Disable strict checking of CSRF token if the user is not logged in

로그인이 풀리면 세션이 초기화되면서 CSRF 토큰 정보가 사라져서
다른 탭에서 어떤 액션을 호출하더라도 무조건 CSRF 오류가 발생하는 문제 수정

현재 세션에서 토큰을 발행한 적 없는 경우 토큰 체크를 스킵하도록 함
Kijin Sung 2022-07-01 13:09:59 +09:00
parent e9375cd72a
commit 632a3fff71
2 changed files with 13 additions and 4 deletions


@ -330,13 +330,14 @@ class Security
*/
public static function checkCSRF($referer = null)
{
$check_csrf_token = config('security.check_csrf_token') ? true : false;
if ($token = isset($_SERVER['HTTP_X_CSRF_TOKEN']) ? $_SERVER['HTTP_X_CSRF_TOKEN'] : null)
{
return Session::verifyToken($token);
return Session::verifyToken($token, '', $check_csrf_token);
}
elseif ($token = isset($_REQUEST['_rx_csrf_token']) ? $_REQUEST['_rx_csrf_token'] : null)
{
return Session::verifyToken($token);
return Session::verifyToken($token, '', $check_csrf_token);
}
elseif ($_SERVER['REQUEST_METHOD'] === 'GET')
{
@ -354,7 +355,7 @@ class Security
{
$referer = strval(($_SERVER['HTTP_ORIGIN'] ?? '') ?: ($_SERVER['HTTP_REFERER'] ?? ''));
}
if ($referer !== '' && $referer !== 'null' && (!config('security.check_csrf_token') || !$is_logged))
if ($referer !== '' && $referer !== 'null' && (!$check_csrf_token || !$is_logged))
{
return URL::isInternalURL($referer);
}
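Review bot: Once a request carries `X-CSRF-Token` or `_rx_csrf_token` (the two token branches in the first hunk), checkCSRF returns verifyToken's answer directly, and with `security.check_csrf_token` disabled verifyToken's new lenient branch accepts any token value for an anonymous session that has never issued one — so that request never reaches the origin/referer check that the no-token path still applies in the second hunk (`URL::isInternalURL($referer)`). A request presenting an arbitrary token is therefore treated more leniently than one omitting it, which inverts the intent of the flag. I would return early only on a strict verification success and otherwise fall through to the referer-based checks, which already honour `!$check_csrf_token || !$is_logged`; the tail of checkCSRF is outside the hunk, so I am assuming it ends by returning false when no branch matches. With that change `$strict` no longer needs to be passed from here, and the file already uses `??` (see the `$referer` line), so the null-coalescing form is in style.
```php
$check_csrf_token = config('security.check_csrf_token') ? true : false;
$token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_REQUEST['_rx_csrf_token'] ?? null;
if ($token !== null && Session::verifyToken($token))
{
    return true;
}
if ($_SERVER['REQUEST_METHOD'] === 'GET')
// … unchanged: GET handling and referer/origin validation …
```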


@ -918,16 +918,24 @@ class Session
*
* This method returns true if the token is valid, and false otherwise.
*
* Strict checking can be disabled if the user is not logged in
* and no tokens have been issued in the current session.
*
* @param string $token
* @param string $key (optional)
* @param bool $strict (optional)
* @return bool
*/
public static function verifyToken($token, $key = null)
public static function verifyToken($token, $key = '', $strict = true)
{
if (isset($_SESSION['RHYMIX']['tokens'][$token]) && $_SESSION['RHYMIX']['tokens'][$token] === strval($key))
{
return true;
}
elseif (!$strict && empty($_SESSION['RHYMIX']['tokens']) && !self::getMemberSrl())
{
return true;
}
else
{
return false;
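Review bot: The docblock added at the top of this hunk understates what the lenient `elseif` branch does: with `$strict === false`, a session that has never stored a token and has no member srl makes verifyToken return true for whatever `$token` the caller passed, so the token value itself is never compared on that path. I would spell that out so callers know they still owe origin or referer validation, e.g. `* When $strict is false, no token has ever been issued in this session and no member is logged in, the supplied token is accepted without being compared to anything; the caller must validate the request origin itself.` Note also that `empty($_SESSION['RHYMIX']['tokens'])` is true for a session with no `RHYMIX` key at all, which appears to be the fresh-session case the commit targets. `getMemberSrl()` is defined outside this hunk, so I am assuming it returns a falsy value for anonymous visitors.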