
Always verify the CSRF token for resource-modifying requests,

that is POST, PUT, PATCH and DELETE
pull/356/head
glaszig 3 years ago
parent
commit
f989b8060b
  1. 20
      includes/functions.php
  2. 4
      index.php

20
includes/functions.php

@ -82,6 +82,26 @@ function CSRFValidate()
}
}
/**
* Should the request be CSRF-validated?
*/
function csrfValidateRequest()
{
$request_method = strtolower($_SERVER['REQUEST_METHOD']);
return in_array($request_method, [ "post", "put", "patch", "delete" ]);
}
/**
* Handle invalid CSRF
*/
function handleInvalidCSRFToken()
{
header('HTTP/1.1 500 Internal Server Error');
header('Content-Type: text/plain');
echo 'Invalid CSRF token';
exit;
}
/**
* Test whether array is associative
*/
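Review bot: `handleInvalidCSRFToken()` answers a rejected token with `HTTP/1.1 500 Internal Server Error`, which reports a client-side authorization failure as a server fault, skews error-rate alerting and can make clients retry; a CSRF rejection is conventionally `403 Forbidden`, so replace the status line with `http_response_code(403);`, which also drops the hard-coded protocol version. In `csrfValidateRequest()` make the method match strict by passing the third argument: `return in_array($request_method, ['post', 'put', 'patch', 'delete'], true);`. The gate is purely method-based, so any handler that mutates state on a GET (if one exists — not visible here) remains unprotected. The body of `CSRFValidate()` starts before this hunk, so the token comparison itself is not reviewed here.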

4
index.php

@ -39,6 +39,10 @@ include_once('includes/about.php');
$output = $return = 0;
$page = $_GET['page'];
if (csrfValidateRequest() && !CSRFValidate()) {
handleInvalidCSRFToken();
}
if (empty($_SESSION['csrf_token'])) {
if (function_exists('mcrypt_create_iv')) {
$_SESSION['csrf_token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
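Review bot: The new `csrfValidateRequest() && !CSRFValidate()` guard runs before the session token is issued on the first request, so `CSRFValidate()` must fail closed when `$_SESSION['csrf_token']` is unset and must compare tokens with `hash_equals()` rather than `==`; its body is not in this hunk, so confirm both. Because the check is placed only in `index.php`, any other PHP entry point that performs writes (if the project has one — not visible here) is still uncovered; moving the guard into the shared include would let every script inherit it. The token generation directly below still prefers `mcrypt_create_iv`, which was removed in PHP 7.2; the fallback branch lies outside the hunk, so verify it reaches `random_bytes()`. The enclosing script continues past the end of this hunk.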
