Skip to content
Permalink
Browse files

EZP-30161: Handle form token in both custom and also for historical r…

…easons default value (#1431)

* EZP-30161: Handle form token in both custom and also for historical reasons default value

Since 5.0 FormToken code has been operating in two modes:
- Default pure legacy mode using `ezxform_token` as form name
- Symfony mode using `_token` as form name

Hoewever quite some legacy code hard codes the default name.
In 5.x this inconsistancy was solved by setting Symfony to use `field_name: ezxform_token`

For Platform + legacy bridge that is no longer a good default, so this changes the logic
so that ezxFormToken is cable of handling both at the same time.

* Apply suggestions from code review

Co-Authored-By: Gunnstein Lye <gunnstein.lye@ez.no>
  • Loading branch information...
andrerom and glye committed May 14, 2019
1 parent c6f37e6 commit fd3b34c7e672b1fd906b1b4089f242cab4aa7df5
Showing with 20 additions and 6 deletions.
  1. +20 −6 extension/ezformtoken/event/ezxformtoken.php
@@ -38,7 +38,7 @@ class ezxFormToken
static protected $intention = 'legacy';
/**
* @var string
* @var string Custom Form field, by default set to system default form field (self::FORM_FIELD).
*/
static protected $formField = self::FORM_FIELD;
@@ -90,6 +90,8 @@ static public function setIntention( $intention )
}
/**
* Get the custom form field.
*
* @return string
*/
static protected function getFormField()
@@ -98,6 +100,8 @@ static protected function getFormField()
}
/**
* Set the custom form field.
*
* @param string $formField
*/
static public function setFormField( $formField )
@@ -137,6 +141,11 @@ static public function input( eZURI $uri )
{
$token = $_POST[self::getFormField()];
}
// For historical reasons also check the system default form field
else if ( !empty( $_POST[self::FORM_FIELD] ) )
{
$token = $_POST[self::FORM_FIELD];
}
// allow ajax calls using POST with other formats than forms (such as
// json or xml) to still validate using a custom http header
else if ( !empty( $_SERVER['HTTP_X_CSRF_TOKEN'] ) )
@@ -188,19 +197,22 @@ static public function output( $templateResult, $filterForms = true )
}
$token = self::getToken();
$field = self::getFormField();
$customfield = self::getFormField();
$defaultField = self::FORM_FIELD;
$replaceKey = self::REPLACE_KEY;
eZDebugSetting::writeDebug( 'ezformtoken', 'Output protected (all forms will be modified)', __METHOD__ );
// Inject token for programmatical use (also system default for historical reasons)
// If document has head tag, insert in a html5 valid and semi standard way
if ( strpos( $templateResult, '<head>' ) !== false )
{
$templateResult = str_replace(
'<head>',
"<head>\n"
. "<meta name=\"csrf-param\" content=\"{$field}\" />\n"
. "<meta name=\"csrf-token\" id=\"{$field}_js\" title=\"{$token}\" content=\"{$token}\" />\n",
. "<meta name=\"csrf-param\" content=\"{$customfield}\" />\n"
. "<meta name=\"csrf-token\" id=\"{$customfield}_js\" title=\"{$token}\" content=\"{$token}\" />\n"
. ($defaultField !== $customfield ? "<meta name=\"csrf-token-x\" id=\"{$defaultField}_js\" title=\"{$token}\" content=\"{$token}\" />\n" : ''),
$templateResult
);
}
@@ -209,16 +221,18 @@ static public function output( $templateResult, $filterForms = true )
{
$templateResult = preg_replace(
'/(<body[^>]*>)/i',
'\\1' . "\n<span style='display:none;' id=\"{$field}_js\" title=\"{$token}\"></span>\n",
'\\1' . "\n<span style='display:none;' id=\"{$customfield}_js\" title=\"{$token}\"></span>\n"
. ($defaultField !== $customfield ? "\n<span style='display:none;' id=\"{$defaultField}_js\" title=\"{$token}\"></span>\n" : ''),
$templateResult
);
}
// For forms we set the custom field which will be sent back to this class and evaluated
if ( $filterForms )
{
$templateResult = preg_replace(
'/(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)/i',
'\\1' . "\n<input type=\"hidden\" name=\"{$field}\" value=\"{$token}\" />\n",
'\\1' . "\n<input type=\"hidden\" name=\"{$customfield}\" value=\"{$token}\" />\n",
$templateResult
);
}

0 comments on commit fd3b34c

Please sign in to comment.
You can’t perform that action at this time.