diff --git a/csrf.php b/csrf.php
new file mode 100644
index 0000000..1cfd0e4
--- /dev/null
+++ b/csrf.php
@@ -0,0 +1,71 @@
+ */
+
+/** CSRF protection
+ * By default, the CSRF protection is active if a SESSION is active too.
+ * It can be disabled if needed. An Exception is raised if the form is send
+ * back without the token */
+class csrf
+{
+ /** Allow to disable the csrf protection */
+ public $csrf=TRUE;
+ /** This hidden field name in HTML */
+ public $field = "CSRF_TOKEN";
+ /** The created token */
+ private $csrfToken = "";
+ /** Timeout of the CSRF token : 3600s by default (maximum time allowed to
+ * enter information in form and submit) */
+ private $csrfTimeout = 3600;
+
+ /** This function return the token */
+ public function createToken ()
+ {
+ $l = 30; // Number of chars in token
+ $c = "abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ for ($s = '',
+ $cl = strlen($c)-1, $i = 0; $i < $l; $s .= $c[mt_rand(0, $cl)],
+ ++$i);
+ $this->csrfToken = $s;
+ $_SESSION["domframework"]["csrf"]["csrf"] = $this->csrfToken;
+ $_SESSION["domframework"]["csrf"]["csrfStart"] = microtime (TRUE);
+ return $this->csrfToken;
+ }
+
+ /** Check if the provided token is the right token, defined last displayed
+ * page
+ * @param string $tokenFromUser The value csrf the user's token */
+ public function checkToken ($tokenFromUser)
+ {
+ if ($this->csrf === FALSE )
+ return TRUE;
+ if (!
isset ($_SESSION["domframework"]["csrf"]["csrf"])) + { + throw new Exception (dgettext("domframework", + "No previous CSRF token : abort")); + } + if ($_SESSION["domframework"]["csrf"]["csrf"] !== $tokenFromUser) + { + throw new Exception (dgettext("domframework", + "Invalid CSRF token provided")); + } + if (($_SESSION["domframework"]["csrf"]["csrfStart"] + $this->csrfTimeout) < + microtime (TRUE)) + { + throw new Exception (dgettext("domframework", + "Obsolete CSRF token provided")); + } + return TRUE; + } + + /** Return the CSRF token in a hidden field */ + public function displayFormCSRF () + { + if ($this->csrfToken == "") + $this->createToken (); + $res = " */ +require_once ("domframework/csrf.php"); + /** This class permit to create easily some forms to HTML (or text mode in * future). * Each field can be checked in AJAX or HTML. */ 
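Review bot: createToken in the new csrf.php draws every token character from mt_rand(), which is not a cryptographically secure generator, so the CSRF token is predictable from a handful of previously issued tokens; on PHP 7+ the one-line change is `$s .= $c[random_int(0, $cl)]` (or build the token from `bin2hex(random_bytes(15))`). In checkToken the comparison `$_SESSION["domframework"]["csrf"]["csrf"] !== $tokenFromUser` is not a constant-time comparison and silently accepts any scalar type from the request; a tighter check is `if (!is_string($tokenFromUser) || !hash_equals($_SESSION["domframework"]["csrf"]["csrf"], $tokenFromUser))`. The isset() guard only covers the `csrf` key, so a session that carries `csrf` without `csrfStart` reaches the timeout arithmetic with an undefined index; testing both keys in the same isset() closes that gap. The hunk is cut off after `$res = "` inside displayFormCSRF, so the remainder of that method is outside this view.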
@@ -891,70 +893,3 @@ class formfield
 return $res;
 }
 }
-
-/** CSRF protection
- * By default, the CSRF protection is active if a SESSION is active too.
- * It can be disabled if needed. An Exception is raised if the form is send
- * back without the token */
-class csrf
-{
- /** Allow to disable the csrf protection */
- public $csrf=TRUE;
- /** This hidden field name in HTML */
- public $field = "CSRF_TOKEN";
- /** The created token */
- private $csrfToken = "";
- /** Timeout of the CSRF token : 3600s by default (maximum time allowed to
- * enter information in form and submit) */
- private $csrfTimeout = 3600;
-
- /** This function return the token */
- public function createToken ()
- {
- $l = 30; // Number of chars in token
- $c = "abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
- for ($s = '',
- $cl = strlen($c)-1, $i = 0; $i < $l; $s .= $c[mt_rand(0, $cl)],
- ++$i);
- $this->csrfToken = $s;
- $_SESSION["domframework"]["form"]["csrf"] = $this->csrfToken;
- $_SESSION["domframework"]["form"]["csrfStart"] = microtime (TRUE);
- return $this->csrfToken;
- }
-
- /** Check if the provided token is the right token, defined last displayed
- * page
- * @param string $tokenFromUser The value form the user's token */
- public function checkToken ($tokenFromUser)
- {
- if ($this->csrf === FALSE )
- return TRUE;
- if (!
isset ($_SESSION["domframework"]["form"]["csrf"])) - { - throw new Exception (dgettext("domframework", - "No previous CSRF token : abort")); - } - if ($_SESSION["domframework"]["form"]["csrf"] !== $tokenFromUser) - { - throw new Exception (dgettext("domframework", - "Invalid CSRF token provided")); - } - if (($_SESSION["domframework"]["form"]["csrfStart"] + $this->csrfTimeout) < - microtime (TRUE)) - { - throw new Exception (dgettext("domframework", - "Obsolete CSRF token provided")); - } - return TRUE; - } - - /** Return the CSRF token in a hidden field */ - public function displayFormCSRF () - { - if ($this->csrfToken == "") - $this->createToken (); - $res = "