Use MD_STD_SEC's anti CSRF functions

2020-12-10 00:49:46 +01:00 · 2020-12-10 00:49:46 +01:00 · 08d28f037c
commit 08d28f037c
parent b8643e0d04
4 changed files with 3 additions and 38 deletions
--- a/functions/functions.php
+++ b/functions/functions.php
@ -333,39 +333,3 @@ function identical_values(array $arrayA, array $arrayB):bool {

 }

-/**
- * Function for retrieving the anti-csrf token or generating it if need be.
- *
- * @return string
- */
-function getAntiCsrfToken():string {
-
-    if (empty($_SESSION['csrf-token'])) {
-        $_SESSION['csrf-token'] = bin2hex(random_bytes(32));
-    }
-
-    return $_SESSION['csrf-token'];
-
-}
-
-/**
- * Function for validating anti-csrf tokens. Each anti-csrf token is removed
- * after use.
- *
- * @return boolean
- */
-function validateAntiCsrfToken():bool {
-
-    $validity = false;
-    if (!empty($_POST['csrf-token'])
-        && !empty($_SESSION['csrf-token'])
-        && hash_equals($_SESSION['csrf-token'], $_POST['csrf-token']) === true
-    ) {
-        $validity = true;
-    }
-    $_SESSION['csrf-token'] = null; unset($_SESSION['csrf-token']);
-
-    return $validity;
-
-}
-
--- a/public/index.php
+++ b/public/index.php
@ -38,7 +38,7 @@ echo '

 <div class="uploader">
    <form enctype="multipart/form-data" action="upload.php" method="POST">
-        <input type="hidden" id="csrf-token" name="csrf-token" aria-label="Anti-CSRF Token" value="' . htmlspecialchars(getAntiCsrfToken()) . '" />
+        <input type="hidden" id="csrf-token" name="csrf-token" aria-label="Anti-CSRF Token" value="' . htmlspecialchars(MD_STD_SEC::getAntiCsrfToken()) . '" />
        <label for="fileToUpload">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'select_csv_file_for_upload') . '</label>
        <input name="uploaded" type="file" accept=".csv" id="fileToUpload" required />
        <button type="submit">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'upload') . '</button>
--- a/public/index3.php
+++ b/public/index3.php
@ -381,6 +381,7 @@ echo '<hr>';
 if ($error + $depcon_error > 0) {
    echo '
    <p>Error(s) found: ' . ($error + $depcon_error) . '</p>';
+    echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) . '" class="buttonLike">Create XML for md:import (utf8)</a><br>';
 }
 else {
    echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) . '" class="buttonLike">Create XML for md:import (utf8)</a><br>';
--- a/public/upload.php
+++ b/public/upload.php
@ -15,7 +15,7 @@ if (session_status() != PHP_SESSION_ACTIVE) {
    session_start();
 }

-if (validateAntiCsrfToken() === false) {
+if (MD_STD_SEC::validateAntiCsrfToken() === false) {
    throw new MDWrongCsrfTokenException();
 }