Fix CSRF check for GET requests

This commit is contained in:
Kijin Sung 2017-04-23 14:51:41 +09:00
parent fa5c7afce2
commit 2822191271
2 changed files with 21 additions and 5 deletions


@ -307,11 +307,7 @@ class Security
*/ */
public static function checkCSRF($referer = null) public static function checkCSRF($referer = null)
{ {
if ($_SERVER['REQUEST_METHOD'] === 'GET') if ($token = $_SERVER['HTTP_X_CSRF_TOKEN'])
{
return true;
}
elseif ($token = $_SERVER['HTTP_X_CSRF_TOKEN'])
{ {
return Session::verifyToken($token); return Session::verifyToken($token);
} }
@ -319,6 +315,10 @@ class Security
{ {
return Session::verifyToken($token); return Session::verifyToken($token);
} }
elseif ($_SERVER['REQUEST_METHOD'] === 'GET')
{
return false;
}
else else
{ {
if (Session::getMemberSrl()) if (Session::getMemberSrl())
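Review bot: The header read that now opens the chain, `if ($token = $_SERVER['HTTP_X_CSRF_TOKEN'])`, still indexes `$_SERVER` without `isset()`, so every request that carries no X-CSRF-Token header (the common case) raises an undefined-index notice before control falls through to the branches this commit reorders. A guarded form such as `if (isset($_SERVER['HTTP_X_CSRF_TOKEN']) && ($token = $_SERVER['HTTP_X_CSRF_TOKEN']) !== '')` keeps the same control flow and also stops a literal token value of `'0'` from being treated as "no token" by the truthiness test. The added `elseif ($_SERVER['REQUEST_METHOD'] === 'GET') { return false; }` is correctly placed after both token channels, but a one-line comment such as `// GET without any token never passes; the referer fallback below is for non-GET requests only` would record why the order matters. checkCSRF's body continues past the end of the hunk (the `else` branch around Session::getMemberSrl() is cut off), so the referer fallback itself was not reviewed here.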


@ -110,14 +110,30 @@ class SecurityTest extends \Codeception\TestCase\Test
$_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_REFERER'] = ''; $_SERVER['HTTP_REFERER'] = '';
$_SERVER['HTTP_X_CSRF_TOKEN'] = '';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_X_CSRF_TOKEN'] = Rhymix\Framework\Session::createToken();
$this->assertTrue(Rhymix\Framework\Security::checkCSRF()); $this->assertTrue(Rhymix\Framework\Security::checkCSRF());
$_SERVER['REQUEST_METHOD'] = 'POST'; $_SERVER['REQUEST_METHOD'] = 'POST';
$_SERVER['HTTP_REFERER'] = '';
$_SERVER['HTTP_X_CSRF_TOKEN'] = '';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF()); $this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_X_CSRF_TOKEN'] = Rhymix\Framework\Session::createToken();
$this->assertTrue(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_REFERER'] = 'http://www.foobar.com/'; $_SERVER['HTTP_REFERER'] = 'http://www.foobar.com/';
$_SERVER['HTTP_X_CSRF_TOKEN'] = '';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF()); $this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_REFERER'] = 'http://www.rhymix.org/foo/bar';
$_SERVER['HTTP_X_CSRF_TOKEN'] = '';
$this->assertTrue(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_X_CSRF_TOKEN'] = 'invalid value';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_REFERER'] = '';
$_SERVER['HTTP_X_CSRF_TOKEN'] = '';
$this->assertTrue(Rhymix\Framework\Security::checkCSRF('http://www.rhymix.org/')); $this->assertTrue(Rhymix\Framework\Security::checkCSRF('http://www.rhymix.org/'));
error_reporting($error_reporting); error_reporting($error_reporting);
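Review bot: Every new assertion sets `$_SERVER['HTTP_X_CSRF_TOKEN']` to `''` or a freshly created token and none ever unsets it, so the absent-header case, which is what a real GET without the header looks like, is never exercised; the `error_reporting($error_reporting)` restore on the last line suggests reporting was changed earlier in the method, in which case a notice from reading the missing index would go unnoticed anyway. Adding one case after the first GET assertion, `unset($_SERVER['HTTP_X_CSRF_TOKEN']); $this->assertFalse(Rhymix\Framework\Security::checkCSRF());`, pins the behaviour the commit title promises for the common GET request. The `assertTrue` after setting the referer to `http://www.rhymix.org/foo/bar` with an empty token presumably relies on the member/referer fallback of checkCSRF, which lies outside this hunk, so that expectation should be confirmed against whatever session state the fixture sets up. The test method begins before the hunk and continues after it.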