From: Florian Schlichting <fsfs@debian.org>
Subject: fix CVE-2019-18345 CVE-2019-18346 CVE-2019-18347
 This combines four upstream commits contained in davical 1.1.9.2:
  86a8ec530 Added CSRF to the application, Mitigated the XSS vulnerabilities reported by HackDefense
  1a917b30e Addressed comments made by @puck42
  c8a0ca453 Fix CSRF not being checked in collection-edit.php
  e2c6b927c HTTP_REFERER will usually be unset for caldav requests, prevent "Undefined index" warnings
 The fix was developed by nielsvangijzen <n.van.gijzen@gmail.com>
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946343

diff --git a/htdocs/admin.php b/htdocs/admin.php
index b48b8558..3efe4b8a 100644
--- a/htdocs/admin.php
+++ b/htdocs/admin.php
@@ -1,4 +1,5 @@
 <?php
+
 require_once('./always.php');
 require_once('classEditor.php');
 require_once('classBrowser.php');
@@ -25,7 +26,12 @@ require_once('interactive-page.php');
 $page_elements = array();
 $code_file = sprintf( 'ui/%s-%s.php', $component, $action );
 if ( ! @include_once( $code_file ) ) {
-  $c->messages[] = sprintf('No page found to %s %s%s%s', $action, ($action == 'browse' ? '' : 'a '), $component, ($action == 'browse' ? 's' : ''));
+  $c->messages[] = sprintf(
+      'No page found to %s %s%s%s',
+      htmlspecialchars($action),
+      ($action == 'browse' ? '' : 'a '), $component,
+      ($action == 'browse' ? 's' : '')
+  );
   include('page-header.php');
   include('page-footer.php');
   @ob_flush(); exit(0);
diff --git a/htdocs/always.php b/htdocs/always.php
index 3e457bee..cd223e7d 100644
--- a/htdocs/always.php
+++ b/htdocs/always.php
@@ -8,6 +8,47 @@
 
 if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location: index.php');
 
+// XSS Protection
+function filter_post(&$val, $index) {
+    if(in_array($index, ["newpass1", "newpass2"])) return;
+
+    switch (gettype($val)) {
+        case "string":
+            $val = htmlspecialchars($val);
+            break;
+
+        case "array":
+            array_walk_recursive($val, function(&$v) {
+                if (gettype($v) == "string") {
+                    $v = htmlspecialchars($v);
+                }
+            });
+            break;
+    }
+}
+
+function clean_get() {
+    $temp = [];
+
+    foreach($_GET as $key => $value) {
+        // XSS is possible in both key and values
+        $k = htmlspecialchars($key);
+        $v = htmlspecialchars($value);
+        $temp[$k] = $v;
+    }
+
+    return $temp;
+}
+
+// Before anything else is executed we filter all the user input, a lot of code in this project
+// relies on variables that are easily manipulated by the user. These lines and functions filter all those variables.
+if(isset($_POST)) array_walk($_POST, 'filter_post');
+$_GET = clean_get();
+$_SERVER['REQUEST_URI'] = str_replace("&amp;", "&", htmlspecialchars($_SERVER['REQUEST_URI']));
+$_SERVER['HTTP_REFERER'] = htmlspecialchars(@$_SERVER['HTTP_REFERER']);
+
+
+
 // Ensure the configuration starts out as an empty object.
 $c = (object) array();
 $c->script_start_time = microtime(true);
diff --git a/inc/csrf_tokens.php b/inc/csrf_tokens.php
new file mode 100644
index 00000000..9d05ec4e
--- /dev/null
+++ b/inc/csrf_tokens.php
@@ -0,0 +1,119 @@
+<?php
+
+/**
+ * Update the CSRF token
+ */
+function updateCsrf() {
+    if(!sessionExists()) {
+        session_start();
+    }
+
+    $_SESSION['csrf_token'] = generateCsrf();
+}
+
+/**
+ * Check whether a session is currently active
+ * @return bool
+ */
+function sessionExists() {
+    if (version_compare(phpversion(), '5.4.0', '>')) {
+        return session_id() !== '';
+    } else {
+        return session_status() === PHP_SESSION_ACTIVE;
+    }
+}
+
+/**
+ * Generate a CSRF token, it chooses from 3 different functions based on PHP version and modules
+ * @return bool|string
+ */
+function generateCsrf() {
+    if (version_compare(phpversion(), '7.0.0', '>=')) {
+        $random = generateRandom();
+        if($random !== false) return $random;
+    }
+
+    if (function_exists('mcrypt_create_iv')) {
+        return generateMcrypt();
+    }
+
+    return generateOpenssl();
+}
+
+/**
+ * Generate a random string using the PHP built in function random_bytes
+ * @version 7.0.0
+ * @return bool|string
+ */
+function generateRandom() {
+    try {
+        return bin2hex(random_bytes(32));
+    } catch (Exception $e) {
+        return false;
+    }
+}
+
+/**
+ * Generate a random string using MCRYPT
+ * @return string
+ */
+function generateMcrypt() {
+    return bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
+}
+
+/**
+ * Generate a random string using OpenSSL
+ * @return string
+ */
+function generateOpenssl() {
+    return bin2hex(openssl_random_pseudo_bytes(32));
+}
+
+/**
+ * Checks for session and the existence of a key
+ * after ensuring both are present it returns the
+ * current CSRF token
+ * @return string
+ */
+function getCsrf() {
+    if(!sessionExists()) {
+        session_start();
+    }
+
+    if(!array_key_exists('csrf_token', $_SESSION)) {
+        updateCsrf();
+    }
+
+    return $_SESSION['csrf_token'];
+}
+
+/**
+ * Get a hidden CSRF input field to be used in forms
+ * @return string
+ */
+function getCsrfField() {
+    return sprintf("<input type=\"hidden\" name=\"csrf_token\" value=\"%s\">", getCsrf());
+}
+
+/**
+ * Verify a given CSRF token
+ * @param $csrf_token
+ * @return bool
+ */
+function verifyCsrf($csrf_token) {
+    $current_csrf = getCsrf();
+    // Prefer hash_equals over === because the latter is vulnerable to timing attacks
+    if(function_exists('hash_equals')) {
+        return hash_equals($current_csrf, $csrf_token);
+    }
+
+    return $current_csrf === $csrf_token;
+}
+
+/**
+ * Uses the global $_POST variable to check if the CSRF token is valid
+ * @return bool
+ */
+function verifyCsrfPost() {
+    return (isset($_POST['csrf_token']) && verifyCsrf($_POST['csrf_token']));
+}
\ No newline at end of file
diff --git a/inc/interactive-page.php b/inc/interactive-page.php
index 86c88898..c0e87389 100644
--- a/inc/interactive-page.php
+++ b/inc/interactive-page.php
@@ -20,6 +20,9 @@ if ( isset($_SERVER['SCRIPT_NAME']) ) {
   if ( $wiki_help == 'admin' ) {
     $wiki_help .= '/' . $_GET['t'] . '/' . $_GET['action'];
   }
+
+  $wiki_help = htmlspecialchars($wiki_help);
+
   $wiki_help = 'w/Help/'.$wiki_help;
 }
 
diff --git a/inc/ui/collection-edit.php b/inc/ui/collection-edit.php
index 4fa778c9..81bffb0b 100644
--- a/inc/ui/collection-edit.php
+++ b/inc/ui/collection-edit.php
@@ -1,4 +1,5 @@
 <?php
+require_once("csrf_tokens.php");
 
 // Editor component for collections
 $editor = new Editor(translate('Collection'), 'collection');
@@ -65,6 +66,12 @@ if ( isset($privsql) ) {
   $can_write_collection = ($session->AllowedTo('Admin') || (bindec($permissions->priv) & privilege_to_bits('DAV::bind')) );
 }
 
+// Verify CSRF token
+if($_SERVER['REQUEST_METHOD'] === "POST" && !verifyCsrfPost()) {
+    $c->messages[] = i18n("A valid CSRF token must be provided");
+    $can_write_collection = false;
+}
+
 dbg_error_log('collection-edit', "Can write collection: %s", ($can_write_collection? 'yes' : 'no') );
 
 $pwstars = '@@@@@@@@@@';
@@ -273,6 +280,7 @@ EOPRIV;
   $submit_row = '';
 }
 
+$csrf_field = getCsrfField();
 $id = $editor->Value('collection_id');
 $template = <<<EOTEMPLATE
 ##form##
@@ -384,6 +392,7 @@ label.privilege {
  <tr> <th class="right">$prompt_description:</th>      <td class="left">##description.textarea.78x6##</td> </tr>
  $submit_row
 </table>
+$csrf_field
 </form>
 <script language="javascript">
 toggle_enabled('fld_is_calendar','=fld_timezone','=fld_schedule_transp','!fld_is_addressbook');
@@ -453,9 +462,11 @@ if ( $editor->Available() ) {
     $orig_to_id = $row_data->to_principal;
     $form_id = $grantrow->Id();
     $form_url = preg_replace( '#&(edit|delete)_grant=\d+#', '', $_SERVER['REQUEST_URI'] );
+    $csrf_field = getCsrfField();
 
     $template = <<<EOTEMPLATE
 <form method="POST" enctype="multipart/form-data" id="form_$form_id" action="$form_url">
+  $csrf_field
   <td class="left" colspan="2"><input type="hidden" name="id" value="$id"><input type="hidden" name="orig_to_id" value="$orig_to_id">##to_principal.select##</td>
   <td class="left" colspan="2">
 <input type="button" value="$btn_all" class="submit" title="$btn_all_title" onclick="toggle_privileges('grant_privileges', 'all', 'form_$form_id');">
diff --git a/inc/ui/principal-edit.php b/inc/ui/principal-edit.php
index 2e37cd59..6646b7c2 100644
--- a/inc/ui/principal-edit.php
+++ b/inc/ui/principal-edit.php
@@ -1,4 +1,5 @@
 <?php
+require_once("csrf_tokens.php");
 
 param_to_global('id', 'int', 'old_id', 'principal_id' );
 
@@ -181,6 +182,13 @@ function principal_editor() {
   $editor->AddAttribute( 'email', 'title', translate("The email address identifies principals when processing invitations and freebusy lookups. It should be set to a unique value.") );
   $editor->SetWhere( 'principal_id='.$id );
 
+  if($_SERVER['REQUEST_METHOD'] === "POST" && !verifyCsrfPost()) {
+      $c->messages[] = i18n("A valid CSRF token must be provided");
+      $can_write_principal = false;
+  }
+
+  $csrf_field = getCsrfField();
+
   $editor->AddField('is_admin', 'EXISTS( SELECT 1 FROM role_member WHERE role_no = 1 AND role_member.user_no = dav_principal.user_no )' );
   $editor->AddAttribute('is_admin', 'title', translate('An "Administrator" user has full rights to the whole DAViCal System'));
 
@@ -396,6 +404,7 @@ label.privilege {
  <tr> <th class="right" style="white-space:normal;">$prompt_privileges:</th><td class="left">$privs_html</td> </tr>
  $submit_row
 </table>
+ $csrf_field 
 </form>
 EOTEMPLATE;
 
@@ -545,9 +554,11 @@ function edit_group_row( $row_data ) {
   global $id, $grouprow;
 
   $form_url = preg_replace( '#&(edit|delete)_group=\d+#', '', $_SERVER['REQUEST_URI'] );
+  $csrf_field = getCsrfField();
 
   $template = <<<EOTEMPLATE
 <form method="POST" enctype="multipart/form-data" id="add_group" action="$form_url">
+  $csrf_field
   <td class="left"><input type="hidden" name="id" value="$id"></td>
   <td class="left" colspan="3">##member_id.select## &nbsp; ##Add.submit##</td>
   <td class="center"></td>
@@ -660,8 +671,11 @@ function edit_grant_row_principal( $row_data ) {
   $form_id = $grantrow->Id();
   $form_url = preg_replace( '#&(edit|delete)_grant=\d+#', '', $_SERVER['REQUEST_URI'] );
 
+  $csrf_field = getCsrfField();
+
   $template = <<<EOTEMPLATE
 <form method="POST" enctype="multipart/form-data" id="form_$form_id" action="$form_url">
+  $csrf_field
   <td class="left" colspan="2"><input type="hidden" name="id" value="$id"><input type="hidden" name="orig_to_id" value="$orig_to_id">##to_principal.select##</td>
   <td class="left" colspan="2">$privs_html</td>
   <td class="center">##submit##</td>
@@ -788,9 +802,11 @@ function edit_ticket_row( $row_data ) {
   $form_id = $ticketrow->Id();
   $ticket_id = $row_data->ticket_id;
   $form_url = preg_replace( '#&(edit|delete)_[a-z]+=\d+#', '', $_SERVER['REQUEST_URI'] );
+  $csrf_field = getCsrfField();
 
   $template = <<<EOTEMPLATE
 <form method="POST" enctype="multipart/form-data" id="form_$form_id" action="$form_url">
+  $csrf_field
   <td class="left">$ticket_id<input type="hidden" name="id" value="$id"><input type="hidden" name="ticket_id" value="$ticket_id"></td>
   <td class="left"><input type="text" name="target" value="$row_data->target"></td>
   <td class="left"><input type="text" name="expires" value="$row_data->expires" size="10"></td>
@@ -1011,8 +1027,11 @@ function edit_binding_row( $row_data ) {
   $source_title = translate('Path to collection you wish to bind, like /user1/calendar/ or https://cal.example.com/user2/cal/');
   $access_title = translate('optional');
 
+  $csrf_field = getCsrfField();
+
   $template = <<<EOTEMPLATE
 <form method="POST" enctype="multipart/form-data" id="form_$form_id" action="$form_url">
+  $csrf_field
   <td class="left">&nbsp;<input type="hidden" name="id" value="$id"></td>
   <td class="left"><input type="text" name="dav_name" value="$row_data->dav_name" size="25"></td>
   <td class="left"><input type="text" name="dav_displayname" size="20"></td>
