From 08d28f037c1f18c4144d621d93a88b73b42bab4d Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin
Date: Thu, 10 Dec 2020 00:49:46 +0100
Subject: [PATCH] Use MD_STD_SEC's anti CSRF functions

---
 functions/functions.php | 36 ------------------------------------
 public/index.php | 2 +-
 public/index3.php | 1 +
 public/upload.php | 2 +-
 4 files changed, 3 insertions(+), 38 deletions(-)

diff --git a/functions/functions.php b/functions/functions.php
index 602a54e..3e33238 100644
--- a/functions/functions.php
+++ b/functions/functions.php
@@ -333,39 +333,3 @@ function identical_values(array $arrayA, array $arrayB):bool {
 } -/** - * Function for retrieving the anti-csrf token or generating it if need be. - * - * @return string - */ -function getAntiCsrfToken():string { - if (empty($_SESSION['csrf-token'])) { - $_SESSION['csrf-token'] = bin2hex(random_bytes(32)); - } - - return $_SESSION['csrf-token']; - -} - -/** - * Function for validating anti-csrf tokens. Each anti-csrf token is removed - * after use. - * - * @return boolean - */ -function validateAntiCsrfToken():bool { - - $validity = false; - if (!empty($_POST['csrf-token']) - && !empty($_SESSION['csrf-token']) - && hash_equals($_SESSION['csrf-token'], $_POST['csrf-token']) === true - ) { - $validity = true; - } - $_SESSION['csrf-token'] = null; unset($_SESSION['csrf-token']); - - return $validity; - -} -
diff --git a/public/index.php b/public/index.php
index dc6cbba..b6c7c72 100644
--- a/public/index.php
+++ b/public/index.php
@@ -38,7 +38,7 @@ echo '
- +
diff --git a/public/index3.php b/public/index3.php
index b75f89b..99ddd4f 100644
--- a/public/index3.php
+++ b/public/index3.php
@@ -381,6 +381,7 @@ echo '
'; if ($error + $depcon_error > 0) { echo '

Error(s) found: ' . ($error + $depcon_error) . '

'; + echo 'Create XML for md:import (utf8)
'; } else { echo 'Create XML for md:import (utf8)
';
diff --git a/public/upload.php b/public/upload.php
index 2a8c88e..a9148aa 100644
--- a/public/upload.php
+++ b/public/upload.php
@@ -15,7 +15,7 @@ if (session_status() != PHP_SESSION_ACTIVE) {
 session_start();
 }
-if (validateAntiCsrfToken() === false) {
+if (MD_STD_SEC::validateAntiCsrfToken() === false) {
 throw new MDWrongCsrfTokenException();
 }
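Review bot: The new `MD_STD_SEC::validateAntiCsrfToken()` call is not shown to keep the single-use behaviour of the helper deleted from functions/functions.php, which cleared `$_SESSION['csrf-token']` on every call (pass or fail) so a token could not be replayed after one submission; if the library version leaves the token in the session, a leaked token stays valid until the session ends. Confirm the library implementation consumes the token, compares with `hash_equals()`, and reads the same `csrf-token` POST field and session key that the forms in index.php and index3.php emit, since a naming mismatch would reject every upload. Nothing in this hunk brings `MD_STD_SEC` into scope (no `require` or `use` is added), so it presumably relies on an autoloader; if that is not wired up for this entry point, the request fails with a class-not-found error before the token is ever checked. The if-block is complete within the hunk; the rest of upload.php is outside it.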