Fix bug in crsf token handling
phpcs-errors:238 phpunit-status:successful
parent
c8cce85893
commit
ef638ee9c4
|
@ -258,11 +258,11 @@ function identical_values(array $arrayA, array $arrayB):bool {
|
||||||
*/
|
*/
|
||||||
function getAntiCsrfToken():string {
|
function getAntiCsrfToken():string {
|
||||||
|
|
||||||
if (empty($_SESSION['anti-csrf-token'])) {
|
if (empty($_SESSION['csrf-token'])) {
|
||||||
$_SESSION['anti-csrf-token'] = bin2hex(random_bytes(32));
|
$_SESSION['csrf-token'] = bin2hex(random_bytes(32));
|
||||||
}
|
}
|
||||||
|
|
||||||
return $_SESSION['anti-csrf-token'];
|
return $_SESSION['csrf-token'];
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -275,14 +275,15 @@ function getAntiCsrfToken():string {
|
||||||
function validateAntiCsrfToken():bool {
|
function validateAntiCsrfToken():bool {
|
||||||
|
|
||||||
$validity = false;
|
$validity = false;
|
||||||
if (!empty($_POST['anti-csrf-token'])
|
if (!empty($_POST['csrf-token'])
|
||||||
&& !empty($_SESSION['anti-csrf-token'])
|
&& !empty($_SESSION['csrf-token'])
|
||||||
&& hash_equals($_SESSION['anti-csrf-token'], $_POST['anti-csrf-token']) === true
|
&& hash_equals($_SESSION['csrf-token'], $_POST['csrf-token']) === true
|
||||||
) {
|
) {
|
||||||
$validity = true;
|
$validity = true;
|
||||||
}
|
}
|
||||||
$_SESSION['anti-csrf-token'] = null; unset($_SESSION['anti-csrf-token']);
|
$_SESSION['csrf-token'] = null; unset($_SESSION['csrf-token']);
|
||||||
|
|
||||||
return $validity;
|
return $validity;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
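Review bot: The renamed check at lines 76–88 still passes a raw `$_POST['csrf-token']` into `hash_equals()`, and `!empty()` does not reject a non-string — a request sent as `csrf-token[]=x` reaches `hash_equals()` with an array, which on PHP 8 throws a TypeError (an uncaught 500 rather than the clean WrongCsrfTokenException the callers expect; on PHP 7 it only warns and returns false). Add a type guard to the condition, e.g. `&& is_string($_POST['csrf-token'])` after the `!empty($_POST['csrf-token'])` line, so malformed input fails closed the same way a wrong token does. The session token is then cleared unconditionally at 106/108, which is fine as a single-use design but means a single bad submission invalidates the token for every other open form in the session — worth a one-line comment there, e.g. `// token is single-use: cleared on success and on failure`.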
@ -6,6 +6,10 @@ $target = "csv/";
|
||||||
$target .= basename($_FILES['uploaded']['name']);
|
$target .= basename($_FILES['uploaded']['name']);
|
||||||
$targetpart = basename($_FILES['uploaded']['name']);
|
$targetpart = basename($_FILES['uploaded']['name']);
|
||||||
|
|
||||||
|
if (session_status() != PHP_SESSION_ACTIVE) {
|
||||||
|
session_start();
|
||||||
|
}
|
||||||
|
|
||||||
if (validateAntiCsrfToken() === false) {
|
if (validateAntiCsrfToken() === false) {
|
||||||
throw new WrongCsrfTokenException();
|
throw new WrongCsrfTokenException();
|
||||||
}
|
}
|
||||||
|
|
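Review bot: The new session bootstrap at line 150 lands after `$_FILES['uploaded']['name']` has already been read into `$target` and `$targetpart` at 136–141; nothing is done with those values before the CSRF gate, but placing the `session_start()` block and the `validateAntiCsrfToken()` check at the very top of the handler, ahead of any request-derived data, makes the fail-closed ordering explicit and keeps later additions from slipping in before the check. While there, use strict comparison, `if (session_status() !== PHP_SESSION_ACTIVE) {`, consistent with the `=== false` used on the validation result at 164/166. The rest of the upload script is outside the hunk, so whether the upload is moved only after this point cannot be confirmed from here.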