`	`} else {`
`1027`	`1025`	`$tpl->assign('toolBarDisplayed', false);`
`1028`	`1026`	`}`
`1029`		`- $tpl->assign('displayCookieUsageWarning', true);`
	`1027`	`+ $tpl->enableCookieUsageWarning();`
`1030`	`1028`	`}`
`1031`	`1029`	`}`
`1032`	`1030`