diff options
Diffstat (limited to 'app/Core')
| -rw-r--r-- | app/Core/Request.php | 24 | ||||
| -rw-r--r-- | app/Core/Response.php | 4 | ||||
| -rw-r--r-- | app/Core/Security.php | 87 |
3 files changed, 112 insertions, 3 deletions
diff --git a/app/Core/Request.php b/app/Core/Request.php index 7e9f24ac..6bc738be 100644 --- a/app/Core/Request.php +++ b/app/Core/Request.php @@ -2,6 +2,8 @@ namespace Core; +use Core\Security; + /** * Request class * @@ -58,7 +60,12 @@ class Request public function getValues() { if (! empty($_POST)) { - return $_POST; + + if (Security::validateCSRFFormToken($_POST)) { + return $_POST; + } + + return array(); } $result = json_decode($this->getBody(), true); @@ -116,6 +123,19 @@ class Request */ public function isAjax() { - return isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest'; + return $this->getHeader('X-Requested-With') === 'XMLHttpRequest'; + } + + /** + * Return a HTTP header value + * + * @access public + * @param string $name Header name + * @return string + */ + public function getHeader($name) + { + $name = 'HTTP_'.str_replace('-', '_', strtoupper($name)); + return isset($_SERVER[$name]) ? $_SERVER[$name] : ''; } } diff --git a/app/Core/Response.php b/app/Core/Response.php index 11d7567a..aee029af 100644 --- a/app/Core/Response.php +++ b/app/Core/Response.php @@ -18,8 +18,10 @@ class Response public function nocache() { header('Pragma: no-cache'); - header('Cache-Control: no-cache, must-revalidate'); header('Expires: Sat, 26 Jul 1997 05:00:00 GMT'); + + // Use no-store due to a Chrome bug: https://code.google.com/p/chromium/issues/detail?id=28035 + header('Cache-Control: no-store, must-revalidate'); } /** diff --git a/app/Core/Security.php b/app/Core/Security.php new file mode 100644 index 00000000..0bd7c991 --- /dev/null +++ b/app/Core/Security.php @@ -0,0 +1,87 @@ +<?php + +namespace Core; + +/** + * Security class + * + * @package core + * @author Frederic Guillot + */ +class Security +{ + /** + * Generate a random token with different methods: openssl or /dev/urandom or fallback to uniqid() + * + * @static + * @access public + * @return string Random token + */ + public static function generateToken() + { + if (function_exists('openssl_random_pseudo_bytes')) { + return bin2hex(\openssl_random_pseudo_bytes(30)); + } + else if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') { + return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30)); + } + + return hash('sha256', uniqid(mt_rand(), true)); + } + + /** + * Generate and store a CSRF token in the current session + * + * @static + * @access public + * @return string Random token + */ + public static function getCSRFToken() + { + $nonce = self::generateToken(); + + if (empty($_SESSION['csrf_tokens'])) { + $_SESSION['csrf_tokens'] = array(); + } + + $_SESSION['csrf_tokens'][$nonce] = true; + + return $nonce; + } + + /** + * Check if the token exists for the current session (a token can be used only one time) + * + * @static + * @access public + * @param string $token CSRF token + * @return bool + */ + public static function validateCSRFToken($token) + { + if (isset($_SESSION['csrf_tokens'][$token])) { + unset($_SESSION['csrf_tokens'][$token]); + return true; + } + + return false; + } + + /** + * Check if the token used in a form is correct and then remove the value + * + * @static + * @access public + * @param array $values Form values + * @return bool + */ + public static function validateCSRFFormToken(array &$values) + { + if (! empty($values['csrf_token']) && self::validateCSRFToken($values['csrf_token'])) { + unset($values['csrf_token']); + return true; + } + + return false; + } +} |