Lots of things ;-) #6

Merged
merged 46 commits into from Nov 14, 2018
security: add protection against XSRF (Cross Site Request Forgery) on all POST requests
max-weller committed Nov 7, 2018
commit bdeff81bd4baff9463d46b90fb1889e7ac7ec4ed
@@ -2,13 +2,28 @@
class login
{
private $database;
public $token;
function __construct ($database)
{
if (session_id() == "") session_start();
if (empty($_SESSION['token'])) {
if (function_exists('mcrypt_create_iv')) {
$_SESSION['token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
} else {
$_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
}
}
$this->database = $database;
}
function xsrfCheck() {
if ($_POST['xsrf_token'] !== $_SESSION['token']) {
http_response_code(403);
throw new Exception("XSRF Token missing or mismatch");
}
}
function isLoggedIn ()
{
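Review bot: in xsrfCheck(), `$_POST['xsrf_token']` is read without an isset() guard, so a POST that omits the field raises an undefined-index notice before the 403 is sent, and the `!==` comparison is not constant-time. Suggest `if (!isset($_POST['xsrf_token']) || !hash_equals($_SESSION['token'], $_POST['xsrf_token']))`. In the constructor, `mcrypt_create_iv()` is deprecated since PHP 7.1 and the `openssl_random_pseudo_bytes()` fallback ignores its `$crypto_strong` out-parameter; on PHP 7+ `random_bytes(32)` replaces both branches.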
@@ -22,6 +22,15 @@
exit;
}
if (count($_POST)) {
try {
$login->xsrfCheck();
} catch(Exception $ex) {
$json->print_exception($ex);
exit;
}
}
if(!$login->isLoggedIn())
// THE USER IS NOT LOGGED IN
{
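Review bot: the gate `if (count($_POST))` skips the check for a POST whose body is empty or not form-encoded (for example a JSON body), because `$_POST` is then empty; keying the check on `$_SERVER['REQUEST_METHOD'] === 'POST'` covers every POST as the commit message states. Running the check before `isLoggedIn()` is correct, since the token is created in the constructor and the login form itself is then protected too.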
@@ -36,6 +36,7 @@ function updateHash(hash) {
}

function apiPost(functionCall, postParameters, callbackFunction) {
postParameters['xsrf_token'] = window.xsrf_token;
new Ajax.Request(baseurl+"?p="+encodeURIComponent(functionCall),
{
method:"post",
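Review bot: `postParameters['xsrf_token'] = window.xsrf_token;` writes into the caller's object, so any code that reuses that object afterwards sees the added field; building a copy (`Object.assign({}, postParameters, {xsrf_token: window.xsrf_token})`) avoids the side effect. It also assumes `window.xsrf_token` is already defined when apiPost runs; if this script is loaded before the inline `<script>` that sets it, the request carries `undefined` and is rejected with a 403.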
@@ -13,6 +13,7 @@
<?php
echo "var userlevel='".$_SESSION['level']."';\n";
echo "var myUserId='".$_SESSION['userId']."';\n";
echo "var xsrf_token='".$_SESSION['token']."';\n";
?>
</script>
<link rel="stylesheet" href="vendor/bootstrap/css/bootstrap.min.css">
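Review bot: the new line splices the token into a JavaScript string literal by concatenation with no escaping, matching the two pre-existing lines above it. The token is hex, so it is safe here, but `$_SESSION['level']` and `$_SESSION['userId']` are not guaranteed to be; emitting all three with `json_encode()` (`echo "var xsrf_token=".json_encode($_SESSION['token']).";\n";`) keeps them consistent and escape-safe.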