csrf : Split CSRF from form to external package
form : require the external csrf file git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@2736 bf3deb0d-5f1a-0410-827f-c0cc1f45334c
This commit is contained in:
71
csrf.php
Normal file
71
csrf.php
Normal file
@@ -0,0 +1,71 @@
|
||||
<?php
|
||||
/** DomFramework
|
||||
@package domframework
|
||||
@author Dominique Fournier <dominique@fournier38.fr> */
|
||||
|
||||
/** CSRF protection
|
||||
* By default, the CSRF protection is active if a SESSION is active too.
|
||||
* It can be disabled if needed. An Exception is raised if the form is send
|
||||
* back without the token */
|
||||
class csrf
|
||||
{
|
||||
/** Allow to disable the csrf protection */
|
||||
public $csrf=TRUE;
|
||||
/** This hidden field name in HTML */
|
||||
public $field = "CSRF_TOKEN";
|
||||
/** The created token */
|
||||
private $csrfToken = "";
|
||||
/** Timeout of the CSRF token : 3600s by default (maximum time allowed to
|
||||
* enter information in form and submit) */
|
||||
private $csrfTimeout = 3600;
|
||||
|
||||
/** This function return the token */
|
||||
public function createToken ()
|
||||
{
|
||||
$l = 30; // Number of chars in token
|
||||
$c = "abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
|
||||
for ($s = '',
|
||||
$cl = strlen($c)-1, $i = 0; $i < $l; $s .= $c[mt_rand(0, $cl)],
|
||||
++$i);
|
||||
$this->csrfToken = $s;
|
||||
$_SESSION["domframework"]["csrf"]["csrf"] = $this->csrfToken;
|
||||
$_SESSION["domframework"]["csrf"]["csrfStart"] = microtime (TRUE);
|
||||
return $this->csrfToken;
|
||||
}
|
||||
|
||||
/** Check if the provided token is the right token, defined last displayed
|
||||
* page
|
||||
* @param string $tokenFromUser The value csrf the user's token */
|
||||
public function checkToken ($tokenFromUser)
|
||||
{
|
||||
if ($this->csrf === FALSE )
|
||||
return TRUE;
|
||||
if (! isset ($_SESSION["domframework"]["csrf"]["csrf"]))
|
||||
{
|
||||
throw new Exception (dgettext("domframework",
|
||||
"No previous CSRF token : abort"));
|
||||
}
|
||||
if ($_SESSION["domframework"]["csrf"]["csrf"] !== $tokenFromUser)
|
||||
{
|
||||
throw new Exception (dgettext("domframework",
|
||||
"Invalid CSRF token provided"));
|
||||
}
|
||||
if (($_SESSION["domframework"]["csrf"]["csrfStart"] + $this->csrfTimeout) <
|
||||
microtime (TRUE))
|
||||
{
|
||||
throw new Exception (dgettext("domframework",
|
||||
"Obsolete CSRF token provided"));
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/** Return the CSRF token in a hidden field */
|
||||
public function displayFormCSRF ()
|
||||
{
|
||||
if ($this->csrfToken == "")
|
||||
$this->createToken ();
|
||||
$res = "<input type='hidden' name='$this->field' ";
|
||||
$res .= "value='$this->csrfToken'/>\n";
|
||||
return $res;
|
||||
}
|
||||
}
|
||||
69
form.php
69
form.php
@@ -3,6 +3,8 @@
|
||||
@package domframework
|
||||
@author Dominique Fournier <dominique@fournier38.fr> */
|
||||
|
||||
require_once ("domframework/csrf.php");
|
||||
|
||||
/** This class permit to create easily some forms to HTML (or text mode in
|
||||
* future).
|
||||
* Each field can be checked in AJAX or HTML. */
|
||||
@@ -891,70 +893,3 @@ class formfield
|
||||
return $res;
|
||||
}
|
||||
}
|
||||
|
||||
/** CSRF protection
|
||||
* By default, the CSRF protection is active if a SESSION is active too.
|
||||
* It can be disabled if needed. An Exception is raised if the form is send
|
||||
* back without the token */
|
||||
class csrf
|
||||
{
|
||||
/** Allow to disable the csrf protection */
|
||||
public $csrf=TRUE;
|
||||
/** This hidden field name in HTML */
|
||||
public $field = "CSRF_TOKEN";
|
||||
/** The created token */
|
||||
private $csrfToken = "";
|
||||
/** Timeout of the CSRF token : 3600s by default (maximum time allowed to
|
||||
* enter information in form and submit) */
|
||||
private $csrfTimeout = 3600;
|
||||
|
||||
/** This function return the token */
|
||||
public function createToken ()
|
||||
{
|
||||
$l = 30; // Number of chars in token
|
||||
$c = "abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
|
||||
for ($s = '',
|
||||
$cl = strlen($c)-1, $i = 0; $i < $l; $s .= $c[mt_rand(0, $cl)],
|
||||
++$i);
|
||||
$this->csrfToken = $s;
|
||||
$_SESSION["domframework"]["form"]["csrf"] = $this->csrfToken;
|
||||
$_SESSION["domframework"]["form"]["csrfStart"] = microtime (TRUE);
|
||||
return $this->csrfToken;
|
||||
}
|
||||
|
||||
/** Check if the provided token is the right token, defined last displayed
|
||||
* page
|
||||
* @param string $tokenFromUser The value form the user's token */
|
||||
public function checkToken ($tokenFromUser)
|
||||
{
|
||||
if ($this->csrf === FALSE )
|
||||
return TRUE;
|
||||
if (! isset ($_SESSION["domframework"]["form"]["csrf"]))
|
||||
{
|
||||
throw new Exception (dgettext("domframework",
|
||||
"No previous CSRF token : abort"));
|
||||
}
|
||||
if ($_SESSION["domframework"]["form"]["csrf"] !== $tokenFromUser)
|
||||
{
|
||||
throw new Exception (dgettext("domframework",
|
||||
"Invalid CSRF token provided"));
|
||||
}
|
||||
if (($_SESSION["domframework"]["form"]["csrfStart"] + $this->csrfTimeout) <
|
||||
microtime (TRUE))
|
||||
{
|
||||
throw new Exception (dgettext("domframework",
|
||||
"Obsolete CSRF token provided"));
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/** Return the CSRF token in a hidden field */
|
||||
public function displayFormCSRF ()
|
||||
{
|
||||
if ($this->csrfToken == "")
|
||||
$this->createToken ();
|
||||
$res = "<input type='hidden' name='$this->field' ";
|
||||
$res .= "value='$this->csrfToken'/>\n";
|
||||
return $res;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user