From 9cf2c5792111570fd831abfad9fc7496995d2e8b Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Mon, 22 Dec 2008 04:33:18 +0000 Subject: Normalize CSRF handling into the access helper. Probably not the best place for it, but it'll do for now. Do CSRF checking in the Admin controller so that we're safe across the board on the admin side. --- core/controllers/admin.php | 4 ++++ core/controllers/admin_dashboard.php | 2 +- core/helpers/access.php | 31 +++++++++++++++++++++++++++++++ core/libraries/MY_Forge.php | 19 ++----------------- 4 files changed, 38 insertions(+), 18 deletions(-) (limited to 'core') diff --git a/core/controllers/admin.php b/core/controllers/admin.php index 2a6bae7e..6e44c54e 100644 --- a/core/controllers/admin.php +++ b/core/controllers/admin.php @@ -33,6 +33,10 @@ class Admin_Controller extends Controller { } public function __call($controller_name, $args) { + if (request::method() == "post") { + access::verify_csrf(); + } + if ($controller_name == "index") { $controller_name = "dashboard"; } diff --git a/core/controllers/admin_dashboard.php b/core/controllers/admin_dashboard.php index a29c2167..13ec5d82 100644 --- a/core/controllers/admin_dashboard.php +++ b/core/controllers/admin_dashboard.php @@ -19,7 +19,7 @@ */ class Admin_Dashboard_Controller extends Admin_Controller { public function index() { - return $this->theme()->dashboard_blocks(); + return $this->theme()->admin_dashboard_blocks(); } } diff --git a/core/helpers/access.php b/core/helpers/access.php index 0d44a074..ab113375 100644 --- a/core/helpers/access.php +++ b/core/helpers/access.php @@ -288,6 +288,37 @@ class access_Core { ORM::factory("access_cache")->where("item_id", $item->id)->find()->delete(); } + /** + * Verify our Cross Site Request Forgery token is valid, else throw an exception. + */ + public static function verify_csrf() { + if (Input::instance()->post("csrf") !== Session::instance()->get("csrf")) { + access::forbidden(); + } + } + + /** + * Get the Cross Site Request Forgery token for this session. + * @return string + */ + public static function csrf_token() { + $session = Session::instance(); + $csrf = $session->get("csrf"); + if (empty($csrf)) { + $csrf = md5(rand()); + $session->set("csrf", $csrf); + } + return $csrf; + } + + /** + * Generate an element containing the Cross Site Request Forgery token for this session. + * @return string + */ + public static function csrf_form_field() { + return ""; + } + /** * Internal method to get all available groups. * diff --git a/core/libraries/MY_Forge.php b/core/libraries/MY_Forge.php index c3d0ca71..877fe62c 100644 --- a/core/libraries/MY_Forge.php +++ b/core/libraries/MY_Forge.php @@ -31,14 +31,7 @@ class Forge extends Forge_Core { * Use our own template */ public function render($template="form.html", $custom=false) { - $session = Session::instance(); - $csrf = $session->get("csrf"); - if (empty($csrf)) { - $csrf = md5(rand()); - $session->set("csrf", $csrf); - } - - $this->inputs["csrf"]->value($csrf); + $this->inputs["csrf"]->value(access::csrf_token()); return parent::render($template, $custom); } @@ -61,15 +54,7 @@ class Forge extends Forge_Core { */ public function validate() { $status = parent::validate(); - - $type = $this->type; - if (empty($type)) { - $csrf_value = $this->csrf->value; - if (empty($csrf_value) || $csrf_value !== Session::instance()->get("csrf")) { - throw new Exception("@todo SECURITY_INVALID_CSRF_TOKEN"); - } - } - + access::verify_csrf(); return $status; } } \ No newline at end of file -- cgit v1.2.3