Comment: Utilisation de KD2\Security pour les tokens CSRF
SHA1: 6fa02716f8d331c971c14f6271cb03b41ccdd654
User & Date: bohwaz on 2017-05-11 06:11:30
Changes

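--- a/src/include/lib/Garradin/Template.php
+++ b/src/include/lib/Garradin/Template.php
@@ -1,10 +1,12 @@
 <?php
 
 namespace Garradin;
+
+use KD2\Security;
 
 class Template extends \KD2\Smartyer
 {
     static protected $_instance = null;
 
     static public function getInstance()
     {
@@ -30,18 +32,15 @@
     }
 }
 
 $tpl = Template::getInstance();
 
 function tpl_csrf_field($params)
 {
-    $name = Utils::CSRF_field_name($params['key']);
-    $value = Utils::CSRF_create($params['key']);
-
-    return '<input type="hidden" name="'.$name.'" value="'.$value.'" />';
+    return Security::tokenHTML($params['key']);
 }
 
 function tpl_form_field($params)
 {
     if (!isset($params['name']))
         throw new \BadFunctionCallException('name argument is mandatory');
 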
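Review bot: `tpl_csrf_field` reads `$params['key']` without checking it is set, whereas `tpl_form_field` directly below throws `\BadFunctionCallException` when its mandatory `name` argument is missing; a template that omits `key` would pass `null` (with an undefined-index notice) to `Security::tokenHTML()` instead of failing loudly. For consistency add the same guard before the return: `if (!isset($params['key'])) throw new \BadFunctionCallException('key argument is mandatory');`. The body of `tpl_form_field` continues past the end of this hunk.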
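--- a/src/include/lib/Garradin/Utils.php
+++ b/src/include/lib/Garradin/Utils.php
@@ -1,11 +1,13 @@
 <?php
 
 namespace Garradin;
+
+use KD2\Security;
 
 class Utils
 {
     static protected $country_list = null;
 
     static protected $skriv = null;
 
     static private $french_date_names = [
@@ -177,65 +179,27 @@
 
         header("Location: " . $destination);
 
         if ($exit)
           exit();
     }
 
-
-    static protected function _sessionStart($force = false)
-    {
-        if (!isset($_SESSION) && ($force || isset($_COOKIE[session_name()])))
-        {
-            session_start();
-        }
-        return true;
-    }
-
     static public function CSRF_create($key)
     {
-        self::_sessionStart(true);
-
-        if (!isset($_SESSION['csrf']))
-        {
-            $_SESSION['csrf'] = [];
-        }
-
-        $_SESSION['csrf'][$key] = sha1($key . uniqid($key, true) . time());
-        return $_SESSION['csrf'][$key];
+        return Security::tokenGenerate($key);
     }
 
     static public function CSRF_check($key, $hash=null)
     {
-        self::_sessionStart();
-
-        if (is_null($hash))
-        {
-            $name = self::CSRF_field_name($key);
-
-            if (!isset($_POST[$name]))
-                return false;
-
-            $hash = $_POST[$name];
-        }
-
-        if (empty($_SESSION['csrf'][$key]))
-            return false;
-
-        if ($_SESSION['csrf'][$key] != $hash)
-            return false;
-
-        unset($_SESSION['csrf'][$key]);
-
-        return true;
+        return Security::tokenCheck($key, $hash);
     }
 
     static public function CSRF_field_name($key)
     {
-        return 'gecko/'.base64_encode(sha1($key, true));
+        return Security::tokenFieldName($key);
     }
 
     static public function post($key)
     {
         return isset($_POST[$key]) ? $_POST[$key] : '';
     }
 
@@ -713,9 +677,8 @@
 
         arsort($delims);
         reset($delims);
 
         rewind($fp);
         return key($delims);
     }
-
 }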
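Review bot: `CSRF_check` keeps its `$hash = null` default but now forwards `$hash` unchanged to `Security::tokenCheck($key, $hash)`; the removed body resolved a null `$hash` by reading `$_POST[self::CSRF_field_name($key)]`, and unless `KD2\Security::tokenCheck` performs the same fallback (not visible here), every existing caller relying on the default will behave differently. That is worth confirming against the KD2 implementation and recording on the wrapper, e.g. `/** @param string|null $hash Token to verify; when null the KD2 library is expected to read it from the request — confirm. */`. Removing `_sessionStart()` also means these wrappers no longer open the session themselves, so if `Security::tokenCheck` depends on `$_SESSION` the callers must now guarantee the session is already started, and any remaining `self::_sessionStart()` call in the collapsed parts of this class or in a subclass would now be a fatal error. Since the three methods are one-line pass-throughs, a `@deprecated use KD2\Security::tokenGenerate() / tokenCheck() / tokenFieldName()` docblock on each would steer new code to the library directly.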