Use MD_STD_SEC's anti CSRF functions
		@@ -333,39 +333,3 @@ function identical_values(array $arrayA, array $arrayB):bool {
}
/**
 * Function for retrieving the anti-csrf token or generating it if need be.
 *
 * @return string
 */
function getAntiCsrfToken():string {
    if (empty($_SESSION['csrf-token'])) {
        $_SESSION['csrf-token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf-token'];
}
/**
 * Function for validating anti-csrf tokens. Each anti-csrf token is removed
 * after use.
 *
 * @return boolean
 */
function validateAntiCsrfToken():bool {
    $validity = false;
    if (!empty($_POST['csrf-token'])
        && !empty($_SESSION['csrf-token'])
        && hash_equals($_SESSION['csrf-token'], $_POST['csrf-token']) === true
    ) {
        $validity = true;
    }
    $_SESSION['csrf-token'] = null; unset($_SESSION['csrf-token']);
    return $validity;
}
 
@@ -38,7 +38,7 @@ echo '
<div class="uploader">
    <form enctype="multipart/form-data" action="upload.php" method="POST">
        <input type="hidden" id="csrf-token" name="csrf-token" aria-label="Anti-CSRF Token" value="' . htmlspecialchars(getAntiCsrfToken()) . '" />
        <input type="hidden" id="csrf-token" name="csrf-token" aria-label="Anti-CSRF Token" value="' . htmlspecialchars(MD_STD_SEC::getAntiCsrfToken()) . '" />
        <label for="fileToUpload">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'select_csv_file_for_upload') . '</label>
        <input name="uploaded" type="file" accept=".csv" id="fileToUpload" required />
        <button type="submit">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'upload') . '</button>
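Review bot: `MD_STD_SEC::getAntiCsrfToken()` on the new hidden-input line needs an active session to be useful — the implementation this commit removes stored the token in `$_SESSION['csrf-token']` and the validating side reads it back from the session — yet this hunk shows no `session_start()` guard, unlike the hunk that validates the token (presumably upload.php, the form's `action`). If this page does not start the session earlier, outside the hunk, the token is generated but never persisted and every upload fails with `MDWrongCsrfTokenException`; adding `if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }` before the `echo` removes that dependency on call order. The `htmlspecialchars()` on the token value is adequate for a double-quoted attribute. The enclosing `echo '...'` starts before the hunk.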
 
@@ -381,6 +381,7 @@ echo '<hr>';
if ($error + $depcon_error > 0) {
    echo '
    <p>Error(s) found: ' . ($error + $depcon_error) . '</p>';
    echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) . '" class="buttonLike">Create XML for md:import (utf8)</a><br>';
}
else {
    echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) . '" class="buttonLike">Create XML for md:import (utf8)</a><br>';
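Review bot: On the `echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) ...` line added to the error branch (by the hunk counts one of the two identical link lines is new), `$_GET['fnam']` is placed into a query string with HTML escaping only; `htmlspecialchars()` does not percent-encode `=` or `#`, and its `&amp;` decodes back to `&` in the href, so a value like `x&other=1` becomes a second query parameter in the generated link. Encode for the URL context first, then escape for HTML: `htmlspecialchars(rawurlencode($_GET['fnam'] ?? ''))`; the `?? ''` also avoids an undefined-index warning when `fnam` is absent. The unchanged line in the `else` branch has the same pattern and deserves the same treatment. Whether index6.php restricts `fnam` to the previously uploaded file's name is not visible here; if it is used as a path, that check belongs there.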
 
@@ -15,7 +15,7 @@ if (session_status() != PHP_SESSION_ACTIVE) {
    session_start();
}
if (validateAntiCsrfToken() === false) {
if (MD_STD_SEC::validateAntiCsrfToken() === false) {
    throw new MDWrongCsrfTokenException();
}
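Review bot: `MD_STD_SEC::validateAntiCsrfToken()` is the first check after the session guard, so a multipart upload larger than `post_max_size` — PHP then discards both `$_POST` and `$_FILES` — arrives without a `csrf-token` field and is reported as `MDWrongCsrfTokenException` instead of as an oversized file, which for a CSV uploader is the failure users are most likely to hit. Detect that case before the token check: `if (empty($_POST) && empty($_FILES) && (int) ($_SERVER['CONTENT_LENGTH'] ?? 0) > 0) { /* body exceeded post_max_size: report the size limit, not a CSRF failure */ }` and fall through to the token validation otherwise. The removed implementation also unset the session token on every attempt, success or failure; whether the MD_STD_SEC version keeps that single-use behaviour is not visible here, but if it does, a user with the form open in two tabs will have the second submission rejected, which is worth documenting next to the check. The rest of this file is outside the hunk.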
 