Added CSRF token protection
Peter Featherstone committed May 22, 2017
1 parent b08009a commit 439a640
Showing 4 changed files with 12 additions and 3 deletions.
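--- a/app/Controllers/AdminController.php
+++ b/app/Controllers/AdminController.php
@@ -37,10 +37,13 @@ public function rebuild($nav_menus, $location_menus) {
 );
 }
 
-public function update($new_options, $nav_menus, $location_menus) {
+public function update($valid_nonce, $new_options, $nav_menus, $location_menus) {
 $validator = new Validator();
 $errors = [];
-if($validator->validate($new_options)):
+if(!$valid_nonce):
+$alert = ['danger' => 'CSRF token not valid'];
+$options = new OptionsCollection($new_options);
+elseif($validator->validate($new_options)):
 try {
 $options = $this->manager->updateOptions($new_options);
 $task = new UpdateOptionsTask;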
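Review bot: When `$valid_nonce` is false the new branch still executes `$options = new OptionsCollection($new_options);`, wrapping the body of the rejected request and carrying on to whatever rendering follows, so values chosen by a forged POST are reflected back into the admin page (harmless only if the template escapes every field). On a failed token check it is safer to discard the submission entirely and rebuild `$options` from the stored settings, which `$this->manager` may be able to supply, or have the caller pass them in. `$valid_nonce` is whatever `wp_verify_nonce()` returned (1, 2 or false), so `!$valid_nonce` is correct, but a docblock line such as `@param int|false $valid_nonce result of wp_verify_nonce(); falsy means the token check failed` would make the contract explicit for other callers, all of which must now pass the new leading argument. The body of update() continues past the end of the hunk.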
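--- a/config/routing.php
+++ b/config/routing.php
@@ -30,7 +30,8 @@ function() {
 update_option('responsive_menu_current_page', $_POST['responsive-menu-current-page']);
 
 if(isset($_POST['responsive-menu-submit'])):
-echo $controller->update($_POST['menu'], $menus_array, $location_menus);
+$valid_nonce = wp_verify_nonce($_POST['responsive-menu-nonce'], 'update');
+echo $controller->update($valid_nonce, $_POST['menu'], $menus_array, $location_menus);
 elseif(isset($_POST['responsive-menu-reset'])):
 echo $controller->reset(get_responsive_menu_default_options(), $menus_array, $location_menus);
 elseif(isset($_POST['responsive-menu-import'])):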
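Review bot: The nonce is verified only on the `responsive-menu-submit` branch; the `responsive-menu-reset` and `responsive-menu-import` branches below it, and the `update_option('responsive_menu_current_page', $_POST[...])` write at the top of the hunk, still act on raw `$_POST` with no token, so a forged POST can still reset or import settings. Hoist the check above the branch chain, e.g. `$valid_nonce = wp_verify_nonce($_POST['responsive-menu-nonce'] ?? '', 'update');` before the `update_option()` call (or an `isset()` fallback if PHP 5 must be supported), and gate every branch on it; the fallback also avoids an undefined-index notice when the field is absent. A nonce proves intent, not authorisation, so a `current_user_can(...)` capability check should exist on this route as well; none is visible in the hunk. The enclosing closure starts before the hunk.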
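--- a/config/twig.php
+++ b/config/twig.php
@@ -25,6 +25,10 @@
 return $items;
 }));
 
+$twig->addFunction(new Twig_SimpleFunction('csrf', function() {
+return wp_nonce_field('update', 'responsive-menu-nonce', true, false);
+}));
+
 $twig->addFunction(new Twig_SimpleFunction('build_menu', function($env, $options) {
 
 $translator = $env->getFilter('translate')->getCallable();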
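Review bot: `wp_nonce_field()` returns raw HTML (`<input type="hidden" …>`), and a `Twig_SimpleFunction` registered without `['is_safe' => ['html']]` has its return value auto-escaped when the environment's autoescape is on, in which case the token input is rendered as literal text and every submit fails the nonce check; if autoescape is enabled for this environment (not visible here), register it as `new Twig_SimpleFunction('csrf', function() { … }, ['is_safe' => ['html']])`. The action string `'update'` is generic; WordPress nonces are bound to the action name, so a plugin-specific action such as `'responsive-menu-update'` (changed in lockstep with the `wp_verify_nonce()` call in config/routing.php) keeps this token from validating against any other form that happens to use `'update'`.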
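--- a/views/admin/main.html.twig
+++ b/views/admin/main.html.twig
@@ -1,5 +1,6 @@
 <div class='container-fluid'>
 <form class='form-horizontal form-inline' id='responsive-menu-form' action='' method='post' enctype='multipart/form-data'>
+{{ csrf() }}
 {% include 'admin/alerts.html.twig' %}
 {% include 'admin/tabs.html.twig' %}
 <div id='options-area'>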
