fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-07 02:31:40 +09:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'upstream/master' into master

Browse source
This commit is contained in:
Lastorder-DC 2025-10-27 23:09:27 +09:00
commit 1c8ae0d766
52 changed files with 447 additions and 1007 deletions
Download patch file Download diff file Expand all files Collapse all files

68
common/framework/Security.php
View file

@ -314,43 +314,61 @@ class Security
*/
public static function checkCSRF(?string $referer = null): bool
{
// If CSRF token checking is enabled, check the token header or parameter first.
// Tokens are allowed to be missing for unauthenticated users.
$check_csrf_token = config('security.check_csrf_token') ? true : false;
if ($token = isset($_SERVER['HTTP_X_CSRF_TOKEN']) ? $_SERVER['HTTP_X_CSRF_TOKEN'] : null)
if ($check_csrf_token)
{
return Session::verifyToken((string)$token, '', $check_csrf_token);
}
elseif ($token = isset($_REQUEST['_rx_csrf_token']) ? $_REQUEST['_rx_csrf_token'] : null)
{
return Session::verifyToken((string)$token, '', $check_csrf_token);
$token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ($_REQUEST['_rx_csrf_token'] ?? null);
if ($token)
{
return Session::verifyToken((string)$token, '', $check_csrf_token);
}
elseif (Session::getMemberSrl())
{
trigger_error('CSRF token missing in authenticated POST request: ' . (\Context::get('act') ?: '(no act)'), \E_USER_WARNING);
return false;
}
}
elseif ($token = isset($_REQUEST['_fb_adsense_token']) ? $_REQUEST['_fb_adsense_token'] : null)
{
return Password::checkPassword($token, 'bb15471de21f33c373abbea6438730ace9bbbacf5f4f9a0cbebdfff7e99c50fe631a78efe3e39736836b5b2082a0c3939e4c4e0f0f2e0028042411c4a8797b73');
}
elseif ($_SERVER['REQUEST_METHOD'] === 'GET')
// Return early for GET and other "safe" requests.
if (in_array($_SERVER['REQUEST_METHOD'], ['GET', 'HEAD', 'OPTIONS', 'TRACE']))
{
return false;
}
// The Sec-Fetch-Site header is the standard way to check whether the request is same-origin.
$sec_fetch_site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? '';
if ($sec_fetch_site === 'same-origin' || $sec_fetch_site === 'none')
{
return true;
}
if ($sec_fetch_site === 'cross-site')
{
return false;
}
// If the Sec-Fetch-Site header is not available, check the Origin header.
$origin = strval($_SERVER['HTTP_ORIGIN'] ?? '');
if ($origin !== '' && $origin !== 'null')
{
return URL::isInternalURL($origin);
}
// If the Origin header is not available, fall back to the Referer header.
// The Referer header is NOT allowed to be empty in this case.
$referer = $referer ?? strval($_SERVER['HTTP_REFERER'] ?? '');
if ($referer !== '' && $referer !== 'null')
{
return URL::isInternalURL($referer);
}
else
{
$is_logged = Session::getMemberSrl();
if ($is_logged)
{
trigger_error('CSRF token missing in POST request: ' . (\Context::get('act') ?: '(no act)'), \E_USER_WARNING);
}
if (!$referer)
{
$referer = strval(($_SERVER['HTTP_ORIGIN'] ?? '') ?: ($_SERVER['HTTP_REFERER'] ?? ''));
}
if ($referer !== '' && $referer !== 'null' && (!$check_csrf_token || !$is_logged))
{
return URL::isInternalURL($referer);
}
else
{
return false;
}
return false;
}
}