museum-digital/csvxml
museum-digital/csvxml
33
0
Fork 0
Code Issues 3 Pull Requests Releases Activity

Use MD_STD_SEC's anti CSRF functions

Browse Source
This commit is contained in:
Joshua Ramon Enslin 2020-12-10 00:49:46 +01:00
parent b8643e0d04
commit 08d28f037c
Signed by: jrenslin
GPG Key ID: 46016F84501B70AE
4 changed files with 3 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
functions/functions.php
View File

@ -333,39 +333,3 @@ function identical_values(array $arrayA, array $arrayB):bool {
} }
/**
* Function for retrieving the anti-csrf token or generating it if need be.
*
* @return string
*/
function getAntiCsrfToken():string {
if (empty($_SESSION['csrf-token'])) {
$_SESSION['csrf-token'] = bin2hex(random_bytes(32));
}
return $_SESSION['csrf-token'];
}
/**
* Function for validating anti-csrf tokens. Each anti-csrf token is removed
* after use.
*
* @return boolean
*/
function validateAntiCsrfToken():bool {
$validity = false;
if (!empty($_POST['csrf-token'])
&& !empty($_SESSION['csrf-token'])
&& hash_equals($_SESSION['csrf-token'], $_POST['csrf-token']) === true
) {
$validity = true;
}
$_SESSION['csrf-token'] = null; unset($_SESSION['csrf-token']);
return $validity;
}

2
public/index.php
View File

@ -38,7 +38,7 @@ echo '
<div class="uploader"> <div class="uploader">
<form enctype="multipart/form-data" action="upload.php" method="POST"> <form enctype="multipart/form-data" action="upload.php" method="POST">
<input type="hidden" id="csrf-token" name="csrf-token" aria-label="Anti-CSRF Token" value="' . htmlspecialchars(getAntiCsrfToken()) . '" /> <input type="hidden" id="csrf-token" name="csrf-token" aria-label="Anti-CSRF Token" value="' . htmlspecialchars(MD_STD_SEC::getAntiCsrfToken()) . '" />
<label for="fileToUpload">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'select_csv_file_for_upload') . '</label> <label for="fileToUpload">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'select_csv_file_for_upload') . '</label>
<input name="uploaded" type="file" accept=".csv" id="fileToUpload" required /> <input name="uploaded" type="file" accept=".csv" id="fileToUpload" required />
<button type="submit">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'upload') . '</button> <button type="submit">' . $tlLoader->tl("csvxml-overview", "csvxml_overview", 'upload') . '</button>

1
public/index3.php
View File

@ -381,6 +381,7 @@ echo '<hr>';
if ($error + $depcon_error > 0) { if ($error + $depcon_error > 0) {
echo ' echo '
<p>Error(s) found: ' . ($error + $depcon_error) . '</p>'; <p>Error(s) found: ' . ($error + $depcon_error) . '</p>';
echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) . '" class="buttonLike">Create XML for md:import (utf8)</a><br>';
} }
else { else {
echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) . '" class="buttonLike">Create XML for md:import (utf8)</a><br>'; echo '<a href="index6.php?fnam=' . htmlspecialchars($_GET['fnam']) . '" class="buttonLike">Create XML for md:import (utf8)</a><br>';

2
public/upload.php
View File

@ -15,7 +15,7 @@ if (session_status() != PHP_SESSION_ACTIVE) {
session_start(); session_start();
} }
if (validateAntiCsrfToken() === false) { if (MD_STD_SEC::validateAntiCsrfToken() === false) {
throw new MDWrongCsrfTokenException(); throw new MDWrongCsrfTokenException();
} }