From 86f2c59faa16b534dd3c22c06a1fc524215804f4 Mon Sep 17 00:00:00 2001
From: Dmitriy Simushev
Date: Mon, 19 May 2014 09:36:17 +0000
Subject: [PATCH] Make "csrf_check_token" function compatible with new requests logic
---
 src/mibew/libs/common/csrf.php | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/mibew/libs/common/csrf.php b/src/mibew/libs/common/csrf.php
index 0699df35..eb554c3b 100644
--- a/src/mibew/libs/common/csrf.php
+++ b/src/mibew/libs/common/csrf.php
@@ -15,11 +15,36 @@
  * limitations under the License.
  */
 
-/* authorization token check for CSRF attack */
-function csrf_check_token()
+use Symfony\Component\HttpFoundation\Request;
+use Mibew\Http\Exception\BadRequestException;
+
+/**
+ * Checks authorization token for CSRF attack.
+ *
+ * @param Request $request Incoming request. If it is not specified values from
+ * $_POST and $_GET arrays will be used.
+ *
+ * @throws BadRequestException If CSRF token check is faild.
+ *
+ * @todo Remove legacy code, related with $_POST and $_GET arrays.
+ */
+function csrf_check_token(Request $request = null)
 {
     set_csrf_token();
 
+    // If the request instance is provided use it to get the token.
+    if ($request) {
+        $token = $request->isMethod('POST')
+            ? $token = $request->request->get('csrf_token', false)
+            : $token = $request->query->get('csrf_token', false);
+
+        if ($token !== $_SESSION['csrf_token']) {
+            throw new BadRequestException('CSRF failure');
+        }
+
+        return;
+    }
+
     // Check the turing code for post requests and del requests
     if ($_SERVER['REQUEST_METHOD'] == 'POST') {
         // If token match
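Review bot: The new check `if ($token !== $_SESSION['csrf_token'])` compares the secret with ordinary string equality, which is not constant-time; if the project's minimum PHP version permits it, use `hash_equals()` so the comparison does not leak token bytes through timing. Because `ParameterBag::get()` can hand back an array when a client sends `csrf_token[]=...`, guard the type first so `hash_equals()` is never called on a non-string: `if (!is_string($token) || !hash_equals($_SESSION['csrf_token'], $token)) {`. The assignments inside each ternary branch are redundant and hurt readability; `? $request->request->get('csrf_token', false) : $request->query->get('csrf_token', false)` is enough. Note also that for any method other than POST the token is read from the query string, which presumably mirrors the legacy GET path below but means tokens for PUT/DELETE bodies are not consulted and URL-borne tokens can end up in logs and Referer headers. Minor: "faild" in the `@throws` line should read "failed", and the legacy branch of csrf_check_token continues past the end of this hunk.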