author | Frédéric Guillot <fred@kanboard.net> | 2018-01-29 15:56:30 -0800 |
---|---|---|
committer | Frédéric Guillot <fred@kanboard.net> | 2018-01-29 15:56:30 -0800 |
commit | 9ddefa979a12aff2334d6e7048e142cfdef5bb89 (patch) | |
tree | 30416f103ba88c7bdf1039c9d40085a7a784ddc0 /app/Core | |
parent | 90984d6bb9b3bd508e0ca7f8c0ee07d304679fb5 (diff) |
Add CSRF check for task and project files upload
Diffstat (limited to 'app/Core')
-rw-r--r-- | app/Core/Http/Request.php | 11 | ||||
-rw-r--r-- | app/Core/Security/Token.php | 42 |
2 files changed, 45 insertions, 8 deletions
diff --git a/app/Core/Http/Request.php b/app/Core/Http/Request.php
index 44bfdbe6..f7d29ab9 100644
--- a/app/Core/Http/Request.php
+++ b/app/Core/Http/Request.php
@@ -112,6 +112,17 @@ class Request extends Base
 }
 /**
+ * Get POST value without modification
+ *
+ * @param $name
+ * @return mixed|null
+ */
+ public function getRawValue($name)
+ {
+ return isset($this->post[$name]) ? $this->post[$name] : null;
+ }
+
+ /**
 * Get the raw body of the HTTP request
 *
 * @access public
diff --git a/app/Core/Security/Token.php b/app/Core/Security/Token.php
index 9b0c5769..5efc6201 100644
--- a/app/Core/Security/Token.php
+++ b/app/Core/Security/Token.php
@@ -25,21 +25,25 @@ class Token extends Base
 }
 /**
- * Generate and store a CSRF token in the current session
+ * Generate and store a one-time CSRF token
 *
 * @access public
 * @return string Random token
 */
 public function getCSRFToken()
 {
- if (! session_exists('csrf')) {
- session_set('csrf', []);
- }
-
- $nonce = self::getToken();
- session_merge('csrf', [$nonce => true]);
+ return $this->createSessionToken('csrf');
+ }
- return $nonce;
+ /**
+ * Generate and store a reusable CSRF token
+ *
+ * @access public
+ * @return string
+ */
+ public function getReusableCSRFToken()
+ {
+ return $this->createSessionToken('pcsrf');
 }
 /**
@@ -60,4 +64,26 @@ class Token extends Base
 return false;
 }
+
+ public function validateReusableCSRFToken($token)
+ {
+ $tokens = session_get('pcsrf');
+ if (isset($tokens[$token])) {
+ return true;
+ }
+
+ return false;
+ }
+
+ protected function createSessionToken($key)
+ {
+ if (! session_exists($key)) {
+ session_set($key, []);
+ }
+
+ $nonce = self::getToken();
+ session_merge($key, [$nonce => true]);
+
+ return $nonce;
+ }
 }
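Review bot: The docblock on getRawValue() leaves `@param $name` untyped and does not say what "without modification" means in practice: the value is read straight from `$this->post`, so a client that submits `name[]=…` gets an array back rather than a string. Suggest `@param string $name POST field name` and `@return mixed|null Raw POST value, possibly an array; callers that compare it as a token must type-check it first`. The Request class continues outside the hunk, so whether the sibling getValue() applies filtering that this method bypasses cannot be seen here.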
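Review bot: getReusableCSRFToken() mints and stores a fresh nonce under 'pcsrf' on every call, and nothing in this commit removes entries from that key, so the session array gains one entry per form render and every stored token stays accepted for as long as the key survives. If one token per session is the intent, return the existing one before creating another, e.g. `$tokens = session_get('pcsrf'); if (! empty($tokens)) { return key($tokens); }` at the top of the method (the session_* helpers are not visible here, so confirm session_get returns the stored array). The docblock should also state the lifetime, e.g. `@return string Token that remains valid until the session's 'pcsrf' entry is cleared`, since the contrast with the "one-time" token is the whole point of the method.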
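Review bot: validateReusableCSRFToken() has no docblock and passes `$token` straight into `isset($tokens[$token])`; if a caller hands it the unmodified POST value from getRawValue(), an array-valued submission reaches isset() with an illegal offset type (a warning on PHP 7, a TypeError on PHP 8) instead of a clean rejection. Add `if (! is_string($token)) { return false; }` before the lookup, plus a docblock such as `Check that a reusable CSRF token exists in the session; the token is not consumed` with `@param string $token` and `@return bool`. createSessionToken() likewise lacks a docblock; `@param string $key Session key holding the set of issued nonces` and `@return string The newly stored nonce` would do.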