Initial implementation of CSRF token enforcement in Security class

This commit is contained in:
Kijin Sung 2017-03-06 15:54:56 +09:00
parent b8569aa5ab
commit 89255d0281
2 changed files with 22 additions and 7 deletions


@ -307,16 +307,31 @@ class Security
*/
public static function checkCSRF($referer = null)
{
if (!$referer)
if ($_SERVER['REQUEST_METHOD'] === 'GET')
{
$referer = strval($_SERVER['HTTP_REFERER']);
if ($referer === '')
return true;
}
elseif ($token = $_SERVER['HTTP_X_CSRF_TOKEN'])
{
return Session::verifyToken($token);
}
elseif ($token = \Context::get('_rx_csrf_token'))
{
return Session::verifyToken($token);
}
else
{
trigger_error('CSRF token missing in POST request: ' . (\Context::get('act') ?: '(no act)'), \E_USER_WARNING);
$referer = strval($referer ?: $_SERVER['HTTP_REFERER']);
if ($referer !== '')
{
return true;
return URL::isInternalURL($referer);
}
else
{
return false;
}
}
return URL::isInternalURL($referer);
}
/**
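Review bot: `elseif ($token = $_SERVER['HTTP_X_CSRF_TOKEN'])` reads the header without an existence check, so every POST that carries the token via `_rx_csrf_token` or relies on the referer fallback emits an undefined-index notice (a warning on PHP 8) before reaching the later branches; guard it with `elseif (isset($_SERVER['HTTP_X_CSRF_TOKEN']) && ($token = $_SERVER['HTTP_X_CSRF_TOKEN']))`, and the same applies to `$_SERVER['HTTP_REFERER']` in the fallback branch. A POST with no token is still accepted when its referer passes `URL::isInternalURL()`, so in this commit the token is warned about rather than enforced; the method's docblock, which ends at the top of this hunk, should say that the referer fallback is a transitional path so callers do not assume token verification has happened. The `$referer` parameter is now consulted only in that fallback branch, which the docblock should also reflect. Since the exemption is keyed on `REQUEST_METHOD === 'GET'`, other safe methods such as HEAD would presumably fall into the token branches; worth confirming that is intended.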


@ -111,7 +111,7 @@ class SecurityTest extends \Codeception\TestCase\Test
$this->assertTrue(Rhymix\Framework\Security::checkCSRF());
$_SERVER['REQUEST_METHOD'] = 'POST';
$this->assertTrue(Rhymix\Framework\Security::checkCSRF());
$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_REFERER'] = 'http://www.foobar.com/';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF());