Révision 29732bc3
Ajouté par Renato Botelho il y a presque 10 ans
| usr/local/www/csrf/csrf-magic.js | ||
|---|---|---|
| 142 | 142 |
} |
| 143 | 143 |
return jQuery.csrf_ajax( s ); |
| 144 | 144 |
} |
| 145 |
} else if (window.Prototype) {
|
|
| 145 |
} |
|
| 146 |
if (window.Prototype) {
|
|
| 146 | 147 |
// This works for script.aculo.us too |
| 147 | 148 |
Ajax.csrf_getTransport = Ajax.getTransport; |
| 148 | 149 |
Ajax.getTransport = function() {
|
| 149 | 150 |
return new CsrfMagic(Ajax.csrf_getTransport()); |
| 150 | 151 |
} |
| 151 |
} else if (window.MooTools) {
|
|
| 152 |
} |
|
| 153 |
if (window.MooTools) {
|
|
| 152 | 154 |
Browser.csrf_Request = Browser.Request; |
| 153 | 155 |
Browser.Request = function () {
|
| 154 | 156 |
return new CsrfMagic(Browser.csrf_Request()); |
| 155 | 157 |
} |
| 156 |
} else if (window.YAHOO) {
|
|
| 158 |
} |
|
| 159 |
if (window.YAHOO) {
|
|
| 160 |
// old YUI API |
|
| 157 | 161 |
YAHOO.util.Connect.csrf_createXhrObject = YAHOO.util.Connect.createXhrObject; |
| 158 | 162 |
YAHOO.util.Connect.createXhrObject = function (transaction) {
|
| 159 | 163 |
obj = YAHOO.util.Connect.csrf_createXhrObject(transaction); |
| 160 | 164 |
obj.conn = new CsrfMagic(obj.conn); |
| 161 | 165 |
return obj; |
| 162 | 166 |
} |
| 163 |
} else if (window.Ext) {
|
|
| 167 |
} |
|
| 168 |
if (window.Ext) {
|
|
| 164 | 169 |
// Ext can use other js libraries as loaders, so it has to come last |
| 165 | 170 |
// Ext's implementation is pretty identical to Yahoo's, but we duplicate |
| 166 | 171 |
// it for comprehensiveness's sake. |
| ... | ... | |
| 170 | 175 |
obj.conn = new CsrfMagic(obj.conn); |
| 171 | 176 |
return obj; |
| 172 | 177 |
} |
| 173 |
} else if (window.dojo) {
|
|
| 178 |
} |
|
| 179 |
if (window.dojo) {
|
|
| 180 |
// NOTE: this doesn't work with latest dojo |
|
| 174 | 181 |
dojo.csrf__xhrObj = dojo._xhrObj; |
| 175 | 182 |
dojo._xhrObj = function () {
|
| 176 | 183 |
return new CsrfMagic(dojo.csrf__xhrObj()); |
| usr/local/www/csrf/csrf-magic.php | ||
|---|---|---|
| 53 | 53 |
* will become invalid. |
| 54 | 54 |
*/ |
| 55 | 55 |
$GLOBALS['csrf']['secret'] = ''; |
| 56 |
// nota bene: library code should use csrf_get_secret() and not access |
|
| 57 |
// this global directly |
|
| 56 | 58 |
|
| 57 | 59 |
/** |
| 58 | 60 |
* Set this to false to disable csrf-magic's output handler, and therefore, |
| ... | ... | |
| 129 | 131 |
// FUNCTIONS: |
| 130 | 132 |
|
| 131 | 133 |
// Don't edit this! |
| 132 |
$GLOBALS['csrf']['version'] = '1.0.1';
|
|
| 134 |
$GLOBALS['csrf']['version'] = '1.0.4';
|
|
| 133 | 135 |
|
| 134 | 136 |
/** |
| 135 | 137 |
* Rewrites <form> on the fly to add CSRF tokens to them. This can also |
| ... | ... | |
| 240 | 242 |
return 'invalid'; |
| 241 | 243 |
} |
| 242 | 244 |
|
| 245 |
function csrf_flattenpost($data) {
|
|
| 246 |
$ret = array(); |
|
| 247 |
foreach($data as $n => $v) {
|
|
| 248 |
$ret = array_merge($ret, csrf_flattenpost2(1, $n, $v)); |
|
| 249 |
} |
|
| 250 |
return $ret; |
|
| 251 |
} |
|
| 252 |
function csrf_flattenpost2($level, $key, $data) {
|
|
| 253 |
if(!is_array($data)) return array($key => $data); |
|
| 254 |
$ret = array(); |
|
| 255 |
foreach($data as $n => $v) {
|
|
| 256 |
$nk = $level >= 1 ? $key."[$n]" : "[$n]"; |
|
| 257 |
$ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v)); |
|
| 258 |
} |
|
| 259 |
return $ret; |
|
| 260 |
} |
|
| 261 |
|
|
| 243 | 262 |
/** |
| 244 | 263 |
* @param $tokens is safe for HTML consumption |
| 245 | 264 |
*/ |
| 246 | 265 |
function csrf_callback($tokens) {
|
| 266 |
// (yes, $tokens is safe to echo without escaping) |
|
| 247 | 267 |
header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden'); |
| 248 |
echo "<html><head><title>CSRF check failed</title></head><body>CSRF check failed. Either your session has expired, this page has been inactive too long, or you need to enable cookies.<br />Debug: ".$tokens."</body></html> |
|
| 268 |
$data = ''; |
|
| 269 |
foreach (csrf_flattenpost($_POST) as $key => $value) {
|
|
| 270 |
if ($key == $GLOBALS['csrf']['input-name']) continue; |
|
| 271 |
$data .= '<input type="hidden" name="'.htmlspecialchars($key).'" value="'.htmlspecialchars($value).'" />'; |
|
| 272 |
} |
|
| 273 |
echo "<html><head><title>CSRF check failed</title></head> |
|
| 274 |
<body> |
|
| 275 |
<p>CSRF check failed. Your form session may have expired, or you may not have |
|
| 276 |
cookies enabled.</p> |
|
| 277 |
<form method='post' action=''>$data<input type='submit' value='Try again' /></form> |
|
| 278 |
<p>Debug: $tokens</p></body></html> |
|
| 249 | 279 |
"; |
| 250 | 280 |
} |
| 251 | 281 |
|
| ... | ... | |
| 362 | 392 |
*/ |
| 363 | 393 |
function csrf_hash($value, $time = null) {
|
| 364 | 394 |
if (!$time) $time = time(); |
| 365 |
return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
|
|
| 395 |
return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
|
|
| 366 | 396 |
} |
| 367 | 397 |
|
| 368 | 398 |
// Load user configuration |
Formats disponibles : Unified diff
Update csrf-magic to 1.0.4