"Invalid Token" Error When Saving Files in TinyFileManager v2.6 #1282

Open
smalos opened this issue Feb 14, 2025 · 3 comments

Comments

@smalos

smalos commented Feb 14, 2025

I'm encountering an issue with TinyFileManager v2.6. Logging in and opening files work as expected, but attempting to save a file results in an "Invalid Token" error. This issue did not occur in version 2.4.7.

Configuration Details:

I am using the following configuration:

define('FM_EMBED', true);
define('FM_SELF_URL', $_SERVER['PHP_SELF']);

To debug, I added a simple logMessage() function to log the CSRF token. I observed that the token changes with every action in TFM, which might be expected behavior.

Here’s the relevant section of the code:

// Generating CSRF Token
if (empty($_SESSION['token'])) {
    if (function_exists('random_bytes')) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    } else {
        $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    logMessage($_SESSION['token']);  // log token to a text file
}

However, the verifyToken() function fails, meaning:

hash_equals($_SESSION['token'], $token)

returns false.

Observations:

It seems like the CSRF token is not being correctly passed to the server before saving the file.
The issue is new in v2.6—it did not occur in v2.4.7.
Every action in TinyFileManager seems to generate a new token.

Expected Behavior:

Saving a file should not trigger an "Invalid Token" error if the session token is valid.

Any insights on why hash_equals($_SESSION['token'], $token) fails in v2.6 but worked in v2.4.7 would be greatly appreciated.
Could this be related to FM_EMBED mode, or has there been a change in how CSRF tokens are handled?

@prasathmani
Owner

Thanks for reporting, I'll check it out.

@smalos
Author

smalos commented Feb 15, 2025

I think the issue lies here: For FM_EMBED, no session is created as far as I have seen, which is why the token is generated again and again with every click:

// Generating CSRF Token
if (empty($_SESSION['token'])) {

As a quick test has shown, the aforementioned error is no longer displayed if a session is also started for FM_EMBED.
(There might be other ways to solve the issue of course)

if (defined('FM_EMBED')) {
    $use_auth = false;
    $sticky_navbar = false;

    if (session_status() == PHP_SESSION_NONE) {
        session_start();
    }
}

But I’m not sure why the whole session initialization block is omitted at all for FM_EMBED here:

else {
    @set_time_limit(600);

    date_default_timezone_set($default_timezone);
    // ...
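To make the dependency that this comment and the original report describe explicit, here is an added example of a session-backed CSRF helper. It is not TinyFileManager's own code; the function names csrf_token, csrf_verify and csrf_field are hypothetical, and it assumes the embedding page controls when the session is started. The guard in csrf_token() turns the silent symptom from the report (a fresh token on every request because $_SESSION is empty) into an immediate error, while csrf_verify() keeps the hash_equals() comparison the project uses.

```php
<?php
declare(strict_types=1);

// Added example (not TinyFileManager's own code): a minimal session-backed CSRF
// token helper that makes the requirement for an active session explicit.
// Function names csrf_token, csrf_verify and csrf_field are hypothetical.

/** Issue the per-session CSRF token, generating it once per session. */
function csrf_token(): string
{
    // Without an active session $_SESSION is empty on every request, so a
    // "generate if empty" pattern mints a new token each time and the token
    // carried by the form can never match the one checked on submit.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        throw new RuntimeException('session_start() must run before a CSRF token is issued');
    }
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

/** Constant-time check of a submitted token against the session token. */
function csrf_verify(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE || $submitted === null) {
        return false;
    }
    $expected = $_SESSION['token'] ?? '';
    if ($expected === '') {
        return false;   // no token was ever issued in this session
    }
    return hash_equals($expected, $submitted);
}

/** Hidden input carrying the token, for a form such as the file-save form. */
function csrf_field(): string
{
    $value = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $value . '">';
}

// Embedding page: start the session before any token is issued or checked.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // Reject the save when the token is missing, stale, or from another session.
    if (!csrf_verify($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid Token');
    }
    // ... perform the save here ...
}

// Render the form with the current session token.
echo '<form method="post">' . csrf_field() . '<button>Save</button></form>';
```

The design choice worth noting is that the token is only ever read from and written to $_SESSION after an explicit session_status() check; an embedding page that forgets session_start() fails loudly at token issuance rather than at save time, which is exactly where the report observed the mismatch.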

@smalos
Author

smalos commented Feb 24, 2025

Is there any reason not to use sessions in embedded mode as well? Someone probably once decided they weren't needed.
