Révision 29732bc3
Ajouté par Renato Botelho il y a presque 10 ans
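--- a/usr/local/www/csrf/csrf-magic.php
+++ b/usr/local/www/csrf/csrf-magic.php
@@ -53,6 +53,8 @@
 * will become invalid.
 */
 $GLOBALS['csrf']['secret'] = '';
+// nota bene: library code should use csrf_get_secret() and not access
+// this global directly
 
 /**
 * Set this to false to disable csrf-magic's output handler, and therefore,
@@ -129,7 +131,7 @@
 // FUNCTIONS:
 
 // Don't edit this!
-$GLOBALS['csrf']['version'] = '1.0.1';
+$GLOBALS['csrf']['version'] = '1.0.4';
 
 /**
 * Rewrites <form> on the fly to add CSRF tokens to them. This can also
@@ -240,12 +242,40 @@
 return 'invalid';
 }
 
+function csrf_flattenpost($data) {
+$ret = array();
+foreach($data as $n => $v) {
+$ret = array_merge($ret, csrf_flattenpost2(1, $n, $v));
+}
+return $ret;
+}
+function csrf_flattenpost2($level, $key, $data) {
+if(!is_array($data)) return array($key => $data);
+$ret = array();
+foreach($data as $n => $v) {
+$nk = $level >= 1 ? $key."[$n]" : "[$n]";
+$ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v));
+}
+return $ret;
+}
+
 /**
 * @param $tokens is safe for HTML consumption
 */
 function csrf_callback($tokens) {
+// (yes, $tokens is safe to echo without escaping)
 header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
-echo "<html><head><title>CSRF check failed</title></head><body>CSRF check failed. Either your session has expired, this page has been inactive too long, or you need to enable cookies.<br />Debug: ".$tokens."</body></html>
+$data = '';
+foreach (csrf_flattenpost($_POST) as $key => $value) {
+if ($key == $GLOBALS['csrf']['input-name']) continue;
+$data .= '<input type="hidden" name="'.htmlspecialchars($key).'" value="'.htmlspecialchars($value).'" />';
+}
+echo "<html><head><title>CSRF check failed</title></head>
+<body>
+<p>CSRF check failed. Your form session may have expired, or you may not have
+cookies enabled.</p>
+<form method='post' action=''>$data<input type='submit' value='Try again' /></form>
+<p>Debug: $tokens</p></body></html>
 ";
 }
 
@@ -362,7 +392,7 @@
 */
 function csrf_hash($value, $time = null) {
 if (!$time) $time = time();
-return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
+return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
 }
 
 // Load user configuration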
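Review bot: The new csrf_callback body reflects every field of the rejected POST back into the 403 page as hidden inputs, and the escaping on those inputs relies on htmlspecialchars() defaults — no flags and no explicit charset — so the attribute escaping depends on the interpreter's default encoding and quote handling rather than being pinned in the code; prefer `htmlspecialchars($key, ENT_QUOTES, 'UTF-8')` and `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`. The token-field skip uses a loose comparison, `if ($key == $GLOBALS['csrf']['input-name']) continue;`, which should be `===` so two numeric-looking keys cannot compare equal by value. The "Try again" form carries no token of its own, so it is only protected if csrf-magic's output handler (which the header comments note can be disabled) rewrites it on the way out — worth a comment on the `echo` line stating that dependency. In csrf_hash the commit only swaps the secret accessor; csrf_get_secret() is defined outside this view, so its behaviour when the secret is still the empty default cannot be confirmed here.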
Update csrf-magic to 1.0.4