# Conflicts: # CHANGELOG.md # core-bundle/src/Resources/contao/config/constants.php # core-bundle/src/Resources/contao/languages/cs/default.xlf # core-bundle/src/Resources/contao/languages/cs/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/de/default.xlf # core-bundle/src/Resources/contao/languages/de/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/es/default.xlf # core-bundle/src/Resources/contao/languages/es/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/fa/default.xlf # core-bundle/src/Resources/contao/languages/fa/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/fr/default.xlf # core-bundle/src/Resources/contao/languages/fr/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/it/default.xlf # core-bundle/src/Resources/contao/languages/it/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/ja/default.xlf # core-bundle/src/Resources/contao/languages/ja/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/nl/default.xlf # core-bundle/src/Resources/contao/languages/nl/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/pl/default.xlf # core-bundle/src/Resources/contao/languages/pl/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/ru/default.xlf # core-bundle/src/Resources/contao/languages/ru/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/sl/default.xlf # core-bundle/src/Resources/contao/languages/sl/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/sr/default.xlf # core-bundle/src/Resources/contao/languages/sr/tl_opt_in.xlf # core-bundle/src/Resources/contao/languages/zh/default.xlf # core-bundle/src/Resources/contao/languages/zh/tl_opt_in.xlf
Showing
35 changed files
with
847 additions
and
222 deletions.
@@ -0,0 +1,111 @@ | ||
<?php | ||
|
||
declare(strict_types=1); | ||
|
||
/* | ||
* This file is part of Contao. | ||
* | ||
* (c) Leo Feyer | ||
* | ||
* @license LGPL-3.0-or-later | ||
*/ | ||
|
||
namespace Contao\CoreBundle\EventListener; | ||
|
||
use Contao\Config; | ||
use Contao\CoreBundle\Exception\InvalidRequestTokenException; | ||
use Contao\CoreBundle\Framework\ContaoFramework; | ||
use Contao\CoreBundle\Routing\ScopeMatcher; | ||
use Symfony\Component\HttpKernel\Event\GetResponseEvent; | ||
use Symfony\Component\Security\Csrf\CsrfToken; | ||
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface; | ||
|
||
/** | ||
* Validates the request token if the request is a Contao request. | ||
*/ | ||
class RequestTokenListener | ||
{ | ||
/** | ||
* @var ContaoFramework | ||
*/ | ||
private $framework; | ||
|
||
/** | ||
* @var ScopeMatcher | ||
*/ | ||
private $scopeMatcher; | ||
|
||
/** | ||
* @var CsrfTokenManagerInterface | ||
*/ | ||
private $csrfTokenManager; | ||
|
||
/** | ||
* @var string | ||
*/ | ||
private $csrfTokenName; | ||
|
||
public function __construct(ContaoFramework $framework, ScopeMatcher $scopeMatcher, CsrfTokenManagerInterface $csrfTokenManager, string $csrfTokenName) | ||
{ | ||
$this->framework = $framework; | ||
$this->scopeMatcher = $scopeMatcher; | ||
$this->csrfTokenManager = $csrfTokenManager; | ||
$this->csrfTokenName = $csrfTokenName; | ||
} | ||
|
||
/** | ||
* @throws InvalidRequestTokenException | ||
*/ | ||
public function onKernelRequest(GetResponseEvent $event): void | ||
{ | ||
$request = $event->getRequest(); | ||
|
||
// Only check the request token if a) the request is a POST request, b) | ||
// the request is not an Ajax request, c) the _token_check attribute is | ||
// not false and d) the _token_check attribute is set or the request is | ||
// a Contao request | ||
if ( | ||
'POST' !== $request->getRealMethod() | ||
|| $request->isXmlHttpRequest() | ||
|| false === $request->attributes->get('_token_check') | ||
|| (!$request->attributes->has('_token_check') && !$this->scopeMatcher->isContaoRequest($request)) | ||
) { | ||
return; | ||
} | ||
|
||
/** @var Config $config */ | ||
$config = $this->framework->getAdapter(Config::class); | ||
|
||
if (\defined('BYPASS_TOKEN_CHECK')) { | ||
@trigger_error('Defining the BYPASS_TOKEN_CHECK constant has been deprecated and will no longer work in Contao 5.0.', E_USER_DEPRECATED); | ||
|
||
return; | ||
} | ||
|
||
if ($config->get('disableRefererCheck')) { | ||
@trigger_error('Using the "disableRefererCheck" setting has been deprecated and will no longer work in Contao 5.0.', E_USER_DEPRECATED); | ||
|
||
return; | ||
} | ||
|
||
if ($config->get('requestTokenWhitelist')) { | ||
@trigger_error('Using the "requestTokenWhitelist" setting has been deprecated and will no longer work in Contao 5.0.', E_USER_DEPRECATED); | ||
|
||
$hostname = gethostbyaddr($request->getClientIp()); | ||
|
||
foreach ($config->get('requestTokenWhitelist') as $domain) { | ||
if ($domain === $hostname || preg_match('/\.' . preg_quote($domain, '/') . '$/', $hostname)) { | ||
return; | ||
} | ||
} | ||
} | ||
|
||
$token = new CsrfToken($this->csrfTokenName, $request->request->get('REQUEST_TOKEN')); | ||
|
||
if ($this->csrfTokenManager->isTokenValid($token)) { | ||
return; | ||
} | ||
|
||
throw new InvalidRequestTokenException('Invalid CSRF token. Please reload the page and try again.'); | ||
} | ||
} |
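Review bot: `new CsrfToken($this->csrfTokenName, $request->request->get('REQUEST_TOKEN'))` hands whatever the request body carries straight to a string-typed constructor under `declare(strict_types=1)`; a missing field (null) or a repeated field (`REQUEST_TOKEN[]`, which the parameter bag may return as an array depending on the Symfony version) would presumably surface as a TypeError (500) rather than the intended InvalidRequestTokenException. A guard such as `$value = $request->request->get('REQUEST_TOKEN'); if (!\is_string($value) || !$this->csrfTokenManager->isTokenValid(new CsrfToken($this->csrfTokenName, $value))) { throw new InvalidRequestTokenException('Invalid CSRF token. Please reload the page and try again.'); }` keeps the failure mode a clean rejection. The deprecated `requestTokenWhitelist` branch also skips the check based on the reverse DNS name of `getClientIp()` without a forward lookup, and `gethostbyaddr()` can return the bare IP or false (and `getClientIp()` can be null), so that branch deserves a why-comment like `// Reverse DNS is not forward-confirmed and the PTR record is outside our control; kept only for backwards compatibility until the setting is removed`. The `isXmlHttpRequest()` exemption would likewise benefit from stating its rationale, e.g. `// Cross-origin requests cannot set X-Requested-With without a CORS preflight`, so a later CORS change is recognised as affecting CSRF protection.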