Dominique.Fournier/DomFramework
1
0
Fork 0
Code Issues Pull Requests Projects Releases Activity

csrf : Split CSRF from form to external package

Browse Source 
form : require the external csrf file


git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@2736 bf3deb0d-5f1a-0410-827f-c0cc1f45334c
This commit is contained in:
Dominique Fournier
2016-05-24 10:28:21 +00:00
parent 1aea4d337c
commit fb56a83583
2 changed files with 73 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
csrf.php Normal file
View File

@@ -0,0 +1,71 @@
<?php
/** DomFramework
@package domframework
@author Dominique Fournier <dominique@fournier38.fr> */
/** CSRF protection
* By default, the CSRF protection is active if a SESSION is active too.
* It can be disabled if needed. An Exception is raised if the form is send
* back without the token */
class csrf
{
/** Allow to disable the csrf protection */
public $csrf=TRUE;
/** This hidden field name in HTML */
public $field = "CSRF_TOKEN";
/** The created token */
private $csrfToken = "";
/** Timeout of the CSRF token : 3600s by default (maximum time allowed to
* enter information in form and submit) */
private $csrfTimeout = 3600;
/** This function return the token */
public function createToken ()
{
$l = 30; // Number of chars in token
$c = "abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
for ($s = '',
$cl = strlen($c)-1, $i = 0; $i < $l; $s .= $c[mt_rand(0, $cl)],
++$i);
$this->csrfToken = $s;
$_SESSION["domframework"]["csrf"]["csrf"] = $this->csrfToken;
$_SESSION["domframework"]["csrf"]["csrfStart"] = microtime (TRUE);
return $this->csrfToken;
}
/** Check if the provided token is the right token, defined last displayed
* page
* @param string $tokenFromUser The value csrf the user's token */
public function checkToken ($tokenFromUser)
{
if ($this->csrf === FALSE )
return TRUE;
if (! isset ($_SESSION["domframework"]["csrf"]["csrf"]))
{
throw new Exception (dgettext("domframework",
"No previous CSRF token : abort"));
}
if ($_SESSION["domframework"]["csrf"]["csrf"] !== $tokenFromUser)
{
throw new Exception (dgettext("domframework",
"Invalid CSRF token provided"));
}
if (($_SESSION["domframework"]["csrf"]["csrfStart"] + $this->csrfTimeout) <
microtime (TRUE))
{
throw new Exception (dgettext("domframework",
"Obsolete CSRF token provided"));
}
return TRUE;
}
/** Return the CSRF token in a hidden field */
public function displayFormCSRF ()
{
if ($this->csrfToken == "")
$this->createToken ();
$res = "<input type='hidden' name='$this->field' ";
$res .= "value='$this->csrfToken'/>\n";
return $res;
}
}

69
form.php
View File

@@ -3,6 +3,8 @@
@package domframework @package domframework
@author Dominique Fournier <dominique@fournier38.fr> */ @author Dominique Fournier <dominique@fournier38.fr> */
require_once ("domframework/csrf.php");
/** This class permit to create easily some forms to HTML (or text mode in /** This class permit to create easily some forms to HTML (or text mode in
* future). * future).
* Each field can be checked in AJAX or HTML. */ * Each field can be checked in AJAX or HTML. */
@@ -891,70 +893,3 @@ class formfield
return $res; return $res;
} }
} }
/** CSRF protection
* By default, the CSRF protection is active if a SESSION is active too.
* It can be disabled if needed. An Exception is raised if the form is send
* back without the token */
class csrf
{
/** Allow to disable the csrf protection */
public $csrf=TRUE;
/** This hidden field name in HTML */
public $field = "CSRF_TOKEN";
/** The created token */
private $csrfToken = "";
/** Timeout of the CSRF token : 3600s by default (maximum time allowed to
* enter information in form and submit) */
private $csrfTimeout = 3600;
/** This function return the token */
public function createToken ()
{
$l = 30; // Number of chars in token
$c = "abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
for ($s = '',
$cl = strlen($c)-1, $i = 0; $i < $l; $s .= $c[mt_rand(0, $cl)],
++$i);
$this->csrfToken = $s;
$_SESSION["domframework"]["form"]["csrf"] = $this->csrfToken;
$_SESSION["domframework"]["form"]["csrfStart"] = microtime (TRUE);
return $this->csrfToken;
}
/** Check if the provided token is the right token, defined last displayed
* page
* @param string $tokenFromUser The value form the user's token */
public function checkToken ($tokenFromUser)
{
if ($this->csrf === FALSE )
return TRUE;
if (! isset ($_SESSION["domframework"]["form"]["csrf"]))
{
throw new Exception (dgettext("domframework",
"No previous CSRF token : abort"));
}
if ($_SESSION["domframework"]["form"]["csrf"] !== $tokenFromUser)
{
throw new Exception (dgettext("domframework",
"Invalid CSRF token provided"));
}
if (($_SESSION["domframework"]["form"]["csrfStart"] + $this->csrfTimeout) <
microtime (TRUE))
{
throw new Exception (dgettext("domframework",
"Obsolete CSRF token provided"));
}
return TRUE;
}
/** Return the CSRF token in a hidden field */
public function displayFormCSRF ()
{
if ($this->csrfToken == "")
$this->createToken ();
$res = "<input type='hidden' name='$this->field' ";
$res .= "value='$this->csrfToken'/>\n";
return $res;
}
}