Use MD_STD_SEC's anti CSRF functions
This commit is contained in:
parent
b8643e0d04
commit
08d28f037c
|
@ -333,39 +333,3 @@ function identical_values(array $arrayA, array $arrayB):bool {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Function for retrieving the anti-csrf token or generating it if need be.
|
|
||||||
*
|
|
||||||
* @return string
|
|
||||||
*/
|
|
||||||
function getAntiCsrfToken():string {
|
|
||||||
|
|
||||||
if (empty($_SESSION['csrf-token'])) {
|
|
||||||
$_SESSION['csrf-token'] = bin2hex(random_bytes(32));
|
|
||||||
}
|
|
||||||
|
|
||||||
return $_SESSION['csrf-token'];
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Function for validating anti-csrf tokens. Each anti-csrf token is removed
|
|
||||||
* after use.
|
|
||||||
*
|
|
||||||
* @return boolean
|
|
||||||
*/
|
|
||||||
function validateAntiCsrfToken():bool {
|
|
||||||
|
|
||||||
$validity = false;
|
|
||||||
if (!empty($_POST['csrf-token'])
|
|
||||||
&& !empty($_SESSION['csrf-token'])
|
|
||||||
&& hash_equals($_SESSION['csrf-token'], $_POST['csrf-token']) === true
|
|
||||||
) {
|
|
||||||
$validity = true;
|
|
||||||
}
|
|
||||||
$_SESSION['csrf-token'] = null; unset($_SESSION['csrf-token']);
|
|
||||||
|
|
||||||
return $validity;
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
|
@ -38,7 +38,7 @@ echo '
|
||||||
|
|
||||||
<div class="uploader">
|
<div class="uploader">
|
||||||
<form enctype="multipart/form-data" action="upload.php" method="POST">
|
<form enctype="multipart/form-data" action="upload.php" method="POST">
|
||||||
<input type="hidden" id="csrf-token" name="csrf-token" aria-label="Anti-CSRF Token" value="' . htmlspecialchars(getAntiCsrfToken()) . '" />
|
<input type="hidden" id="csrf-token" name="csrf-token" aria-label="Anti-CSRF Token" value="' . htmlspecialchars(MD_STD_SEC::getAntiCsrfToken()) . '" />
|
||||||
<label for="fileToUpload">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'select_csv_file_for_upload') . '</label>
|
<label for="fileToUpload">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'select_csv_file_for_upload') . '</label>
|
||||||
<input name="uploaded" type="file" accept=".csv" id="fileToUpload" required />
|
<input name="uploaded" type="file" accept=".csv" id="fileToUpload" required />
|
||||||
<button type="submit">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'upload') . '</button>
|
<button type="submit">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'upload') . '</button>
|
||||||
|
|
|
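Review bot: The new `MD_STD_SEC::getAntiCsrfToken()` call in the hidden input depends on the MD_STD_SEC class being loadable from this template, yet no hunk in this commit adds a `require` or `use` for it while the local getAntiCsrfToken() it replaces is deleted in the first hunk; if the class is not covered by an existing autoloader the page dies with an `Error` before any output. The same applies to the `MD_STD_SEC::validateAntiCsrfToken()` call in the last hunk. Assuming the class is autoloaded, wrapping the token in htmlspecialchars() remains the right escaping for the attribute context. The `echo '` statement this line belongs to starts before the hunk.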
@ -381,6 +381,7 @@ echo '<hr>';
|
||||||
if ($error + $depcon_error > 0) {
|
if ($error + $depcon_error > 0) {
|
||||||
echo '
|
echo '
|
||||||
<p>Error(s) found: ' . ($error + $depcon_error) . '</p>';
|
<p>Error(s) found: ' . ($error + $depcon_error) . '</p>';
|
||||||
|
echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) . '" class="buttonLike">Create XML for md:import (utf8)</a><br>';
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) . '" class="buttonLike">Create XML for md:import (utf8)</a><br>';
|
echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) . '" class="buttonLike">Create XML for md:import (utf8)</a><br>';
|
||||||
|
|
|
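Review bot: The link added to the error branch builds a query string from `$_GET['fnam']` with only htmlspecialchars(), which escapes for the HTML attribute but not for the URL: a file name containing `&`, `#`, `?` or `%` changes the target query, and a missing `fnam` passes null to htmlspecialchars() (deprecated since PHP 8.1) after an undefined-index warning. Prefer `htmlspecialchars(rawurlencode($_GET['fnam'] ?? ''))`, or better, reuse whatever validated file-name value this script derived earlier from `fnam`; the pre-existing line in the else branch has the same weakness. The new line is now identical to the one in the else branch, so if the remainder of that branch (which continues past the hunk) emits nothing else, the echo could be hoisted out of the conditional. Whether offering XML creation when errors were found is intended cannot be judged from the hunk.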
@ -15,7 +15,7 @@ if (session_status() != PHP_SESSION_ACTIVE) {
|
||||||
session_start();
|
session_start();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (validateAntiCsrfToken() === false) {
|
if (MD_STD_SEC::validateAntiCsrfToken() === false) {
|
||||||
throw new MDWrongCsrfTokenException();
|
throw new MDWrongCsrfTokenException();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
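Review bot: The switch to `MD_STD_SEC::validateAntiCsrfToken()` replaces the implementation the CSRF gate depends on without that body being visible in the commit; the removed function in the first hunk compared `$_POST['csrf-token']` against the session value with hash_equals() and unset the session token after every attempt, so confirm the class method keeps the constant-time comparison and the single-use semantics the upload form in the second hunk relies on. Because the guard is `=== false`, a method that returns null or any non-bool on failure would let the request through without throwing MDWrongCsrfTokenException, so its declared `: bool` return type is worth checking. The surrounding script continues past the hunk.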