Merge pull request #17 from eflorea/improve-csrf

improve csrf check
eflorea · Mar 23, 2018 · 424dbb7 · 424dbb7
2 parents b71faa1 + 6d4d771
commit 424dbb7
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 17 deletions.
diff --git a/src/RPC/HTTP/Request.php b/src/RPC/HTTP/Request.php
@@ -495,9 +495,13 @@ public function getHostName()
 	 */
 	public function validateCSRF( $method = 'post' )
 	{
-		if( $this->getMethod() == $method && @$this->{$method}['csrf_token'] !== \RPC\Util::csrf() )
+		if( $this->getMethod() == $method )
 		{
-            throw new \Exception( 'Token was not found. Please go back and refresh your page. Token: ' . @$this->{$method}['csrf_token'] );
+			$csrf_token_pieces = explode( '_', @$this->{$method}['csrf_token'] );
+			if( count( $csrf_token_pieces ) != 2 ||
+				$csrf_token_pieces[1] !== \RPC\Util::csrf( $csrf_token_pieces[0] ) ) {
+            	throw new \Exception( 'Token was not found. Please go back and refresh your page. Token: ' . @$this->{$method}['csrf_token'] );
+        	}
 		}
 
 		return true;

diff --git a/src/RPC/Util.php b/src/RPC/Util.php
@@ -269,22 +269,17 @@ public static function generatePasswordAdvanced( $length = 8, $allow_uppercase =
 		return $password;
 	}
 
-
-	public static function csrf()
+	/**
+	 * Retrieve or set session cookie for csrf_token based on name 
+	 */
+	public static function csrf( $name = 'general' )
 	{
-		$filename = CACHE_PATH . '/' . 'csrf_token.txt';
-
-		if( is_readable( $filename ) &&
-		    ( time() - filemtime( $filename ) ) < ( 3600* 48 ) )
+		if( ! isset( $_SESSION['csrf_token_' . $name] ) )
 		{
-			return file_get_contents( $filename );
+			$_SESSION['csrf_token_' . $name] = md5( $name . session_id() . rand() );
 		}
 
-		$token = self::generatePronouncablePassword( 8 );
-
-		file_put_contents( $filename, $token );
-
-		return $token;
+		return $_SESSION['csrf_token_' . $name];
 	}
 
 	/**

diff --git a/src/RPC/View/Filter/Form.php b/src/RPC/View/Filter/Form.php
@@ -75,10 +75,8 @@ public function filter( $source )
 		}
 
 		$regex  = new \RPC\Regex( '/<form.*?method="([^"]+)".*?(?<!\?)>/' );
-		$csrf_token = \RPC\Registry::get('csrf_token');
-		$source = $regex->replace( $source, '${0}<?php $form = new \RPC\View\Filter\Form; ?><?php $form->setMethod( \'${1}\' ); ?><input type="hidden" name="csrf_token" value="<?php echo $csrf_token; ?>">' );
+		$source = $regex->replace( $source, '${0}<?php $form = new \RPC\View\Filter\Form; ?><?php $form->setMethod( \'${1}\' ); if( strtolower( \'${1}\' ) === \'post\' ): $csrf_token_name = md5( $_SERVER[\'REQUEST_URI\'] ); ?><input type="hidden" name="csrf_token" value="<?php echo $csrf_token_name; ?>_<?php echo \RPC\Util::csrf( $csrf_token_name ); ?>"><?php endif; ?>' );
 
-		//$source = parent::filter( $source );
 
 		return $source;
 	}