Lanmikeman/chandler
1
1
Fork 0
mirror of https://github.com/openvk/chandler.git synced 2024-11-15 03:31:12 +03:00
Code Issues Projects Releases Packages Wiki Activity

Add CSRF protection options

Browse source
This commit is contained in:
Jill Stingray 2020-08-20 17:08:48 +00:00
parent 3cc25bec51
commit f64b7ad339
2 changed files with 22 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
chandler-example.yml
View file

@ -15,4 +15,5 @@ chandler:
security:
secret: ""
csrfProtection: "permissive"
sessionDuration: 14

32
chandler/MVC/Routing/Router.php
View file

@ -74,19 +74,29 @@ class Router
private function setCSRFStatus(Route $route): void
{
$GLOBALS["csrfCheck"] = false;
$hash = ($_GET["hash"] ?? ($_POST["hash"] ?? false));
if($hash !== false) {
$data = explode("#", $hash);
if(CHANDLER_ROOT_CONF["security"]["csrfProtection"] === "disabled") {
$GLOBALS["csrfCheck"] = true;
} else {
$GLOBALS["csrfCheck"] = false;
try {
if(!isset($data[0]) || !isset($data[1])) throw new \SodiumException;
[$hash, $nonce] = $data;
$hash = ($_GET["hash"] ?? ($_POST["hash"] ?? false));
if($hash !== false) {
$data = explode("#", $hash);
if(sodium_memcmp($this->makeCSRFToken($route, hex2bin($nonce)), "$hash#$nonce") === 0)
$GLOBALS["csrfCheck"] = parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST) === parse_url($_SERVER["HTTP_HOST"], PHP_URL_HOST);
} catch(\SodiumException $ex) {}
try {
if(!isset($data[0]) || !isset($data[1])) throw new \SodiumException;
[$hash, $nonce] = $data;
if(sodium_memcmp($this->makeCSRFToken($route, hex2bin($nonce)), "$hash#$nonce") === 0) {
if(CHANDLER_ROOT_CONF["security"]["csrfProtection"] === "permissive")
$GLOBALS["csrfCheck"] = true;
else if(CHANDLER_ROOT_CONF["security"]["csrfProtection"] === "strict")
$GLOBALS["csrfCheck"] = parse_url($_SERVER["HTTP_REFERER"], PHP_URL_HOST) === $_SERVER["HTTP_HOST"];
else
trigger_error("Bad value for chandler.security.csrfProtection: disabled, permissive or strict expected.", E_USER_ERROR);
}
} catch(\SodiumException $ex) {}
}
}
$GLOBALS["csrfToken"] = $this->makeCSRFToken($route, openssl_random_pseudo_bytes(4));