
"Invalid Token" Error When Saving Files in TinyFileManager v2.6

Open smalos opened this issue 10 months ago • 3 comments

I'm encountering an issue with TinyFileManager v2.6. Logging in and opening files work as expected, but attempting to save a file results in an "Invalid Token" error. This issue did not occur in version 2.4.7.

Configuration Details:

I am using the following configuration:

define('FM_EMBED', true);
define('FM_SELF_URL', $_SERVER['PHP_SELF']);

To debug, I added a simple logMessage() function to log the CSRF token. I observed that the token changes with every action in TFM, which might be expected behavior.

Here’s the relevant section of the code:

// Generating CSRF Token
if (empty($_SESSION['token'])) {
    if (function_exists('random_bytes')) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    } else {
        $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    logMessage($_SESSION['token']);  // log token to a text file
}

However, the verifyToken() function fails, meaning:

hash_equals($_SESSION['token'], $token)

returns false.

Observations:

It seems like the CSRF token is not being correctly passed to the server before saving the file. The issue is new in v2.6—it did not occur in v2.4.7. Every action in TinyFileManager seems to generate a new token.

Expected Behavior:

Saving a file should not trigger an "Invalid Token" error if the session token is valid.

Any insights on why hash_equals($_SESSION['token'], $token) fails in v2.6 but worked in v2.4.7 would be greatly appreciated. Could this be related to FM_EMBED mode, or has there been a change in how CSRF tokens are handled?

smalos, Feb 14 '25 05:02

Thanks for reporting, I'll check it out.

prasathmani, Feb 14 '25 05:02

I think the issue lies here: For FM_EMBED, no session is created as far as I have seen, which is why the token is generated again and again with every click:

//Generating CSRF Token
if (empty($_SESSION['token'])) {

As a quick test has shown, the aforementioned error is no longer displayed if a session is also started for FM_EMBED. (There might be other ways to solve the issue of course)

if (defined('FM_EMBED')) {
    $use_auth = false;
    $sticky_navbar = false;

    if (session_status() == PHP_SESSION_NONE) {
        session_start();
    }
}

But I’m not sure why the whole session initialization block is omitted at all for FM_EMBED here:

else {
    @set_time_limit(600);

    date_default_timezone_set($default_timezone);
    // ...

smalos, Feb 15 '25 09:02
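As an added illustration (not TinyFileManager's own code), a minimal PHP CSRF helper that makes the session dependency explicit: the token is created once per started session, while a request that never calls session_start() sees an empty $_SESSION and regenerates the token every time, which is the mismatch described above. The function names fm_start_session_if_needed(), fm_csrf_token() and fm_verify_token() are assumed for this example.

```php
<?php
// Added example, not TinyFileManager code. Shows why a CSRF token must live in a
// started session: without session_start(), $_SESSION is empty on every request,
// so "generate if empty" yields a fresh token each time and verification fails.

function fm_start_session_if_needed(): void
{
    // PHP_SESSION_NONE means no session has been started for this request yet.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

function fm_csrf_token(): string
{
    fm_start_session_if_needed();
    if (empty($_SESSION['token'])) {
        // 32 random bytes -> 64 hex chars; random_bytes() is CSPRNG-backed (PHP 7+).
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function fm_verify_token(?string $token): bool
{
    fm_start_session_if_needed();
    if (!is_string($token) || empty($_SESSION['token'])) {
        return false;
    }
    // hash_equals() compares in constant time; the known-good value goes first.
    return hash_equals($_SESSION['token'], $token);
}

// Simulated embed-mode failure (constructed, does not touch the real session store):
// two requests that never start a session, so nothing persists between them.
$_SESSION = [];                            // request 1: no session, nothing stored
$first  = empty($_SESSION['token']) ? bin2hex(random_bytes(32)) : $_SESSION['token'];
$_SESSION = [];                            // request 2: still nothing stored
$second = empty($_SESSION['token']) ? bin2hex(random_bytes(32)) : $_SESSION['token'];
echo hash_equals($first, $second) ? "match\n" : "mismatch: token regenerated\n";

// With the session started, the token is stable and verification succeeds;
// a value that does not come from this session is rejected.
$issued = fm_csrf_token();
echo fm_verify_token($issued) ? "verify ok\n" : "verify failed\n";
echo fm_verify_token('0000') ? "unexpected accept\n" : "wrong token rejected\n";
```

Run from the CLI it prints "mismatch: token regenerated", "verify ok" and "wrong token rejected"; in a web context the issued token would be placed in the form and read back from the request before calling fm_verify_token().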

Is there any reason not to use sessions in embedded mode as well? Someone probably once decided they weren't needed.

smalos, Feb 24 '25 15:02