From 3c74ce2427167c823e61b8211ccd2487bce31929 Mon Sep 17 00:00:00 2001
From: elitsa
Date: Mon, 10 Dec 2018 08:55:54 +0100
Subject: [PATCH] Implementing anti forgery token which will not allows members to be created by sending a request directly to the registration controller when the request is not coming from a page in the application

---
 .../Controllers/UmbLoginController.cs         | 1 +
 .../Controllers/UmbLoginStatusController.cs   | 1 +
 .../Controllers/UmbProfileController.cs       | 1 +
 .../Controllers/UmbRegisterController.cs      | 1 +
 src/Umbraco.Web/HtmlHelperRenderExtensions.cs | 19 ++++++++++++++++---
 5 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/Umbraco.Web/Controllers/UmbLoginController.cs b/src/Umbraco.Web/Controllers/UmbLoginController.cs
index df67be72ce..ba46d0a17e 100644
--- a/src/Umbraco.Web/Controllers/UmbLoginController.cs
+++ b/src/Umbraco.Web/Controllers/UmbLoginController.cs
@@ -11,6 +11,7 @@ namespace Umbraco.Web.Controllers
     public class UmbLoginController : SurfaceController
     {
         [HttpPost]
+        [ValidateAntiForgeryToken]
         public ActionResult HandleLogin([Bind(Prefix = "loginModel")]LoginModel model)
         {
             if (ModelState.IsValid == false)
diff --git a/src/Umbraco.Web/Controllers/UmbLoginStatusController.cs b/src/Umbraco.Web/Controllers/UmbLoginStatusController.cs
index 9bb8ae7c9a..8e063bf2a3 100644
--- a/src/Umbraco.Web/Controllers/UmbLoginStatusController.cs
+++ b/src/Umbraco.Web/Controllers/UmbLoginStatusController.cs
@@ -12,6 +12,7 @@ namespace Umbraco.Web.Controllers
     public class UmbLoginStatusController : SurfaceController
     {
         [HttpPost]
+        [ValidateAntiForgeryToken]
         public ActionResult HandleLogout([Bind(Prefix = "logoutModel")]PostRedirectModel model)
         {
             if (ModelState.IsValid == false)
diff --git a/src/Umbraco.Web/Controllers/UmbProfileController.cs b/src/Umbraco.Web/Controllers/UmbProfileController.cs
index b45723ed30..7def7af826 100644
--- a/src/Umbraco.Web/Controllers/UmbProfileController.cs
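Review bot: The `[ValidateAntiForgeryToken]` added above HandleLogin — and likewise on HandleLogout, HandleUpdateProfile and HandleRegisterMember in the next three hunks — makes every POST that lacks the anti-forgery cookie/field fail with an HttpAntiForgeryException, which ASP.NET MVC surfaces as an unhandled 500 unless the site handles it, so hand-written forms or scripted posts that worked before this commit now break and the commit message does not say so. Because the matching field is only emitted for forms opened through UmbracoForm for these four controller names (see the HtmlHelperRenderExtensions hunk), the attribute deserves a comment telling integrators what is required, e.g. `// Requires the anti-forgery cookie and form field; Html.BeginUmbracoForm emits the field for this controller, custom forms must call @Html.AntiForgeryToken()`. It would also help to flag the change as breaking in the PR description. The action bodies continue outside these hunks.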
+++ b/src/Umbraco.Web/Controllers/UmbProfileController.cs
@@ -15,6 +15,7 @@ namespace Umbraco.Web.Controllers
     public class UmbProfileController : SurfaceController
     {
         [HttpPost]
+        [ValidateAntiForgeryToken]
         public ActionResult HandleUpdateProfile([Bind(Prefix = "profileModel")] ProfileModel model)
         {
             var provider = global::Umbraco.Core.Security.MembershipProviderExtensions.GetMembersMembershipProvider();
diff --git a/src/Umbraco.Web/Controllers/UmbRegisterController.cs b/src/Umbraco.Web/Controllers/UmbRegisterController.cs
index 823d243eec..7931565c47 100644
--- a/src/Umbraco.Web/Controllers/UmbRegisterController.cs
+++ b/src/Umbraco.Web/Controllers/UmbRegisterController.cs
@@ -10,6 +10,7 @@ namespace Umbraco.Web.Controllers
     public class UmbRegisterController : SurfaceController
     {
         [HttpPost]
+        [ValidateAntiForgeryToken]
         public ActionResult HandleRegisterMember([Bind(Prefix = "registerModel")]RegisterModel model)
         {
             if (ModelState.IsValid == false)
diff --git a/src/Umbraco.Web/HtmlHelperRenderExtensions.cs b/src/Umbraco.Web/HtmlHelperRenderExtensions.cs
index 3062613b6b..30b4e64e33 100644
--- a/src/Umbraco.Web/HtmlHelperRenderExtensions.cs
+++ b/src/Umbraco.Web/HtmlHelperRenderExtensions.cs
@@ -4,6 +4,7 @@ using System.ComponentModel;
 using System.Linq;
 using System.Text;
 using System.Web;
+using System.Web.Helpers;
 using System.Web.Mvc;
 using System.Web.Mvc.Html;
 using System.Web.Routing;
@@ -289,6 +290,7 @@ namespace Umbraco.Web
             {
                 _viewContext = viewContext;
                 _method = method;
+                _controllerName = controllerName;
                 _encryptedString = UmbracoHelper.CreateEncryptedRouteString(controllerName, controllerAction, area, additionalRouteVals);
             }
@@ -296,13 +298,24 @@ namespace Umbraco.Web
             private readonly FormMethod _method;
             private bool _disposed;
             private readonly string _encryptedString;
+            private readonly string _controllerName;
-            protected override void Dispose(bool disposing)
+            protected override void Dispose(bool disposing)
             {
                 if (this._disposed) return;
                 this._disposed = true;
+                //Detect if the call is targeting UmbRegisterController/UmbProfileController/UmbLoginStatusController/UmbLoginController and if it is we automatically output a AntiForgeryToken()
+                // We have a controllerName and area so we can match
+                if (_controllerName == "UmbRegister"
+                    || _controllerName == "UmbProfile"
+                    || _controllerName == "UmbLoginStatus"
+                    || _controllerName == "UmbLogin")
+                {
+                    _viewContext.Writer.Write(AntiForgery.GetHtml().ToString());
+                }
+
                 //write out the hidden surface form routes
                 _viewContext.Writer.Write("");
@@ -813,8 +826,8 @@ namespace Umbraco.Web
             }
             htmlHelper.ViewContext.Writer.Write(tagBuilder.ToString(TagRenderMode.StartTag));
-            //new UmbracoForm:
-            var theForm = new UmbracoForm(htmlHelper.ViewContext, surfaceController, surfaceAction, area, method, additionalRouteVals);
+            //new UmbracoForm:
+            var theForm = new UmbracoForm(htmlHelper.ViewContext, surfaceController, surfaceAction, area, method, additionalRouteVals);
             if (traditionalJavascriptEnabled)
             {
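Review bot: The controller-name check in Dispose is a case-sensitive `==` against whatever string the caller passed, and the area the comment mentions is never compared, so a form opened with a differently-cased name or for a controller derived from one of these four gets no token while the inherited action, now carrying `[ValidateAntiForgeryToken]`, rejects the post with an HttpAntiForgeryException. At minimum compare with `string.Equals(_controllerName, "UmbRegister", StringComparison.OrdinalIgnoreCase)` (and the other three), and replace the first comment with one that states the coupling: `// Keep in sync with the surface controllers carrying [ValidateAntiForgeryToken]; a form targeting them without this field is rejected on post`. A more robust option, if the callers can supply the controller Type, is to emit the token for any type assignable to those controllers — or for every surface form, since an extra hidden field is harmless for actions without the attribute. `AntiForgery.GetHtml()` comes from System.Web.Helpers and no project file appears in the diffstat, so presumably Umbraco.Web already references that assembly; worth confirming. The enclosing UmbracoForm class and the rest of Dispose continue outside the hunk.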