Remove legacy code from csrf_check_token function

Dmitriy Simushev 2014-06-03 13:18:00 +00:00
parent 3346a0c90f
commit 457045d81a


@ -25,37 +25,20 @@ use Mibew\Http\Exception\BadRequestException;
* $_POST and $_GET arrays will be used. * $_POST and $_GET arrays will be used.
* *
* @throws BadRequestException If CSRF token check is faild. * @throws BadRequestException If CSRF token check is faild.
*
* @todo Remove legacy code, related with $_POST and $_GET arrays.
*/ */
function csrf_check_token(Request $request = null) function csrf_check_token(Request $request)
{ {
set_csrf_token(); set_csrf_token();
// If the request instance is provided use it to get the token. $token = $request->isMethod('POST')
if ($request) { ? $token = $request->request->get('csrf_token', false)
$token = $request->isMethod('POST') : $token = $request->query->get('csrf_token', false);
? $token = $request->request->get('csrf_token', false)
: $token = $request->query->get('csrf_token', false);
if ($token !== $_SESSION['csrf_token']) { if ($token !== $_SESSION['csrf_token']) {
throw new BadRequestException('CSRF failure'); throw new BadRequestException('CSRF failure');
}
return;
} }
// Check the turing code for post requests and del requests return;
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// If token match
if (!isset($_POST['csrf_token']) || ($_POST['csrf_token'] != $_SESSION['csrf_token'])) {
die("CSRF failure");
}
} elseif (isset($_GET['act'])) {
if (($_GET['act'] == 'del' || $_GET['act'] == 'delete') && $_GET['csrf_token'] != $_SESSION['csrf_token']) {
die("CSRF failure");
}
}
} }
function get_csrf_token_input() function get_csrf_token_input()
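Review bot: The token check kept on the new side (`if ($token !== $_SESSION['csrf_token'])`) compares the secret with a plain `!==`, which stops at the first differing byte; a CSRF token should be compared in constant time, e.g. `if (!is_string($token) || !hash_equals($_SESSION['csrf_token'], $token)) {` where the `is_string` guard keeps the `false` default from the `get()` calls (or an array-valued parameter) out of `hash_equals()`, which accepts only strings. `hash_equals()` needs PHP 5.6+, so if the project targets an older baseline a hand-written constant-time loop would be the fallback. As a point of style, the new ternary assigns three times (`$token = $request->isMethod('POST') ? $token = … : $token = …`); the inner `$token =` on each branch is a leftover and `$token = $request->isMethod('POST') ? $request->request->get('csrf_token', false) : $request->query->get('csrf_token', false);` reads the same. The session key is presumably populated by `set_csrf_token()` just above — worth confirming, since that function is outside this hunk, as is the start of the docblock.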