
Added support for CSRF tokens.

commit bf81103c91cb74bea1e5ee4de71242192682c703 1 parent ff73acb
Neal Poole authored
1  index.php
@@ -80,6 +80,7 @@
echo cssLoadTemplate('themes/main-all.css');
echo jsCallTemplate($jsVar);
+echo jsCallTemplate('var csrfToken = "' . $_SESSION['csrfToken'] . '";');
// ExtJs Javascript core files
echo jsCallTemplate('document.getElementById("loading-msg").innerHTML = "Loading Core API...";');
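Review bot: The session token at the added line is concatenated straight into a JavaScript string literal; that is safe only because the value happens to be a sha1 hex digest, and that assumption lives in another file (php/AccountManager.php). Encode it for the JS context and handle the pre-login case where `$_SESSION['csrfToken']` is not yet set (currently an undefined-index notice and `var csrfToken = "";`): `echo jsCallTemplate('var csrfToken = ' . json_encode(isset($_SESSION['csrfToken']) ? $_SESSION['csrfToken'] : '') . ';');`. The surrounding script continues outside the hunk.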
7 js/main.js
@@ -44,6 +44,11 @@ var PhDOE = function()
{
// We load the configuration for this user
new ui.task.LoadConfigTask();
+
+ // Set up automatic CSRF token appending for most requests
+ Ext.Ajax.extraParams = { csrfToken: csrfToken };
+ Ext.data.Connection.prototype.extraParams = { csrfToken: csrfToken };
+ Ext.data.ScriptTagProxy.prototype.extraParams = { csrfToken: csrfToken };
},
notify : function (type, title, message) {
@@ -731,4 +736,4 @@ var PhDOE = function()
}; // Return
}();
-Ext.EventManager.onDocumentReady(PhDOE.init, PhDOE, true);
+Ext.EventManager.onDocumentReady(PhDOE.init, PhDOE, true);
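Review bot: The three `extraParams` assignments in the first hunk attach the token to every outgoing request, not only state-changing POSTs, so it travels in GET query strings (server logs, browser history, Referer headers), and since `Ext.data.ScriptTagProxy` is Ext's cross-domain script-tag transport, any proxy configured against another origin would hand the token to that origin. Consider restricting the automatic token to POST (for example in an `Ext.Ajax.on('beforerequest', ...)` handler) and dropping the ScriptTagProxy line unless every proxy is same-origin. The lines also assume the global `csrfToken` was emitted by index.php; if that script tag is absent, this method throws a ReferenceError, so a guard such as `if (typeof csrfToken !== 'undefined')` with a comment on where the global comes from would make the dependency explicit. Setting `Ext.data.Connection.prototype.extraParams` appears to overlap with the `Ext.Ajax.extraParams` line, since `Ext.Ajax` is itself a Connection; the second hunk is a trailing-newline change only. The enclosing method starts outside the hunk.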
3  js/util.js
@@ -65,6 +65,7 @@ function XHR(config)
config.url = './do/' + config.params.task;
delete config.params.task;
+ config.params = Ext.applyIf({csrfToken: csrfToken}, config.params);
config.failure = config.success = Ext.emptyFn;
config.callback = function(options, success, response)
{
@@ -91,4 +92,4 @@ function XHR(config)
};
Ext.Ajax.request(config);
-}
+}
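Review bot: `Ext.applyIf({csrfToken: csrfToken}, config.params)` has its arguments reversed from the usual `Ext.applyIf(target, defaults)` shape, so the effect is that the global token always overrides any caller-supplied `csrfToken` and `config.params` is replaced by a fresh object rather than extended. That may be intended, but it reads as a slip; either add `// global token deliberately overrides any caller-supplied csrfToken` or switch to `config.params = Ext.applyIf(config.params, {csrfToken: csrfToken});` and say which is meant. It also duplicates the `Ext.Ajax.extraParams` set in js/main.js, so a one-line comment naming which mechanism is authoritative would help the next reader. The second hunk is a trailing-newline change only; `XHR` starts and ends outside the hunk.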
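--- a/php/AccountManager.php
+++ b/php/AccountManager.php
@@ -301,7 +301,12 @@ public function login($project, $vcsLogin, $vcsPasswd, $email, $lang='en')
 } else {
 $cookieLogin = $_SESSION['vcsLogin'];
 }
-
+
+ // We set up the CSRF token
+ $_SESSION['csrfToken'] = sha1(uniqid(rand(), true));
+
+ // Store some user info in cookies: we can use this to pre-fill the
+ // login page if the user's session expires.
 setcookie("loginApp", $cookieLogin, time() + 3600*24*365, "/"); // One year ;)
 setcookie("email", $email, time() + 3600*24*365, "/");
 setcookie("lang", $this->vcsLang, time() + 3600*24*365, "/");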
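Review bot: `sha1(uniqid(rand(), true))` on the added token line is not a cryptographically secure source: `uniqid()` is derived from the current time and `rand()` is a predictable PRNG, so the token's unpredictability rests almost entirely on the `more_entropy` suffix. Draw it from the OS CSPRNG instead, `$_SESSION['csrfToken'] = bin2hex(random_bytes(20));` on PHP 7+, or `bin2hex(openssl_random_pseudo_bytes(20))` on the PHP 5 line this code base appears to target (it still uses `array()` syntax). The enclosing `login()` starts and ends outside the hunk.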
9 php/controller.php
@@ -14,7 +14,14 @@
$method = str_replace('-', '_', $controller->getRequestVariable('task'));
-if (method_exists($controller, $method)) {
+if (isset($_SESSION['csrfToken']) && (!isset($_POST['csrfToken']) || $_POST['csrfToken'] !== $_SESSION['csrfToken'])) {
+ $response = JsonResponseBuilder::failure(
+ array(
+ 'msg' => 'CSRF token missing or invalid'
+ )
+ );
+}
+else if (method_exists($controller, $method)) {
$response = $controller->$method();
} else {
$response = JsonResponseBuilder::failure(
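Review bot: The guard at the top of the new `if` only runs when `$_SESSION['csrfToken']` is already set, so any request arriving without a session token (pre-login, an expired session, or a session established by a path that never calls `login()`) dispatches the task unchecked. If the intent is to exempt pre-authentication tasks, express that as an explicit allow-list of task names rather than the absence of a token, and document it: `// No session token yet: only pre-authentication tasks may legitimately reach here.` The comparison should also reject non-string input and be constant-time once PHP 5.6 is available, `is_string($_POST['csrfToken']) && hash_equals($_SESSION['csrfToken'], $_POST['csrfToken'])`. Because only `$_POST` is consulted, any task still dispatched via GET will be refused once a session token exists, which is fine if every mutating task is POST. This top-level script starts and ends outside the hunk.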