changeset 359:f7a806d5060f
Add preliminary code for CSRF prevention via unique hash tokens. Not fully
implemented yet.
author | Matti Hamalainen <ccr@tnsp.org> |
date | Tue, 03 Dec 2013 10:58:46 +0200 |
parents | 0244aeeab6e7 |
children | 2af8458058ab |
files | majax.php msitegen.inc.php |
diffstat | 2 files changed, 10 insertions(+), 1 deletions(-) [+] |
--- a/majax.php Tue Dec 03 10:31:37 2013 +0200 +++ b/majax.php Tue Dec 03 10:58:46 2013 +0200 @@ -100,6 +100,10 @@ function jsSendPOSTRequest(params, success, failure) { +<? + if (($csrfID = stGetSessionItem("csrfID", FALSE)) !== FALSE) + echo " params += \"&csrfID=".$csrfID."\";\n"; +?> var req = jsCreateXMLRequest(); req.open("POST", "<? echo $backend ?>", true); req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
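Review bot: The added echo splices `$csrfID` raw into a JavaScript string literal and then into an `application/x-www-form-urlencoded` body, so any character outside `[A-Za-z0-9]` in the token (`"`, `\`, `&`, `=`, `+`, `%`) would either break the generated script or be mangled by the URL encoding on the way to the server. How the session value is produced is not visible here, so the safe assumption is to encode at both layers: `echo "  params += \"&csrfID=\" + encodeURIComponent(".json_encode($csrfID).");\n";`. Note also that `params +=` always prefixes `&`, which yields a body starting with `&csrfID=` when `params` is empty; harmless for most parsers but worth normalising. The enclosing JavaScript function `jsSendPOSTRequest` continues past the end of the hunk.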
--- a/msitegen.inc.php Tue Dec 03 10:31:37 2013 +0200 +++ b/msitegen.inc.php Tue Dec 03 10:58:46 2013 +0200 @@ -245,10 +245,15 @@ function stGetFormStart($name, $action = "", $method = "post") { - return + $str = "<form name=\"".$name."\" action=\"". ($action != "" ? $action : $name). "\" method=\"".$method."\">\n"; + + if (($csrfID = stGetSessionItem("csrfID", FALSE)) !== FALSE) + $str .= stGetFormHiddenInput("csrfID", $csrfID)."\n"; + + return $str; }
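Review bot: The new hidden `csrfID` input is appended to every form regardless of `$method`, so for a GET form the token ends up in the request URL and from there in browser history, Referer headers and server logs, which weakens the token. Restricting the emission to POST forms keeps the token in the body: `if (strcasecmp($method, "post") == 0 && ($csrfID = stGetSessionItem("csrfID", FALSE)) !== FALSE)`. This changeset only emits the token (here and in the `majax.php` hunk above); the matching server-side check of the submitted `csrfID` against the session value is not part of the diff, and when it is added the two values should be compared with a constant-time comparison (`hash_equals` on PHP ≥ 5.6) rather than `==`. Whether `stGetFormHiddenInput` attribute-escapes its value cannot be seen from this hunk and is worth confirming.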