prevent sending sms twice + share cache functions in dedicated lib/cache.php (#763)

htdocs/index.php

@@ -15,6 +15,7 @@
 #==============================================================================
 require_once("../vendor/autoload.php");
 require_once("../lib/functions.inc.php");
+require_once(__DIR__."/../lib/cache.php");
 
 use Symfony\Component\Cache\Adapter\FilesystemAdapter;
 
@@ -402,6 +403,7 @@
 if (isset($usermail)) { $smarty->assign('usermail', $usermail); }
 if (isset($displayname[0])) { $smarty->assign('displayname', $displayname[0]); }
 if (isset($encrypted_sms_login)) { $smarty->assign('encrypted_sms_login', $encrypted_sms_login); }
+if (isset($formtoken)) { $smarty->assign('formtoken', $formtoken); }
 
 # Set error message, criticity and fa_class
 

htdocs/sendsms.php

@@ -70,6 +70,10 @@
             $result = "loginrequired";
         }
         if ((!$login) and (!$phone)){
+            if(!$sms_use_ldap)
+            {
+                $formtoken = generate_form_token($sspCache, $cache_form_expiration);
+            }
             $result = "emptysendsmsform";
         }
     }
@@ -143,6 +147,10 @@
         $login = strval($_REQUEST["login"]);
         $result = check_username_validity($login,$login_forbidden_chars);
     }else{
+        if(!$sms_use_ldap)
+        {
+            $formtoken = generate_form_token($sspCache, $cache_form_expiration);
+        }
         $result = "emptysendsmsform";
     }
 }
@@ -186,6 +194,9 @@
             if ( $sms_partially_hide_number ) {
                 $smsdisplay = substr_replace($sms, '****', 4 , 4);
             }
+
+            $formtoken = generate_form_token($sspCache, $cache_form_expiration);
+
             $result = "smsuserfound";
         }
         if ($use_ratelimit) {
@@ -197,6 +208,17 @@
     }
 }
 
+#==============================================================================
+# Check formtoken
+#==============================================================================
+if ($result === "sendsms") {
+    $formtoken = strval($_REQUEST["formtoken"]);
+    $formtoken_result = verify_form_token($sspCache, $formtoken);
+    if($formtoken_result == "invalidformtoken")
+    {
+        $result = $formtoken_result;
+    }
+}
 
 #==============================================================================
 # Generate sms token and send by sms

htdocs/sendtoken.php

@@ -57,13 +57,7 @@
 
     $result = "emptysendtokenform";
 
-    # Generate formtoken
-    $formtoken = hash('sha256', bin2hex(random_bytes(16)));
-    $cachedToken = $sspCache->getItem($formtoken);
-    $cachedToken->set($formtoken);
-    $cachedToken->expiresAfter($cache_form_expiration);
-    $sspCache->save($cachedToken);
-    error_log("generated form token: " . $formtoken . " valid for $cache_form_expiration s");
+    $formtoken = generate_form_token($sspCache, $cache_form_expiration);
 }
 
 # Check the entered username for characters that our installation doesn't support
@@ -77,17 +71,7 @@
 
 if ( !$result ) {
     $formtoken = strval($_REQUEST["formtoken"]);
-    $cachedToken = $sspCache->getItem($formtoken);
-    if( $cachedToken->get() == $formtoken )
-    {
-        # Remove session
-        $sspCache->deleteItem($formtoken);
-    }
-    else
-    {
-        error_log("Invalid form token: sent: $formtoken, stored: " . $cachedToken->get());
-        $result = "invalidformtoken";
-    }
+    $result = verify_form_token($sspCache, $formtoken);
 }
 
 #==============================================================================

lib/cache.php

@@ -0,0 +1,35 @@
+<?php
+
+require_once("../vendor/autoload.php");
+use Symfony\Component\Cache\Adapter\FilesystemAdapter;
+
+function generate_form_token($sspCache, $cache_form_expiration)
+{
+    $formtoken = hash('sha256', bin2hex(random_bytes(16)));
+    $cachedToken = $sspCache->getItem($formtoken);
+    $cachedToken->set($formtoken);
+    $cachedToken->expiresAfter($cache_form_expiration);
+    $sspCache->save($cachedToken);
+    error_log("generated form token: " . $formtoken . " valid for $cache_form_expiration s");
+    return $formtoken;
+}
+
+function verify_form_token($sspCache, $formtoken)
+{
+    $formtoken = strval($_REQUEST["formtoken"]);
+    $result = "";
+    $cachedToken = $sspCache->getItem($formtoken);
+    if( $cachedToken->isHit() && $cachedToken->get() == $formtoken )
+    {
+        # Remove session
+        $sspCache->deleteItem($formtoken);
+    }
+    else
+    {
+        error_log("Invalid form token: sent: $formtoken, stored: " . $cachedToken->get());
+        $result = "invalidformtoken";
+    }
+    return $result;
+}
+
+?>

templates/sendsms.tpl

@@ -20,6 +20,7 @@
                 <p class="form-control-static">{$smsdisplay}</p>
             </div>
         </div>
+        <input type="hidden" name="formtoken" value="{$formtoken}" />
         <input type="hidden" name="encrypted_sms_login" value="{$encrypted_sms_login}" />
         <div class="row mb-3">
             <div class="offset-sm-4 col-sm-8">
@@ -82,6 +83,7 @@
             {$captcha_html nofilter}
         {/if}
         {if !$sms_use_ldap}
+          <input type="hidden" name="formtoken" value="{$formtoken}" />
           <div class="row mb-3">
           <label for="telephone" class="col-sm-4 col-form-label text-end">{$msg_phone}</label>
             <div class="col-sm-8">