authorFrédéric Guillot <fred@kanboard.net>2014-05-28 15:14:52 -0400
committerFrédéric Guillot <fred@kanboard.net>2014-05-28 15:14:52 -0400
commit445ef6d1481745cd4e7af7e671f534a25d4495dc (patch)
tree7990903e398d77339587595ef5a07df8464f5a2e /app/Core/Request.php
parent75ab09e28b22e9a5676ee912482027926e271515 (diff)
Add CSRF protections
Diffstat (limited to 'app/Core/Request.php')
-rw-r--r--app/Core/Request.php24
1 files changed, 22 insertions, 2 deletions
diff --git a/app/Core/Request.php b/app/Core/Request.php
index 7e9f24ac..6bc738be 100644
--- a/app/Core/Request.php
+++ b/app/Core/Request.php
@@ -2,6 +2,8 @@
namespace Core;
+use Core\Security;
+
/**
* Request class
*
@@ -58,7 +60,12 @@ class Request
public function getValues()
{
if (! empty($_POST)) {
- return $_POST;
+
+ if (Security::validateCSRFFormToken($_POST)) {
+ return $_POST;
+ }
+
+ return array();
}
$result = json_decode($this->getBody(), true);
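Review bot: A failed token check at the new `return array();` is indistinguishable to callers from a request that posted no fields, so a rejected cross-site request is processed as an empty form rather than refused, and nothing records that a token was rejected. The JSON branch beginning at `$result = json_decode($this->getBody(), true);` returns the decoded body without any token check, so if a state-changing handler accepts a JSON body the new protection does not cover it — worth confirming those requests are validated elsewhere. At minimum state the contract above the `if`: `// Form data is returned only after the CSRF token validates; a failed check yields an empty array, and JSON bodies are not token-checked here`. getValues continues past the end of the hunk.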
@@ -116,6 +123,19 @@ class Request
*/
public function isAjax()
{
- return isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';
+ return $this->getHeader('X-Requested-With') === 'XMLHttpRequest';
+ }
+
+ /**
+ * Return a HTTP header value
+ *
+ * @access public
+ * @param string $name Header name
+ * @return string
+ */
+ public function getHeader($name)
+ {
+ $name = 'HTTP_'.str_replace('-', '_', strtoupper($name));
+ return isset($_SERVER[$name]) ? $_SERVER[$name] : '';
}
}
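Review bot: `getHeader()` cannot return `Content-Type` or `Content-Length`, because PHP exposes those two request headers in `$_SERVER` as `CONTENT_TYPE` and `CONTENT_LENGTH` without the `HTTP_` prefix, so the key built on the `$name = 'HTTP_'.…` line is never set and the method returns `''` for them. Either document that limitation in the docblock or special-case them: `$key = str_replace('-', '_', strtoupper($name));` `$key = in_array($key, array('CONTENT_TYPE', 'CONTENT_LENGTH'), true) ? $key : 'HTTP_'.$key;` `return isset($_SERVER[$key]) ? $_SERVER[$key] : '';`. Every `HTTP_*` entry is supplied by the client, so `isAjax()` reading `X-Requested-With` through this helper remains an informational hint rather than a trust decision, which is fine as long as no authorization logic depends on it. The docblock's `@return string` would be clearer as `@return string Header value, or '' when the header is absent`, since the empty string is used as the missing-header sentinel.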