From 9ddefa979a12aff2334d6e7048e142cfdef5bb89 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Mon, 29 Jan 2018 15:56:30 -0800
Subject: Add CSRF check for task and project files upload

---
 app/Core/Security/Token.php | 42 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 8 deletions(-)
(limited to 'app/Core/Security/Token.php')

diff --git a/app/Core/Security/Token.php b/app/Core/Security/Token.php
index 9b0c5769..5efc6201 100644
--- a/app/Core/Security/Token.php
+++ b/app/Core/Security/Token.php
@@ -25,21 +25,25 @@ class Token extends Base
     }
 
     /**
-     * Generate and store a CSRF token in the current session
+     * Generate and store a one-time CSRF token
      *
      * @access public
      * @return string Random token
      */
     public function getCSRFToken()
     {
-        if (! session_exists('csrf')) {
-            session_set('csrf', []);
-        }
-
-        $nonce = self::getToken();
-        session_merge('csrf', [$nonce => true]);
+        return $this->createSessionToken('csrf');
+    }
 
-        return $nonce;
+    /**
+     * Generate and store a reusable CSRF token
+     *
+     * @access public
+     * @return string
+     */
+    public function getReusableCSRFToken()
+    {
+        return $this->createSessionToken('pcsrf');
     }
 
     /**
@@ -60,4 +64,26 @@ class Token extends Base
 
         return false;
     }
+
+    public function validateReusableCSRFToken($token)
+    {
+        $tokens = session_get('pcsrf');
+        if (isset($tokens[$token])) {
+            return true;
+        }
+
+        return false;
+    }
+
+    protected function createSessionToken($key)
+    {
+        if (! session_exists($key)) {
+            session_set($key, []);
+        }
+
+        $nonce = self::getToken();
+        session_merge($key, [$nonce => true]);
+
+        return $nonce;
+    }
 }
--
cgit v1.2.3
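Review bot: getReusableCSRFToken() mints and stores a fresh nonce on every call, so each render that embeds the token appends another entry to the 'pcsrf' session array, and nothing in this commit (including validateReusableCSRFToken in the second hunk) ever removes one; unless they are pruned elsewhere, the array grows for the whole session lifetime. Since the token is meant to be reusable, a single one per session is enough: check session_get('pcsrf') first and return the existing key, creating a new one only when none is stored. The docblock should also say what "reusable" means for callers, e.g. `@return string Token valid for the rest of the session; validation does not consume it`, so nobody mistakes it for the one-time variant. createSessionToken's definition lives in the second hunk.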
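Review bot: validateReusableCSRFToken() and createSessionToken() are the only methods in this class without a docblock, while every sibling carries `@access`, `@param` and `@return`; add `/** Check that a reusable CSRF token exists in the session (never consumed) @access public @param string $token @return bool */` and a matching one on createSessionToken noting that it initialises the session key if absent and appends the nonce. Because $token presumably arrives straight from request input, the lookup should only accept a string, `if (is_string($token) && isset($tokens[$token])) {`, so a non-scalar value can neither raise an illegal-offset error nor match. The class's closing brace is the last line of the hunk, so the file is complete here.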