Révision 29732bc3
Ajouté par Renato Botelho il y a presque 10 ans
usr/local/www/csrf/csrf-magic.js | ||
---|---|---|
142 | 142 |
} |
143 | 143 |
return jQuery.csrf_ajax( s ); |
144 | 144 |
} |
145 |
} else if (window.Prototype) { |
|
145 |
} |
|
146 |
if (window.Prototype) { |
|
146 | 147 |
// This works for script.aculo.us too |
147 | 148 |
Ajax.csrf_getTransport = Ajax.getTransport; |
148 | 149 |
Ajax.getTransport = function() { |
149 | 150 |
return new CsrfMagic(Ajax.csrf_getTransport()); |
150 | 151 |
} |
151 |
} else if (window.MooTools) { |
|
152 |
} |
|
153 |
if (window.MooTools) { |
|
152 | 154 |
Browser.csrf_Request = Browser.Request; |
153 | 155 |
Browser.Request = function () { |
154 | 156 |
return new CsrfMagic(Browser.csrf_Request()); |
155 | 157 |
} |
156 |
} else if (window.YAHOO) { |
|
158 |
} |
|
159 |
if (window.YAHOO) { |
|
160 |
// old YUI API |
|
157 | 161 |
YAHOO.util.Connect.csrf_createXhrObject = YAHOO.util.Connect.createXhrObject; |
158 | 162 |
YAHOO.util.Connect.createXhrObject = function (transaction) { |
159 | 163 |
obj = YAHOO.util.Connect.csrf_createXhrObject(transaction); |
160 | 164 |
obj.conn = new CsrfMagic(obj.conn); |
161 | 165 |
return obj; |
162 | 166 |
} |
163 |
} else if (window.Ext) { |
|
167 |
} |
|
168 |
if (window.Ext) { |
|
164 | 169 |
// Ext can use other js libraries as loaders, so it has to come last |
165 | 170 |
// Ext's implementation is pretty identical to Yahoo's, but we duplicate |
166 | 171 |
// it for comprehensiveness's sake. |
... | ... | |
170 | 175 |
obj.conn = new CsrfMagic(obj.conn); |
171 | 176 |
return obj; |
172 | 177 |
} |
173 |
} else if (window.dojo) { |
|
178 |
} |
|
179 |
if (window.dojo) { |
|
180 |
// NOTE: this doesn't work with latest dojo |
|
174 | 181 |
dojo.csrf__xhrObj = dojo._xhrObj; |
175 | 182 |
dojo._xhrObj = function () { |
176 | 183 |
return new CsrfMagic(dojo.csrf__xhrObj()); |
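Review bot: Now that each library is patched by its own independent `if` (new lines 147, 153, 159, 168, 179) instead of the former `else if` chain, a page that loads several of these libraries gets every one of them wrapped, and the comment at new line 169 says Ext can use other libraries as loaders — if Ext's transport is built on a YUI or Prototype transport that was already replaced above, the XHR may end up wrapped in CsrfMagic twice; the Ext lines 172–174 are elided here, so this is inferred and worth checking by hand. Separately, the YAHOO block at new line 163 assigns `obj` without a declaration, leaking an implicit global from a function that can run on every request; `var obj = YAHOO.util.Connect.csrf_createXhrObject(transaction);` keeps it local, and the Ext block (line 175 uses `obj.conn`) likely has the same pattern in its elided assignment. The dojo `_xhrObj` replacement starting at new line 182 closes outside this hunk.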
usr/local/www/csrf/csrf-magic.php | ||
---|---|---|
53 | 53 |
* will become invalid. |
54 | 54 |
*/ |
55 | 55 |
$GLOBALS['csrf']['secret'] = ''; |
56 |
// nota bene: library code should use csrf_get_secret() and not access |
|
57 |
// this global directly |
|
56 | 58 |
|
57 | 59 |
/** |
58 | 60 |
* Set this to false to disable csrf-magic's output handler, and therefore, |
... | ... | |
129 | 131 |
// FUNCTIONS: |
130 | 132 |
|
131 | 133 |
// Don't edit this! |
132 |
$GLOBALS['csrf']['version'] = '1.0.1';
|
|
134 |
$GLOBALS['csrf']['version'] = '1.0.4';
|
|
133 | 135 |
|
134 | 136 |
/** |
135 | 137 |
* Rewrites <form> on the fly to add CSRF tokens to them. This can also |
... | ... | |
240 | 242 |
return 'invalid'; |
241 | 243 |
} |
242 | 244 |
|
245 |
function csrf_flattenpost($data) { |
|
246 |
$ret = array(); |
|
247 |
foreach($data as $n => $v) { |
|
248 |
$ret = array_merge($ret, csrf_flattenpost2(1, $n, $v)); |
|
249 |
} |
|
250 |
return $ret; |
|
251 |
} |
|
252 |
function csrf_flattenpost2($level, $key, $data) { |
|
253 |
if(!is_array($data)) return array($key => $data); |
|
254 |
$ret = array(); |
|
255 |
foreach($data as $n => $v) { |
|
256 |
$nk = $level >= 1 ? $key."[$n]" : "[$n]"; |
|
257 |
$ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v)); |
|
258 |
} |
|
259 |
return $ret; |
|
260 |
} |
|
261 |
|
|
243 | 262 |
/** |
244 | 263 |
* @param $tokens is safe for HTML consumption |
245 | 264 |
*/ |
246 | 265 |
function csrf_callback($tokens) { |
266 |
// (yes, $tokens is safe to echo without escaping) |
|
247 | 267 |
header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden'); |
248 |
echo "<html><head><title>CSRF check failed</title></head><body>CSRF check failed. Either your session has expired, this page has been inactive too long, or you need to enable cookies.<br />Debug: ".$tokens."</body></html> |
|
268 |
$data = ''; |
|
269 |
foreach (csrf_flattenpost($_POST) as $key => $value) { |
|
270 |
if ($key == $GLOBALS['csrf']['input-name']) continue; |
|
271 |
$data .= '<input type="hidden" name="'.htmlspecialchars($key).'" value="'.htmlspecialchars($value).'" />'; |
|
272 |
} |
|
273 |
echo "<html><head><title>CSRF check failed</title></head> |
|
274 |
<body> |
|
275 |
<p>CSRF check failed. Your form session may have expired, or you may not have |
|
276 |
cookies enabled.</p> |
|
277 |
<form method='post' action=''>$data<input type='submit' value='Try again' /></form> |
|
278 |
<p>Debug: $tokens</p></body></html> |
|
249 | 279 |
"; |
250 | 280 |
} |
251 | 281 |
|
... | ... | |
362 | 392 |
*/ |
363 | 393 |
function csrf_hash($value, $time = null) { |
364 | 394 |
if (!$time) $time = time(); |
365 |
return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
|
|
395 |
return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
|
|
366 | 396 |
} |
367 | 397 |
|
368 | 398 |
// Load user configuration |
Update csrf-magic to 1.0.4