Changeset 756 for branches/1.1dev/lib/App.inc.php
- Timestamp:
- Nov 16, 2021 8:30:58 AM (2 years ago)
- File:
-
- 1 edited
branches/1.1dev/lib/App.inc.php
r710 r756 413 413 * -false <-- To not carry any queries. If URL already has queries those will be retained. 414 414 */ 415 function printHiddenSession($carry_args=null )415 function printHiddenSession($carry_args=null, $include_csrf_token=false) 416 416 { 417 417 static $_using_trans_sid; … … 474 474 if (!isset($_COOKIE[session_name()]) && !$_using_trans_sid) { 475 475 echo '<input type="hidden" name="' . session_name() . '" value="' . session_id() . '" />'; 476 } 477 478 // Include the csrf_token in the form. 479 // This token can be validated upon form submission with $app->verifyCSRFToken() or $app->requireValidCSRFToken() 480 if ($include_csrf_token) { 481 printf('<input type="hidden" name="csrf_token" value="%s" />', getCSRFToken()); 476 482 } 477 483 } … … 620 626 } 621 627 622 /** 623 * Force the user to connect via https (port 443) by redirecting them to 624 * the same page but with https. 628 /* 629 * Generate a csrf_token if it doesn't exist or is expired, save it to the session and return its value. 630 * Otherwise just return the current token. 631 * Details on the synchronizer token pattern: 632 * https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern 633 * 634 * @access public 635 * @param bool $force_new_token Generate a new token, replacing any existing token in the session (used by $app->resetCSRFToken()) 636 * @return string The new or current csrf_token 637 * @author Quinn Comendant <quinn@strangecode.com> 638 * @version 1.0 639 * @since 15 Nov 2014 17:57:17 640 */ 641 function getCSRFToken($force_new_token=false) 642 { 643 if ($force_new_token || !isset($_SESSION['csrf_token']) || (removeSignature($_SESSION['csrf_token']) + 86400 < time())) { 644 // No token, or token is expired; generate one and return it. 645 return $_SESSION['csrf_token'] = addSignature(time(), null, 64); 646 } 647 // Current token is not expired; return it. 
648 return $_SESSION['csrf_token']; 649 } 650 651 /* 652 * Generate a new token, replacing any existing token in the session. Call this function after $app->requireValidCSRFToken() for a new token to be required for each request. 653 * 654 * @access public 655 * @return void 656 * @author Quinn Comendant <quinn@strangecode.com> 657 * @since 14 Oct 2021 17:35:19 658 */ 659 function resetCSRFToken() 660 { 661 getCSRFToken(true); 662 } 663 664 /* 665 * Compares the given csrf_token with the current or previous one saved in the session. 666 * 667 * @access public 668 * @param string $user_submitted_csrf_token The user-submitted token to compare with the session token. 669 * @return bool True if the tokens match, false otherwise. 670 * @author Quinn Comendant <quinn@strangecode.com> 671 * @version 1.0 672 * @since 15 Nov 2014 18:06:55 673 */ 674 function verifyCSRFToken($user_submitted_csrf_token) 675 { 676 677 if ('' == trim($user_submitted_csrf_token)) { 678 logMsg(sprintf('Empty string failed CSRF verification.', null), LOG_NOTICE, __FILE__, __LINE__); 679 return false; 680 } 681 if (!verifySignature($user_submitted_csrf_token, null, 64)) { 682 logMsg(sprintf('Input failed CSRF verification (invalid signature in %s).', $user_submitted_csrf_token), LOG_WARNING, __FILE__, __LINE__); 683 return false; 684 } 685 $csrf_token = getCSRFToken(); 686 if ($user_submitted_csrf_token != $csrf_token) { 687 logMsg(sprintf('Input failed CSRF verification (%s not in %s).', $user_submitted_csrf_token, $csrf_token), LOG_WARNING, __FILE__, __LINE__); 688 return false; 689 } 690 logMsg(sprintf('Verified CSRF token %s', $user_submitted_csrf_token), LOG_DEBUG, __FILE__, __LINE__); 691 return true; 692 } 693 694 /* 695 * Bounce user if they submit a token that doesn't match the one saved in the session. 696 * Because this function calls dieURL() it must be called before any other HTTP header output. 
697 * 698 * @access public 699 * @param string $message Optional message to display to the user (otherwise default message will display). Set to an empty string to display no message. 700 * @param int $type The type of message: MSG_NOTICE, 701 * MSG_SUCCESS, MSG_WARNING, or MSG_ERR. 702 * @param string $file __FILE__. 703 * @param string $line __LINE__. 704 * @return void 705 * @author Quinn Comendant <quinn@strangecode.com> 706 * @version 1.0 707 * @since 15 Nov 2014 18:10:17 708 */ 709 function requireValidCSRFToken($message=null, $type=MSG_NOTICE, $file=null, $line=null) 710 { 711 if (!verifyCSRFToken(getFormData('csrf_token'))) { 712 $message = isset($message) ? $message : _("Sorry, the form token expired. Please try again."); 713 raiseMsg($message, $type, $file, $line); 714 dieBoomerangURL(); 715 } 716 } 717 718 /** 719 * This function has changed to do nothing. SSL redirection should happen at the server layer, doing so here may result in a redirect loop. 625 720 */ 626 721 function sslOn() 627 722 { 628 global $CFG; 629 630 if (function_exists('apache_get_modules')) { 631 $modules = apache_get_modules(); 632 } else { 633 // It's safe to assume we have mod_ssl if we can't determine otherwise. 634 $modules = array('mod_ssl'); 635 } 636 637 if ('on' != getenv('HTTPS') && $CFG->ssl_enabled && in_array('mod_ssl', $modules)) { 638 raiseMsg(sprintf(_("Secure SSL connection made to %s"), $CFG->ssl_domain), MSG_NOTICE, __FILE__, __LINE__); 639 // Always append session because some browsers do not send cookie when crossing to SSL URL. 640 dieURL('https://' . $CFG->ssl_domain . getenv('REQUEST_URI'), null, true); 641 } 642 } 643 644 645 /** 646 * to enforce the user to connect via http (port 80) by redirecting them to 647 * a http version of the current url. 723 logMsg(sprintf('sslOn was called and ignored.', null), LOG_DEBUG, __FILE__, __LINE__); 724 } 725 726 /** 727 * This function has changed to do nothing. 
There is no reason to prefer a non-SSL connection, and doing so may result in a redirect loop. 648 728 */ 649 729 function sslOff() 650 730 { 651 if ('on' == getenv('HTTPS')) { 652 dieURL('http://' . getenv('HTTP_HOST') . getenv('REQUEST_URI'), null, true); 653 } 731 logMsg(sprintf('sslOff was called and ignored.', null), LOG_DEBUG, __FILE__, __LINE__); 654 732 } 655 733
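Review bot: verifyCSRFToken compares the submitted token with the session token using loose `!=`, which applies PHP's type-juggling rules and stops at the first differing byte; the conventional form for a secret is a strict constant-time comparison, `if (!hash_equals($csrf_token, (string) $user_submitted_csrf_token)) {`. The LOG_WARNING and LOG_DEBUG messages around that check interpolate both token values into the log, so the session's live csrf_token is copied into log storage on every failed and successful verification; logging only the outcome (or a short prefix) keeps the token out of the logs. The docblock says the function compares with "the current or previous" session token, but the code keeps a single value in `$_SESSION['csrf_token']` and getCSRFToken() replaces it once expired, so either the comment or the behaviour should change. Separately, getCSRFToken builds the token as `addSignature(time(), null, 64)`, so its unpredictability rests entirely on the signing key and two sessions that mint a token in the same second would appear to receive identical values; a `random_bytes()`-derived value stored per session would avoid that — worth confirming against addSignature, which is outside this hunk. The new docblocks also open with `/*` rather than the `/**` used by the surrounding functions, which hides their @param/@return tags from PHPDoc tooling.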