changeset 360:2af8458058ab
Implement CSRF token checks.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Tue, 03 Dec 2013 11:13:44 +0200 |
parents | f7a806d5060f |
children | 842e35d13e6c |
files | admajax.php msession.inc.php usrajax.php |
diffstat | 3 files changed, 10 insertions(+), 2 deletions(-) [+] |
--- a/admajax.php Tue Dec 03 10:58:46 2013 +0200
+++ b/admajax.php Tue Dec 03 11:13:44 2013 +0200
@@ -201,7 +201,7 @@
 // // Check if we are allowed to execute //
-if (!stCheckHTTPS() || !stAdmSessionAuth())
+if (!stCheckHTTPS() || !stAdmSessionAuth() || !stCSRFCheck())
 {
 stSetupCacheControl();
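Review bot: The new condition depends on an evaluation order that nothing documents: stCSRFCheck() reads the token from the session, and the session is only started inside stAdmSessionAuth() (the `session_start()` call visible in the msession.inc.php hunk), so the new call must stay after it; a comment above the if, `// stCSRFCheck() reads the session; keep it after stAdmSessionAuth(), which starts it`, would protect that. This branch now also rejects every admin request that carries no csrfID, and the changeset lists only PHP files, so unless the client side already sends csrfID with each request, all admin AJAX calls will be turned away; that client change is not visible here. The failure branch opened by the `{` continues outside the hunk.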
--- a/msession.inc.php Tue Dec 03 10:58:46 2013 +0200
+++ b/msession.inc.php Tue Dec 03 11:13:44 2013 +0200
@@ -121,6 +121,7 @@
 "expires" => time() + stGetSetting($timeout) * 60,
 "message" => "",
 "status" => 0,
+ "csrfID" => hash("sha512", mt_rand(0, mt_getrandmax())),
 );
 return TRUE;
 }
@@ -132,6 +133,13 @@
 }
+function stCSRFCheck()
+{
+ $csrfID = stGetRequestItem("csrfID", FALSE);
+ return ($csrfID !== FALSE && stGetSessionItem("csrfID", FALSE) == $csrfID);
+}
+
+
 function stAdmSessionAuth($silent = FALSE)
 {
 if (@session_start() === TRUE &&
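Review bot: The token source in the added `"csrfID"` line is too weak for a CSRF secret: mt_rand(0, mt_getrandmax()) produces at most about 2^31 distinct values from a non-cryptographic generator, and passing the result through hash("sha512", ...) adds no entropy, it only lengthens the string. Generate the token from the system CSPRNG instead, e.g. `"csrfID" => bin2hex(openssl_random_pseudo_bytes(32)),` (or `random_bytes(32)` on PHP 7+), which gives 256 bits of unpredictability. The array literal is built inside a function whose start lies outside the hunk.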
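Review bot: stCSRFCheck() compares the two tokens with loose `==`, and combined with the FALSE defaults this lets an empty or `"0"` csrfID pass whenever the session holds no csrfID, because `FALSE == ""` and `FALSE == "0"` are true in PHP; a session created before this change presumably has no csrfID and is the obvious case. Loose `==` also treats two numeric-looking strings as numbers, so hex digests of the form `0e<digits>` would compare equal to each other. Fetch the session value first and compare strictly: `$sessID = stGetSessionItem("csrfID", FALSE);` followed by `return ($csrfID !== FALSE && $sessID !== FALSE && $csrfID === $sessID);` (hash_equals(), where available, additionally removes timing differences). A short docblock stating that the function requires an already-started session would also help callers such as the admajax.php check.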