diff options
Diffstat (limited to 'core/libraries')
| -rw-r--r-- | core/libraries/MY_Forge.php | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/core/libraries/MY_Forge.php b/core/libraries/MY_Forge.php index 4840da1e..c3d0ca71 100644 --- a/core/libraries/MY_Forge.php +++ b/core/libraries/MY_Forge.php @@ -19,7 +19,26 @@ */ class Forge extends Forge_Core { + /** + * Force a CSRF element into every form. + */ + public function __construct($action=null, $title='', $method=null, $attr=array()) { + parent::__construct($action, $title, $method, $attr); + $this->input("csrf")->type("hidden")->value(""); + } + + /** + * Use our own template + */ public function render($template="form.html", $custom=false) { + $session = Session::instance(); + $csrf = $session->get("csrf"); + if (empty($csrf)) { + $csrf = md5(rand()); + $session->set("csrf", $csrf); + } + + $this->inputs["csrf"]->value($csrf); return parent::render($template, $custom); } @@ -36,4 +55,21 @@ class Forge extends Forge_Core { } } } + + /** + * Validate our CSRF value as a mandatory part of all form validation. + */ + public function validate() { + $status = parent::validate(); + + $type = $this->type; + if (empty($type)) { + $csrf_value = $this->csrf->value; + if (empty($csrf_value) || $csrf_value !== Session::instance()->get("csrf")) { + throw new Exception("@todo SECURITY_INVALID_CSRF_TOKEN"); + } + } + + return $status; + } }
\ No newline at end of file |