Dominique Fournier
6d41eab506
git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@3410 bf3deb0d-5f1a-0410-827f-c0cc1f45334c
95 lines
2.9 KiB
PHP
95 lines
2.9 KiB
PHP
<?php
|
|
/** DomFramework
|
|
@package domframework
|
|
@author Dominique Fournier <dominique@fournier38.fr> */
|
|
|
|
/** CSRF protection
|
|
* By default, the CSRF protection is active if a SESSION is active too.
|
|
* It can be disabled if needed. An Exception is raised if the form is send
|
|
* back without the token */
|
|
class csrf
|
|
{
|
|
/** Allow to disable the csrf protection */
|
|
public $csrf=TRUE;
|
|
/** This hidden field name in HTML */
|
|
public $field = "CSRF_TOKEN";
|
|
/** The created token */
|
|
private $csrfToken = "";
|
|
/** Timeout of the CSRF token : 3600s by default (maximum time allowed to
|
|
* enter information in form and submit) */
|
|
private $csrfTimeout = 3600;
|
|
|
|
/** Manage the singleton */
|
|
public function __construct ()
|
|
{
|
|
if (isset ($GLOBALS["domframework"]["csrf"]))
|
|
{
|
|
$this->csrfToken = $GLOBALS["domframework"]["csrf"]->csrfToken;
|
|
$this->field = $GLOBALS["domframework"]["csrf"]->field;
|
|
$this->csrfTimeout = $GLOBALS["domframework"]["csrf"]->csrfTimeout;
|
|
}
|
|
else
|
|
{
|
|
$GLOBALS["domframework"]["csrf"] = $this;
|
|
}
|
|
}
|
|
|
|
/** This function return the token */
|
|
public function createToken ()
|
|
{
|
|
$l = 30; // Number of chars in token
|
|
$c = "abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
|
|
for ($s = '',
|
|
$cl = strlen($c)-1, $i = 0; $i < $l; $s .= $c[mt_rand(0, $cl)],
|
|
++$i);
|
|
$this->csrfToken = $s;
|
|
$_SESSION["domframework"]["csrf"]["csrf"] = $this->csrfToken;
|
|
$_SESSION["domframework"]["csrf"]["csrfStart"] = microtime (TRUE);
|
|
return $this->csrfToken;
|
|
}
|
|
|
|
/** Check if the provided token is the right token, defined last displayed
|
|
* page
|
|
* @param string $tokenFromUser The value csrf the user's token */
|
|
public function checkToken ($tokenFromUser)
|
|
{
|
|
if ($this->csrf === FALSE )
|
|
return TRUE;
|
|
if (! isset ($_SESSION["domframework"]["csrf"]["csrf"]))
|
|
{
|
|
throw new Exception (dgettext("domframework",
|
|
"No previous CSRF token : abort"), 406);
|
|
}
|
|
if ($_SESSION["domframework"]["csrf"]["csrf"] !== $tokenFromUser)
|
|
{
|
|
throw new Exception (dgettext("domframework",
|
|
"Invalid CSRF token provided"), 406);
|
|
}
|
|
if (($_SESSION["domframework"]["csrf"]["csrfStart"] + $this->csrfTimeout) <
|
|
microtime (TRUE))
|
|
{
|
|
throw new Exception (dgettext("domframework",
|
|
"Obsolete CSRF token provided"), 406);
|
|
}
|
|
return TRUE;
|
|
}
|
|
|
|
/** Return the CSRF token in a hidden field */
|
|
public function displayFormCSRF ()
|
|
{
|
|
if ($this->csrfToken == "")
|
|
$this->createToken ();
|
|
$res = "<input type='hidden' name='$this->field' ";
|
|
$res .= "value='$this->csrfToken'/>\n";
|
|
return $res;
|
|
}
|
|
|
|
/** Return the token if exists or create a new one if needed */
|
|
public function getToken ()
|
|
{
|
|
if ($this->csrfToken === "")
|
|
$this->createToken ();
|
|
return $this->csrfToken;
|
|
}
|
|
}
|