smeserver-manager/sme10/smeserver-manager-0.1.4-review_csrf_url.patch

diff -urN smeserver-manager-0.1.4.old/root/etc/e-smith/templates/usr/share/smanager/themes/default/public/css/styles.css/50body smeserver-manager-0.1.4/root/etc/e-smith/templates/usr/share/smanager/themes/default/public/css/styles.css/50body
--- smeserver-manager-0.1.4.old/root/etc/e-smith/templates/usr/share/smanager/themes/default/public/css/styles.css/50body       2021-06-21 13:25:10.000000000 +0400
+++ smeserver-manager-0.1.4/root/etc/e-smith/templates/usr/share/smanager/themes/default/public/css/styles.css/50body   2021-11-01 21:53:42.016000000 +0400
@@ -126,6 +126,20 @@
     text-align: right;
 }
 
+td.label {
+    font-weight: bold;
+    background-color: #e8f3e1; /*lightgreen;*/
+    width: 30%;
+    text-align: right;
+}
+
+span.label2 {
+    display: inline-block;
+    font-weight: bold;
+    background-color: #e8f3e1; /*lightgreen;*/
+    text-align: right;
+}
+
 span.data {
     padding: 2px;
     font-weight: bold;
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/lib/SrvMngr/Plugin/CSRFDefender.pm smeserver-manager-0.1.4/root/usr/share/smanager/lib/SrvMngr/Plugin/CSRFDefender.pm
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/lib/SrvMngr/Plugin/CSRFDefender.pm      1970-01-01 04:00:00.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/lib/SrvMngr/Plugin/CSRFDefender.pm  2021-11-15 21:45:49.542000000 +0400
@@ -0,0 +1,244 @@
+package SrvMngr::Plugin::CSRFDefender;
+
+use strict;
+use warnings;
+use Carp;
+
+our $VERSION = '0.0.8-1';
+
+use base qw(Mojolicious::Plugin Class::Accessor::Fast);
+__PACKAGE__->mk_accessors(qw(
+    parameter_name
+    session_key
+    token_length
+    error_status
+    error_content
+    error_template
+    onetime
+    get_token_param
+
+));
+
+use String::Random;
+use Path::Class;
+
+sub register {
+    my ($self, $app, $conf) = @_;
+
+    # Plugin config
+    $conf ||= {};
+
+    # setting
+    $self->parameter_name($conf->{parameter_name} || 'csrftoken');
+    $self->session_key($conf->{session_key} || 'csrftoken');
+    $self->token_length($conf->{token_length} || 32);
+    $self->error_status($conf->{error_status} || 403);
+    $self->error_content($conf->{error_content} || 'Forbidden');
+    $self->onetime($conf->{onetime} || 0);
+    if ($conf->{error_template}) {
+        my $file = $app->home->rel_file($conf->{error_template});
+        $self->error_template($file);
+    }
+    $self->get_token_param($conf->{get_token_param} || 'CsrfDef=TOKEN');       # added for GET method
+
+    # input check
+    $app->hook(before_dispatch => sub {
+        my ($c) = @_;
+        unless ($self->_validate_csrf($c)) {
+            my $content;
+            if ($self->error_template) {
+                my $file = file($self->error_template);
+                $content = $file->slurp;
+            }
+            else {
+                $content = $self->{error_content},
+            }
+            $c->render(
+                status => $self->{error_status},
+                text   => $content,
+            );
+        };
+    });
+
+    # output filter
+    $app->hook(after_dispatch => sub {
+        my ($c) = @_;
+        my $token = $self->_get_csrf_token($c);
+        my $p_name = $self->parameter_name;
+        my $g_token = $self->get_token_param;
+        my $body = $c->res->body;
+        $body =~ s{(<form\s*[^>]*method=["']POST["'][^>]*>)}{$1\n<input type="hidden" name="$p_name" value="$token" />}isg;
+        $body =~ s{(\?$g_token)}{\?$p_name=$token}isg;         # added for GET method
+        $c->res->body($body);
+    });
+
+    return $self;
+}
+
+sub _validate_csrf {
+    my ($self, $c) = @_;
+
+    my $p_name = $self->parameter_name;
+    my $s_name = $self->session_key;
+    my $request_token = $c->req->param($p_name);
+    my $session_token = $c->session($s_name);
+
+#      POST method or local GET with params.
+    if ( $c->req->method eq 'POST' or ( $c->req->method eq 'GET' && %{$c->req->params->to_hash} ) )  {
+        return 0 unless $request_token;
+        return 0 unless $session_token;
+        return 0 unless $request_token eq $session_token;
+       # onetime
+       $c->session($self->{session_key} => '') if $self->onetime;
+    }
+
+    return 1;
+}
+
+sub _get_csrf_token {
+    my ($self, $c) = @_;
+
+    my $key    = $self->session_key;
+    my $token  = $c->session($key);
+    my $length = $self->token_length;
+    return $token if $token;
+
+    $token = String::Random::random_regex("[a-zA-Z0-9_]{$length}");
+    $c->session($key => $token);
+    return $token;
+}
+
+1;
+
+__END__
+
+=head1 NAME
+
+Mojolicious::Plugin::CSRFDefender - Defend CSRF automatically in Mojolicious Application
+
+
+=head1 VERSION
+
+This document describes Mojolicious::Plugin::CSRFDefender.
+
+
+=head1 SYNOPSIS
+
+    # Mojolicious
+    $self->plugin('Mojolicious::Plugin::CSRFDefender');
+
+    # Mojolicious::Lite
+    plugin 'Mojolicious::Plugin::CSRFDefender';
+
+=head1 DESCRIPTION
+
+This plugin defends CSRF automatically in Mojolicious Application.
+Following is the strategy.
+
+=head2 output filter
+
+When the application response body contains form tags with method="post",
+this inserts hidden input tag that contains token string into forms in the response body.
+For example, the application response body is
+
+    <html>
+      <body>
+        <form method="post" action="/get">
+          <input name="text" />
+          <input type="submit" value="send" />
+        </form>
+      </body>
+    </html>
+
+this becomes
+
+    <html>
+      <body>
+        <form method="post" action="/get">
+        <input type="hidden" name="csrf_token" value="zxjkzX9RnCYwlloVtOVGCfbwjrwWZgWr" />
+          <input name="text" />
+          <input type="submit" value="send" />
+        </form>
+      </body>
+    </html>
+
+=head2 input check
+
+For every POST requests, this module checks input parameters contain the collect token parameter. If not found, throws 403 Forbidden.
+
+=head1 OPTIONS
+
+    plugin 'Mojolicious::Plugin::CSRFDefender' => {
+        parameter_name => 'param-csrftoken',
+        session_key    => 'session-csrftoken',
+        token_length   => 40,
+        error_status   => 400,
+        error_template => 'public/400.html',
+    };
+
+=over 4
+
+=item parameter_name(default:"csrftoken")
+
+Name of the input tag for the token.
+
+=item session_key(default:"csrftoken")
+
+Name of the session key for the token.
+
+=item token_length(default:32)
+
+Length of the token string.
+
+=item error_status(default:403)
+
+Status code when CSRF is detected.
+
+=item error_content(default:"Forbidden")
+
+Content body when CSRF is detected.
+
+=item error_template
+
+Return content of the specified file as content body when CSRF is detected.  Specify the file path from the application home directory.
+
+=item onetime(default:0)
+
+If specified with 1,  this plugin uses onetime token, that is, whenever client sent collect token and this middleware detect that, token string is regenerated.
+
+=back
+
+=head1 METHODS
+
+L<Mojolicious::Plugin::CSRFDefender> inherits all methods from
+L<Mojolicious::Plugin> and implements the following new ones.
+
+=head2 C<register>
+
+    $plugin->register;
+
+Register plugin in L<Mojolicious> application.
+
+=head1 SEE ALSO
+
+=over 4
+
+=item * L<Mojolicious>
+
+=back
+
+=head1 REPOSITORY
+
+https://github.com/shibayu36/p5-Mojolicious-Plugin-CSRFDefender
+
+=head1 AUTHOR
+
+  C<< <shibayu36 {at} gmail.com> >>
+
+
+=head1 LICENCE AND COPYRIGHT
+
+Copyright (c) 2011, Yuki Shibazaki C<< <shibayu36 {at} gmail.com> >>. All rights reserved.
+
+This module is free software; you can redistribute it and/or
+modify it under the same terms as Perl itself. See L<perlartistic>.
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/lib/SrvMngr.pm smeserver-manager-0.1.4/root/usr/share/smanager/lib/SrvMngr.pm
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/lib/SrvMngr.pm  2021-10-20 22:30:47.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/lib/SrvMngr.pm      2021-11-14 22:36:45.633000000 +0400
@@ -23,7 +23,7 @@
 use SrvMngr::Model::Main;
 
 
-our $VERSION = '1.401';
+our $VERSION = '1.403';
 $VERSION = eval $VERSION;
 
 use Exporter 'import';
@@ -181,7 +181,9 @@
     $self->plugin('RenderFile');
 
     # CSRF protection if production mode
-    $self->plugin('Mojolicious::Plugin::CSRFDefender' => {
+#    $self->plugin('Mojolicious::Plugin::CSRFDefender' => {
+#   Adapted plugin for use with GET method
+    $self->plugin('SrvMngr::Plugin::CSRFDefender' => {
        onetime => 1,
        error_status => 400,
        error_content => 'Error: CSRF token is invalid or outdated'
@@ -814,4 +816,3 @@
 
 
 1;
-
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_dom_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_dom_list.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_dom_list.html.ep     2021-06-21 13:25:10.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_dom_list.html.ep 2021-11-05 23:55:48.000000000 +0400
@@ -42,13 +42,13 @@
             %= t td => (class => 'sme-border') => $domain->{'Content'}
             %= t td => (class => 'sme-border') => l('dom_' . $domain->{'Nameservers'})
 
-    %      my $actionModify = "<a href='domains2?trt=UPD&Domain=" . $domain->{Domain} . "'>" . l('MODIFY') . "</a>"; 
+    %      my $actionModify = "<a href='domains2?CsrfDef=TOKEN&trt=UPD&Domain=" . $domain->{Domain} . "'>" . l('MODIFY') . "</a>"; 
 
     %      my $removable = ($domain->{Removable} || 'yes');
     %      my $actionRemove = '&nbsp;';
 
     %      if ($removable eq 'yes')  { 
-    %          $actionRemove = "<a href='domains2?trt=DEL&Domain=" . $domain->{Domain} . "'>" . l('REMOVE') . "</a>"; 
+    %          $actionRemove = "<a href='domains2?CsrfDef=TOKEN&trt=DEL&Domain=" . $domain->{Domain} . "'>" . l('REMOVE') . "</a>"; 
     %      }
 
            <td class='sme-border'><%= $c->render_to_string(inline => $actionModify) %></td>
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_grp_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_grp_list.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_grp_list.html.ep     2021-06-21 13:25:10.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_grp_list.html.ep 2021-11-05 23:56:07.000000000 +0400
@@ -36,8 +36,8 @@
         <tr>
             %= t td => (class => 'sme-border') => $group->key
             %= t td => (class => 'sme-border') => $group->prop('Description')
-           <td class='sme-border'><a href="groups2?trt=UPD&group=<%= $group->key%>"><%=l 'MODIFY'%></a></td>
-           <td class='sme-border'><a href="groups2?trt=DEL&group=<%= $group->key%>"><%=l 'REMOVE'%></a></td>
+           <td class='sme-border'><a href="groups2?CsrfDef=TOKEN&trt=UPD&group=<%= $group->key%>"><%=l 'MODIFY'%></a></td>
+           <td class='sme-border'><a href="groups2?CsrfDef=TOKEN&trt=DEL&group=<%= $group->key%>"><%=l 'REMOVE'%></a></td>
        </tr>
     %    }
        </tbody>
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_header.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_header.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_header.html.ep       2021-06-21 13:25:10.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_header.html.ep   2021-11-14 22:21:06.985000000 +0400
@@ -3,7 +3,7 @@
        <div id="h2e11">
            <a target='_blank' href="http://www.koozali.org"><img src="images/smeserver_logo.jpg" height="40" alt="SME Server"></a>
        </div>
-        <div id="h2e12"><h5><a href="/smanager/">Server Manager II</a>
+        <div id="h2e12"><h5><a href="initial">Server Manager II</a>
             <a href="/server-manager" target='main'>&nbsp &nbsp (Previous)</a></h5>
        </div>
     </div>
@@ -14,13 +14,13 @@
         <%= session 'SystemName' %>@<%= session 'DomainName' %></b> 
        </div>
         <div id="h2e22">
-          <a target="_parent" href="/smanager/manual">&nbsp;&nbsp;<b> ? </b>&nbsp;&nbsp;</a>&nbsp;
+          <a target="_parent" href="manual">&nbsp;&nbsp;<b> ? </b>&nbsp;&nbsp;</a>&nbsp;
        </div>
        <div id="h2e23">
 %    if ( not defined $c->session->{username} ) {
           <a target="_parent" href="login"><b>Login</b></a>&nbsp;
 %    } else {
-          <a target="_parent" href="/smanager/logout"><b><%= $c->session->{username} %> Logout</b></a>&nbsp;
+          <a target="_parent" href="logout"><b><%= $c->session->{username} %> Logout</b></a>&nbsp;
 %    }
        </div>
     </div>
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_hos_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_hos_list.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_hos_list.html.ep     2021-06-21 13:25:10.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_hos_list.html.ep 2021-11-05 23:56:23.000000000 +0400
@@ -46,8 +46,8 @@
             %= t td => (class => 'sme-border') => $_->{'Comment'};
     %      my ($actionModify, $actionRemove) = '&nbsp;';
     %      if ($_->{'static'} ne 'yes') {
-    %          $actionModify = "<a href='hostentriesd?trt=UPD&Hostname=" . $_->{'HostName'} . "'>" . l('MODIFY') . "</a>"; 
-    %          $actionRemove = "<a href='hostentriesd?trt=DEL&Hostname=" . $_->{'HostName'} . "'>" . l('REMOVE') . "</a>"; 
+    %          $actionModify = "<a href='hostentriesd?CsrfDef=TOKEN&trt=UPD&Hostname=" . $_->{'HostName'} . "'>" . l('MODIFY') . "</a>"; 
+    %          $actionRemove = "<a href='hostentriesd?CsrfDef=TOKEN&trt=DEL&Hostname=" . $_->{'HostName'} . "'>" . l('REMOVE') . "</a>"; 
     %      }
            <td class='sme-border'><%= $c->render_to_string(inline => $actionModify) %></td>
            <td class='sme-border'><%= $c->render_to_string(inline => $actionRemove) %></td>
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_iba_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_iba_list.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_iba_list.html.ep     2021-10-20 22:30:47.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_iba_list.html.ep 2021-10-09 23:01:31.000000000 +0400
@@ -47,18 +47,18 @@
             %= t td => (class => 'sme-border') => $ibay->prop('Name')
     %      my ($actionModify, $actionResetPw, $actionRemove) = '&nbsp;';
     %      if ($modifiable eq 'yes') { 
-    %          $actionModify = "<a href='ibaysd?trt=UPD&ibay=" . $ibay->key . "'>" . l('MODIFY') . "</a>"; 
+    %          $actionModify = "<a href='ibaysd?CsrfDef=TOKEN&trt=UPD&ibay=" . $ibay->key . "'>" . l('MODIFY') . "</a>"; 
     %      }
     %      if ($passwordable eq 'yes')  { 
     %          if ($ibay->prop('PasswordSet') ne 'yes' && $needPassword) {
-    %                  $actionResetPw .= "<a href='ibaysd?trt=PWD&ibay=" . $ibay->key . "' class='error'>" . l('PASSWORD_RESET') . "</a>"; 
+    %                  $actionResetPw .= "<a href='ibaysd?CsrfDef=TOKEN&trt=PWD&ibay=" . $ibay->key . "' class='error'>" . l('PASSWORD_RESET') . "</a>"; 
     %          } else {
-    %                  $actionResetPw .= "<a href='ibaysd?trt=PWD&ibay=" . $ibay->key . "'>" . l('PASSWORD_RESET') . "</a>"; 
+    %                  $actionResetPw .= "<a href='ibaysd?CsrfDef=TOKEN&trt=PWD&ibay=" . $ibay->key . "'>" . l('PASSWORD_RESET') . "</a>"; 
     %          }
     %          $actionResetPw .= '&nbsp';
     %      }
     %      if ($removable eq 'yes')  { 
-    %          $actionRemove = "<a href='ibaysd?trt=DEL&ibay=" . $ibay->key . "'>" . l('REMOVE') . "</a>"; 
+    %          $actionRemove = "<a href='ibaysd?CsrfDef=TOKEN&trt=DEL&ibay=" . $ibay->key . "'>" . l('REMOVE') . "</a>"; 
     %      }
            <td class='sme-border'><%= $c->render_to_string(inline => $actionModify) %></td>
            <td class='sme-border'><%= $c->render_to_string(inline => $actionResetPw) %></td>
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_ln_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_ln_list.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_ln_list.html.ep      2020-11-19 11:53:26.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_ln_list.html.ep  2021-11-05 23:56:34.000000000 +0400
@@ -82,7 +82,7 @@
                                        %= t td => (class => 'sme-border') => $localnetwork->prop('Router')
                                        %  if ($removable eq "yes") {
                                                <td class='sme-border'>
-                                               <a href="/smanager/localnetworksd?trt=DEL&localnetwork=<%= $localnetwork->key%>"><%=l 'REMOVE'%></a></td>
+                                               <a href="localnetworksd?CsrfDef=TOKEN&trt=DEL&localnetwork=<%= $localnetwork->key%>"><%=l 'REMOVE'%></a></td>
                                        % } else {
                                                <td class='sme-border'> </td> 
                                        %}
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_pf_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_pf_list.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_pf_list.html.ep      2020-11-19 11:53:26.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_pf_list.html.ep  2021-11-05 23:56:46.000000000 +0400
@@ -98,7 +98,7 @@
                %=                      t td => (class => 'sme-border') => $allow
                %=                      t td => (class => 'sme-border') => $cmmnt
                                                <td class='sme-border'>
-                                               <a href="/smanager/portforwardingd?trt=DEL&sport=<%= $sport%>&proto=<%= $proto%>"><%=l 'REMOVE'%></a></td>
+                                               <a href="portforwardingd?CsrfDef=TOKEN&trt=DEL&sport=<%= $sport%>&proto=<%= $proto%>"><%=l 'REMOVE'%></a></td>
                        </tr>
          %       }
          %   }
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_prt_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_prt_list.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_prt_list.html.ep     2021-10-20 22:30:47.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_prt_list.html.ep 2021-11-05 23:56:56.000000000 +0400
@@ -55,7 +55,7 @@
             %= t td => (class => 'sme-border') => $printer->prop('Location')
             %= t td => (class => 'sme-border') => $address
             %= t td => (class => 'sme-border') => $remoteName
-           <td class='sme-border'><a href="printers2?trt=DEL&printer=<%= $printer->key%>"><%=l 'REMOVE'%></a></td>
+           <td class='sme-border'><a href="printers2?CsrfDef=TOKEN&trt=DEL&printer=<%= $printer->key%>"><%=l 'REMOVE'%></a></td>
        </tr>
     %    }
        </tbody>
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_pse_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_pse_list.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_pse_list.html.ep     2021-06-21 13:25:10.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_pse_list.html.ep 2021-11-05 23:57:06.000000000 +0400
@@ -52,10 +52,10 @@
 
     %      my ($actionModify, $actionRemove) = '&nbsp;';
     %      if ($modifiable eq 'yes') { 
-    %          $actionModify = "<a href='pseudonyms2?trt=UPD&pseudonym=" . $pseudonym->key . "'>" . l('MODIFY') . "</a>"; 
+    %          $actionModify = "<a href='pseudonyms2?CsrfDef=TOKEN&trt=UPD&pseudonym=" . $pseudonym->key . "'>" . l('MODIFY') . "</a>"; 
     %      }
     %      if ($removable eq 'yes')  { 
-    %          $actionRemove = "<a href='pseudonyms2?trt=DEL&pseudonym=" . $pseudonym->key . "'>" . l('REMOVE') . "</a>"; 
+    %          $actionRemove = "<a href='pseudonyms2?CsrfDef=TOKEN&trt=DEL&pseudonym=" . $pseudonym->key . "'>" . l('REMOVE') . "</a>"; 
     %      }
 
            <td class='sme-border'><%= $c->render_to_string(inline => $actionModify) %></td>
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_quo_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_quo_list.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_quo_list.html.ep     2021-10-20 22:30:47.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_quo_list.html.ep 2021-11-05 23:57:15.000000000 +0400
@@ -56,7 +56,7 @@
             %= t td => (class => 'sme-border') => sprintf("%.2f", $bs / 1024 )
             %= t td => (class => 'sme-border') => sprintf("%.2f", $bh / 1024 )
             %= t td => (class => 'sme-border') => sprintf("%.2f", $bc / 1024 )
-           <td class='sme-border'><a href="quotad?trt=UPD&user=<%= $user->key%>"><%=l 'MODIFY'%></a></td>
+           <td class='sme-border'><a href="quotad?CsrfDef=TOKEN&trt=UPD&user=<%= $user->key%>"><%=l 'MODIFY'%></a></td>
        </tr>
     %    }
        </tbody>
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_usr_list.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_usr_list.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/partials/_usr_list.html.ep     2021-10-20 22:30:47.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/partials/_usr_list.html.ep 2021-10-10 23:46:45.000000000 +0400
@@ -60,19 +60,19 @@
             %= t td => (class => 'sme-border') => $fwd
     %      my ($actionModify, $actionLock, $actionResetPw, $actionRemove) = '&nbsp;';
     %      if ($username eq 'admin')  { 
-    %          $actionModify = "<a href='useraccountsd?trt=UPS&user=" . $username . "'>" . l('MODIFY') . "</a>"; 
-    %          $actionResetPw = "<a href='useraccountsd?trt=PWS&user=" . $username . "'>" . l('PASSWORD_RESET') . "</a>"; 
+    %          $actionModify = "<a href='useraccountsd?CsrfDef=TOKEN&trt=UPS&user=" . $username . "'>" . l('MODIFY') . "</a>"; 
+    %          $actionResetPw = "<a href='useraccountsd?CsrfDef=TOKEN&trt=PWS&user=" . $username . "'>" . l('PASSWORD_RESET') . "</a>"; 
     %      } else {
-    %          $actionModify = "<a href='useraccountsd?trt=UPD&user=" . $username . "'>" . l('MODIFY') . "</a>"; 
+    %          $actionModify = "<a href='useraccountsd?CsrfDef=TOKEN&trt=UPD&user=" . $username . "'>" . l('MODIFY') . "</a>"; 
     %          if ($password_set ne 'yes') {
     %                  $actionLock = l('ACCOUNT_LOCKED'); 
-    %                  $actionResetPw = "<a href='useraccountsd?trt=PWD&user=" . $username . "' class='error'>" . l('PASSWORD_RESET') . "</a>"; 
+    %                  $actionResetPw = "<a href='useraccountsd?CsrfDef=TOKEN&trt=PWD&user=" . $username . "' class='error'>" . l('PASSWORD_RESET') . "</a>"; 
     %          } else {
-    %                  $actionLock = "<a href='useraccountsd?trt=LCK&user=" . $username . "'>" . l('usr_LOCK_ACCOUNT') . "</a>"; 
-    %                  $actionResetPw = "<a href='useraccountsd?trt=PWD&user=" . $username . "'>" . l('PASSWORD_RESET') . "</a>"; 
+    %                  $actionLock = "<a href='useraccountsd?CsrfDef=TOKEN&trt=LCK&user=" . $username . "'>" . l('usr_LOCK_ACCOUNT') . "</a>"; 
+    %                  $actionResetPw = "<a href='useraccountsd?CsrfDef=TOKEN&trt=PWD&user=" . $username . "'>" . l('PASSWORD_RESET') . "</a>"; 
     %          }
     %          if ( $removable eq 'yes' )  { 
-    %                  $actionRemove = "<a href='useraccountsd?trt=DEL&user=" . $username . "'>" . l('REMOVE') . "</a>"; 
+    %                  $actionRemove = "<a href='useraccountsd?CsrfDef=TOKEN&trt=DEL&user=" . $username . "'>" . l('REMOVE') . "</a>"; 
     %          }
     %      }
            <td class='sme-border'><%= $c->render_to_string(inline => $actionModify) %></td>
diff -urN smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/review.html.ep smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/review.html.ep
--- smeserver-manager-0.1.4.old/root/usr/share/smanager/themes/default/templates/review.html.ep 2020-11-19 11:53:26.000000000 +0400
+++ smeserver-manager-0.1.4/root/usr/share/smanager/themes/default/templates/review.html.ep     2021-07-27 21:08:13.000000000 +0400
@@ -8,123 +8,123 @@
     %= form_for 'review' => begin
        <b>
        %=l 'rvw_NETWORKING_PARAMS'
-       </b><br><br>
+       </b><br>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_SERVER_MODE'
-       </b>
+       </span>
        %= $rvw_datas->{servermode}
-       <br>
+       </p>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_LOCAL_IP_ADDRESS_SUBNET_MASK'
-       </b>
+       </span>
        %= $rvw_datas->{localip}
-       <br>
+       </p>
        
        % if ( $rvw_datas->{publicip} ) {
-           <b>
+           <p><span class=label>
            %=l 'rvw_INTERNET_VISIBLE_ADDRESS'
-           </b>
+           </span>
            %= $rvw_datas->{publicip}
-           <br>
+           </p>
        % }
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_GATEWAY'
-       </b>
+       </span>
        %= $rvw_datas->{gateway}
        %= $rvw_datas->{serveronly}
-       <br>
+       </p>
        
-       <b>
+       <p><table width='100%'><tr><td class=label><!--span class=label-->
        %=l 'rvw_ADDITIONAL_LOCAL_NETWORKS'
-       </b>
+       <!--/span--></td><td>
        %= $c->render_to_string( inline => $rvw_datas->{addlocalnetworks} );
-       <br>
+       </td></tr></table>
+       </p>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_DHCP_SERVER'
-       </b>
+       </span>
        %= $rvw_datas->{dhcpserver}
-       <br>
-       <br><br>
-       <b>
+       </p>
+
+       <br><br><b>
        %=l 'rvw_SERVER_NAMES'
-       </b><br><br>
+       </b><br>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_DNS_SERVER'
-       </b>
+       </span>
        %= $rvw_datas->{dnsserver}
-       <br>
+       </p>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_WEB_SERVER'
-       </b>
+       </span>
        %= $rvw_datas->{webserver}
-       <br>
+       </p>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_PROXY_SERVER'
-       </b>
+       </span>
        %= $rvw_datas->{proxyserver}
-       <br>
+       </p>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_FTP_SERVER'
-       </b>
+       </span>
        %= $rvw_datas->{ftpserver}
-       <br>
+       </p>
 
-       <b>
+       <p><span class=label>
        %=l 'rvw_SMTP_POP_AND_IMAP_MAIL_SERVERS'
-       </b>
+       </span>
        %= $rvw_datas->{smtpserver}
-       <br>
+       </p>
 
-       <br><br>
-       <b>
+       <br><br><b>
        %=l 'rvw_DOMAIN_INFORMATION'
-       </b><br><br>
+       </b><br>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_PRIMARY_DOMAIN'
-       </b>
+       </span>
        %= $rvw_datas->{domainname}
-       <br>
+       </p>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_VIRTUAL_DOMAINS'
-       </b>
+       </span>
        %= $rvw_datas->{virtualdomains}
-       <br>
+       </p>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_PRIMARY_WEB_SITE'
-       </b>
+       </span>
        %= $rvw_datas->{primarywebsite}
-       <br>
+       </p>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_SERVER_MANAGER'
-       </b>
+       </span>
        %= $rvw_datas->{servermanager}
-       <br>
+       </p>
        
-       <b>
+       <p><span class=label>
        %=l 'rvw_USER_PASSWORD_PANEL'
-       </b>
+       </span>
        %= $rvw_datas->{usermanager}
-       <br>
+       </p>
        
-       <b>
+       <p><table width='100%'><tr><td class=label>
        %=l 'rvw_EMAIL_ADDRESSES'
-       </b>
+       </td><td>
        %= $rvw_datas->{emailaddresses}
-       <br>
-       
-    % end    
+       </td></tr></table></p>
+
+    % end
 
 </div>
 