fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-07 02:31:40 +09:00
Code Issues Projects Releases Packages Wiki Activity
18909 commits 3 branches 212 tags 117 MiB
Commit graph

25 commits

Author SHA1 Message Date
Kijin Sung
0029d1a1ec Rename all common/framework source files to be case-sensitive 2022-12-26 16:13:09 +09:00
Kijin Sung
35a93f3928 Remove code that uses defuse/php-encryption (from next branch) 2022-12-25 19:45:12 +09:00
Kijin Sung
632a3fff71 Disable strict checking of CSRF token if the user is not logged in 
로그인이 풀리면 세션이 초기화되면서 CSRF 토큰 정보가 사라져서
다른 탭에서 어떤 액션을 호출하더라도 무조건 CSRF 오류가 발생하는 문제 수정

현재 세션에서 토큰을 발행한 적 없는 경우 토큰 체크를 스킵하도록 함
 2022-07-01 13:09:59 +09:00
Kijin Sung
34517e83ce Fix #1966 warning in PHP 8.0 2022-06-29 19:48:44 +09:00
Kijin Sung
e423cba24d Use Origin header before Referer to check CSRF 
OWASP에서는 Referer 헤더보다 Origin 헤더를 먼저 체크하는 것을 권장합니다.
Referer가 비어 있는 경우에도 Origin 헤더에는 유용한 정보가 들어 있을 수 있기 때문입니다.

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
 2021-02-23 16:51:46 +09:00
Kijin Sung
4ac0a6bf66 Use RX_WINDOWS constant in core and file module 2020-02-14 16:16:33 +09:00
Kijin Sung
4b6737800f Throw exception if neither openssl nor mcrypt is available 2018-12-03 15:10:20 +09:00
Kijin Sung
af64ae79c1 Rename checkXEE() to checkXXE() 2018-10-18 14:21:08 +09:00
Kijin Sung
6a7b1e3fd2 Use hash_equals() function if it exists 2018-10-18 14:18:06 +09:00
Kijin Sung
1d35511e04 Enforce CSRF tokens if option is enabled 2018-10-10 18:20:48 +09:00
Kijin Sung
0c62ff7561 Prevent exception on servers with flaky random_bytes() implementation 
카페24 PHP 7.0 웹호스팅 상품에서 random_bytes() 함수가 작동하지 않음
 2017-12-03 10:06:33 +09:00
Kijin Sung
5ae15f4b66 Remove _rx_ajax_compat and _rx_csrf_token from request vars 
JSON/XMLRPC 호환성 확보와 CSRF 공격 방지를 위해 사용되는 이 변수들이
Context::getRequestVars()에 포함되어 불필요하게 여기저기 저장되거나
URL에 포함되어 나오는 문제를 방지합니다.
 2017-07-02 21:46:50 +09:00
Kijin Sung
8c797aaba1 Pass through crypto exceptions 2017-05-07 15:29:21 +09:00
Kijin Sung
2822191271 Fix CSRF check for GET requests 2017-04-23 14:51:41 +09:00
Kijin Sung
df59e541c9 Skip diagnostic CSRF warning if the user is not logged in 2017-03-13 16:41:57 +09:00
Kijin Sung
89255d0281 Initial implementation of CSRF token enforcement in Security class 2017-03-06 15:54:56 +09:00
Kijin Sung
a1618c236f Merge branch 'develop' into pr/session-class 2016-10-05 17:26:12 +09:00
Kijin Sung
4f52122a3c Fix #593 incorrect result from checkCSRF() in GET+JSON request 2016-09-25 12:35:50 +09:00
Kijin Sung
02a45ece9a Fix missing static keyword 2016-08-16 21:55:32 +09:00
Kijin Sung
910f7220e6 Import cryptographic signature functions from XE 1.8.23 2016-08-02 16:30:33 +09:00
Kijin Sung
a0d9e1c6ad Remove outdated checks for old PHP versions 2016-03-22 11:34:36 +09:00
Kijin Sung
cb229c2d66 Clean up namespaces 2016-03-14 21:04:27 +09:00
Kijin Sung
4407af2b0f Use utf8_check to check variables in Security class 2016-03-14 20:54:27 +09:00
Kijin Sung
90dcc4a2e8 Implement encryption, decryption, and CSPRNG in Security class 2016-03-13 20:40:23 +09:00
Kijin Sung
28da8948d7 Initial implementation of Security and URL classes 2016-03-12 17:26:12 +09:00