
Commit 4a6e0e1

committed
Implement CSRF token by default
Implement CSRF protection on CMS for postback handling
1 parent 08989ff commit 4a6e0e1


2 files changed

+30
-1
lines changed


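--- a/config/cms.php
+++ b/config/cms.php
@@ -332,7 +332,7 @@
 |
 */
 
-'enableCsrfProtection' => false,
+'enableCsrfProtection' => true,
 
 /*
 |--------------------------------------------------------------------------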

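--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@@ -337,6 +337,7 @@ public function runPage($page, $useAjax = true)
 if (
 $useAjax &&
 ($handler = post('_handler')) &&
+($this->verifyCsrfToken()) &&
 ($handlerResponse = $this->runAjaxHandler($handler)) &&
 $handlerResponse !== true
 ) {
@@ -1355,4 +1356,32 @@ protected function setComponentPropertiesFromParams($component, $parameters = []
 }
 }
 }
+
+//
+// Security
+//
+
+/**
+* Checks the request data / headers for a valid CSRF token.
+* Returns false if a valid token is not found. Override this
+* method to disable the check.
+* @return bool
+*/
+protected function verifyCsrfToken()
+{
+if (!Config::get('cms.enableCsrfProtection')) {
+return true;
+}
+
+if (in_array(Request::method(), ['HEAD', 'GET', 'OPTIONS'])) {
+return true;
+}
+
+$token = Request::input('_token') ?: Request::header('X-CSRF-TOKEN');
+
+return hash_equals(
+Session::token(),
+$token
+);
+}
 }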
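Review bot: In verifyCsrfToken, `$token` is null when the request carries neither `_token` nor the `X-CSRF-TOKEN` header, and `hash_equals()` does not accept null for its second argument (a warning plus false on PHP 7, a TypeError on PHP 8), so the missing-token case is not the clean false the docblock promises; `return is_string($token) && hash_equals(Session::token(), $token);` covers it. Note also that `?:` discards a token of `'0'` and `in_array()` is called without `strict: true`, both minor but worth tightening. Separately, the new `($this->verifyCsrfToken()) &&` in runPage makes a rejected token silently skip the AJAX handler and fall through to normal page rendering, so the client never learns the request was refused and the rejection leaves no trace for logging; returning an explicit error response (or throwing) on verification failure would make the protection observable. The enclosing runPage body continues outside the hunk.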
