Comment: | Utilisation de KD2\Security pour les tokens CSRF |
SHA1: |
6fa02716f8d331c971c14f6271cb03b4 |
User & Date: | bohwaz on 2017-05-11 06:11:30 |
Changes
Modified src/include/lib/Garradin/Template.php from [bdc7529178] to [58ab6469f8].
1
2
3
4
5
6
7
8
9
10
..
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
<?php namespace Garradin; class Template extends \KD2\Smartyer { static protected $_instance = null; static public function getInstance() { ................................................................................ } } $tpl = Template::getInstance(); function tpl_csrf_field($params) { $name = Utils::CSRF_field_name($params['key']); $value = Utils::CSRF_create($params['key']); return '<input type="hidden" name="'.$name.'" value="'.$value.'" />'; } function tpl_form_field($params) { if (!isset($params['name'])) throw new \BadFunctionCallException('name argument is mandatory'); |
>
>
<
|
<
<
|
1
2
3
4
5
6
7
8
9
10
11
12
..
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
<?php namespace Garradin; use KD2\Security; class Template extends \KD2\Smartyer { static protected $_instance = null; static public function getInstance() { ................................................................................ } } $tpl = Template::getInstance(); function tpl_csrf_field($params) { return Security::tokenHTML($params['key']); } function tpl_form_field($params) { if (!isset($params['name'])) throw new \BadFunctionCallException('name argument is mandatory'); |
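Review bot: `tpl_csrf_field` reads `$params['key']` without checking that it was supplied, while the neighbouring `tpl_form_field` throws `\BadFunctionCallException` when its mandatory argument is missing; a template that calls the helper without `key` passes null (plus an undefined-index notice) into `Security::tokenHTML`, and how the library treats a null key is not visible here. Suggest the same guard before the `return`: `if (!isset($params['key'])) throw new \BadFunctionCallException('key argument is mandatory');`. The rendered section collapses the file and elides `getInstance`, so only these two functions can be reviewed from it.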
Modified src/include/lib/Garradin/Utils.php from [51958d7a51] to [fbd4916050].
1 2 3 4 5 6 7 8 9 10 11 ... 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 ... 713 714 715 716 717 718 719 720 721 |
<?php namespace Garradin; class Utils { static protected $country_list = null; static protected $skriv = null; static private $french_date_names = [ ................................................................................ header("Location: " . $destination); if ($exit) exit(); } static protected function _sessionStart($force = false) { if (!isset($_SESSION) && ($force || isset($_COOKIE[session_name()]))) { session_start(); } return true; } static public function CSRF_create($key) { self::_sessionStart(true); if (!isset($_SESSION['csrf'])) { $_SESSION['csrf'] = []; } $_SESSION['csrf'][$key] = sha1($key . uniqid($key, true) . time()); return $_SESSION['csrf'][$key]; } static public function CSRF_check($key, $hash=null) { self::_sessionStart(); if (is_null($hash)) { $name = self::CSRF_field_name($key); if (!isset($_POST[$name])) return false; $hash = $_POST[$name]; } if (empty($_SESSION['csrf'][$key])) return false; if ($_SESSION['csrf'][$key] != $hash) return false; unset($_SESSION['csrf'][$key]); return true; } static public function CSRF_field_name($key) { return 'gecko/'.base64_encode(sha1($key, true)); } static public function post($key) { return isset($_POST[$key]) ? $_POST[$key] : ''; } ................................................................................ arsort($delims); reset($delims); rewind($fp); return key($delims); } } |
> > < < < < < < < < < < < > | < | < < < < < < < < < < < < < < < < < < < < < < < < < < < < > | | < |
1 2 3 4 5 6 7 8 9 10 11 12 13 ... 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 ... 677 678 679 680 681 682 683 684 |
<?php namespace Garradin; use KD2\Security; class Utils { static protected $country_list = null; static protected $skriv = null; static private $french_date_names = [ ................................................................................ header("Location: " . $destination); if ($exit) exit(); } static public function CSRF_create($key) { return Security::tokenGenerate($key); } static public function CSRF_check($key, $hash=null) { return Security::tokenCheck($key, $hash); } static public function CSRF_field_name($key) { return Security::tokenFieldName($key); } static public function post($key) { return isset($_POST[$key]) ? $_POST[$key] : ''; } ................................................................................ arsort($delims); reset($delims); rewind($fp); return key($delims); } } |
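Review bot: `CSRF_check($key, $hash=null)` now forwards a null `$hash` straight to `Security::tokenCheck`, whereas the removed implementation resolved a null hash itself by reading `$_POST[self::CSRF_field_name($key)]`; unless `tokenCheck` performs the same fallback (not visible in this section), every one-argument call site stops validating without an error. The removed code also started the session (`_sessionStart(true)`) before generating a token and consumed the token after a successful check, so the wrappers deserve a docblock stating what now holds, e.g. `/** Thin wrappers over KD2\Security — session start, single-use tokens and the POST-field fallback are the library's responsibility; confirm against KD2\Security. */`. `_sessionStart` is deleted in this section; whether anything else in the file still calls it is outside what is shown.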