

Add port handling to the CSRF check (fixes #54)
pageer committed Oct 8, 2023
1 parent 4a74231 commit 978b7f5
Showing 2 changed files with 58 additions and 6 deletions.
12 changes: 10 additions & 2 deletions lib/BasePages.php
Expand Up @@ -229,10 +229,18 @@ protected function validateOriginHeaders($server_vars) {
$target_origin_domain = $server_vars['HTTP_X_FORWARDED_HOST'];
}

$parse = function ($url) {
$parsed_data = parse_url($url);
$domain = $parsed_data['host'];
if (isset($parsed_data['port'])) {
$domain .= ':' . $parsed_data['port'];
}
return $domain;
};
if (!empty($server_vars['HTTP_ORIGIN'])) {
$source_origin_domain = parse_url($server_vars['HTTP_ORIGIN'], PHP_URL_HOST);
$source_origin_domain = $parse($server_vars['HTTP_ORIGIN']);
} elseif (!empty($server_vars['HTTP_REFERER'])) {
$source_origin_domain = parse_url($server_vars['HTTP_REFERER'], PHP_URL_HOST);
$source_origin_domain = $parse($server_vars['HTTP_REFERER']);
}

if (!$source_origin_domain && $this->shouldBlockOnMissingOrigin()) {
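Review bot: The new `$parse` closure reads `$parsed_data['host']` without checking that parse_url() succeeded or produced a host, so an Origin or Referer value that is not an absolute URL (the literal `null` sent for opaque origins, a bare hostname, a malformed string) makes parse_url() return false or omit `host`, and the read emits a warning before `$domain` ends up null; the replaced `parse_url(..., PHP_URL_HOST)` returned null quietly in those cases. Guard it so the existing `!$source_origin_domain` branch below keeps handling that path: `$parsed_data = parse_url($url); if ($parsed_data === false || !isset($parsed_data['host'])) { return null; }`. Because the comparison is now host-plus-port on both sides, an Origin that omits a default port (`https://example.com`) will no longer match a Host header carrying `:443`; the added test named WhenValidButOnlyHostHasPort suggests that is intended, but a one-line comment on the closure saying so would save the next reader from treating it as a bug. validateOriginHeaders starts before and continues past this hunk, so the target-side handling of HTTP_X_FORWARDED_HOST is not visible here.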
52 changes: 48 additions & 4 deletions tests/unit/pages/BasePagesTest.php
Expand Up @@ -87,10 +87,6 @@ public function testRouteRequest_WhenActionIsNotInMap_CallsDefaultAction() {
$this->assertEquals('defaultAction', $this->page->method_called);
}

public function testRouteRequest_WhenActionIsScript_ReadsFileToOutput() {

}

public function testRouteRequest_WhenPostAndNoToken_ReturnsBadRequest() {
$_POST = ['foo' => 'bar'];
$_SERVER['HTTP_HOST'] = 'somedomain.com';
Expand Down Expand Up @@ -138,6 +134,54 @@ public function testRouteRequest_WhenPostAndTokenValid_ReturnsSuccess() {
$this->page->routeRequest();
}

public function testRouteRequest_WhenPostAndTokenValidWithPortInUrl_ReturnsSuccess() {
$token = $this->page->getCsrfToken();
$_POST = ['foo' => 'bar', BasePages::TOKEN_POST_FIELD => $token];
$_SERVER['HTTP_HOST'] = 'somedomain.com:1234';
$_SERVER['HTTP_ORIGIN'] = 'http://somedomain.com:1234/test';
$this->page->action_map = array('thing1' => 'thing2');

$this->page_mock->error(400)->shouldNotBeCalled();

$this->page->routeRequest();
}

public function testRouteRequest_WhenValidButPortInUrlDoesNotMatch_ReturnsBadRequest() {
$token = $this->page->getCsrfToken();
$_POST = ['foo' => 'bar', BasePages::TOKEN_POST_FIELD => $token];
$_SERVER['HTTP_HOST'] = 'somedomain.com:1234';
$_SERVER['HTTP_ORIGIN'] = 'http://somedomain.com:5678/test';
$this->page->action_map = array('thing1' => 'thing2');

$this->page_mock->error(400)->shouldBeCalled();

$this->page->routeRequest();
}

public function testRouteRequest_WhenValidButOnlyOriginHasPort_ReturnsBadRequest() {
$token = $this->page->getCsrfToken();
$_POST = ['foo' => 'bar', BasePages::TOKEN_POST_FIELD => $token];
$_SERVER['HTTP_HOST'] = 'somedomain.com';
$_SERVER['HTTP_ORIGIN'] = 'http://somedomain.com:5678/test';
$this->page->action_map = array('thing1' => 'thing2');

$this->page_mock->error(400)->shouldBeCalled();

$this->page->routeRequest();
}

public function testRouteRequest_WhenValidButOnlyHostHasPort_ReturnsBadRequest() {
$token = $this->page->getCsrfToken();
$_POST = ['foo' => 'bar', BasePages::TOKEN_POST_FIELD => $token];
$_SERVER['HTTP_HOST'] = 'somedomain.com:1234';
$_SERVER['HTTP_ORIGIN'] = 'http://somedomain.com/test';
$this->page->action_map = array('thing1' => 'thing2');

$this->page_mock->error(400)->shouldBeCalled();

$this->page->routeRequest();
}

public function testRouteRequest_WhenPostNoTokenRouteWhitelisted_ReturnsSuccess() {
$token = $this->page->getCsrfToken();
$_POST = ['foo' => 'bar'];
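Review bot: The four new cases set only HTTP_ORIGIN, so the HTTP_REFERER branch of validateOriginHeaders, which now goes through the same `$parse` closure, has no port-matching coverage; a case mirroring testRouteRequest_WhenPostAndTokenValidWithPortInUrl_ReturnsSuccess that sets `$_SERVER['HTTP_REFERER'] = 'http://somedomain.com:1234/test';` and leaves HTTP_ORIGIN unset (assuming the fixture clears `$_SERVER` between tests, which is not visible here) would close that gap. Style: each new test writes `$this->page->action_map = array('thing1' => 'thing2');` while the surrounding file uses short array syntax two lines above, so `$this->page->action_map = ['thing1' => 'thing2'];` keeps the file consistent. The four bodies differ only in the two `$_SERVER` values and the error expectation; a data provider feeding one test would reduce the duplication.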
