changeset 360:2af8458058ab

Implement CSRF token checks.
author Matti Hamalainen <ccr@tnsp.org>
date Tue, 03 Dec 2013 11:13:44 +0200
parents f7a806d5060f
children 842e35d13e6c
files admajax.php msession.inc.php usrajax.php
diffstat 3 files changed, 10 insertions(+), 2 deletions(-) [+]
--- a/admajax.php	Tue Dec 03 10:58:46 2013 +0200
+++ b/admajax.php	Tue Dec 03 11:13:44 2013 +0200
@@ -201,7 +201,7 @@
 //
 // Check if we are allowed to execute
 //
-if (!stCheckHTTPS() || !stAdmSessionAuth())
+if (!stCheckHTTPS() || !stAdmSessionAuth() || !stCSRFCheck())
 {
   stSetupCacheControl();
 
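Review bot: The new condition on the `if` line rejects every admin AJAX request whose `csrfID` does not match the session, but the diffstat shows only the three server-side files changing, so nothing in this changeset appears to deliver the session token to the client or attach it to the requests; unless the templates/JS already send `csrfID`, these endpoints will refuse all calls after this lands (inferred from the file list, not visible here). The same applies to the usrajax.php hunk. It would also help operations to tell a CSRF failure apart from an authentication failure in the response or log, since both now fall into the same branch; a comment such as `// Reject on bad transport, missing session, or missing/mismatched CSRF token` above the `if` would document the three distinct causes.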
--- a/msession.inc.php	Tue Dec 03 10:58:46 2013 +0200
+++ b/msession.inc.php	Tue Dec 03 11:13:44 2013 +0200
@@ -121,6 +121,7 @@
       "expires" => time() + stGetSetting($timeout) * 60,
       "message" => "",
       "status" => 0,
+      "csrfID" => hash("sha512", mt_rand(0, mt_getrandmax())),
     );
     return TRUE;
   }
@@ -132,6 +133,13 @@
 }
 
 
+function stCSRFCheck()
+{
+  $csrfID = stGetRequestItem("csrfID", FALSE);
+  return ($csrfID !== FALSE && stGetSessionItem("csrfID", FALSE) == $csrfID);
+}
+
+
 function stAdmSessionAuth($silent = FALSE)
 {
   if (@session_start() === TRUE &&
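Review bot: `stCSRFCheck` compares the request token to the session token with loose `==`, and only the request side is guarded against `FALSE`, so a session that has no `csrfID` yet (any session created before this change, if `stGetSessionItem` returns the `FALSE` default) is matched by an empty request value because `FALSE == ""` is true in PHP; loose comparison also treats numeric-looking strings as equal. Guard both sides and compare strictly: `$sessID = stGetSessionItem("csrfID", FALSE);` then `return ($csrfID !== FALSE && $sessID !== FALSE && is_string($csrfID) && $csrfID === $sessID);` (on PHP 5.6+ `hash_equals($sessID, $csrfID)` additionally avoids a timing side channel). Whether the session has been started before `stCSRFCheck` runs depends on the caller's short-circuit order; the `stAdmSessionAuth` function that follows continues outside this hunk.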
--- a/usrajax.php	Tue Dec 03 10:58:46 2013 +0200
+++ b/usrajax.php	Tue Dec 03 11:13:44 2013 +0200
@@ -40,7 +40,7 @@
 //
 // Initialize
 //
-if (!stUserSessionAuth())
+if (!stUserSessionAuth() || !stCSRFCheck())
 {
   stSetupCacheControl();