Timestamp:
Mar 12, 2018, 8:53:21 PM (6 years ago)
Author:
roby
Message:
 
File:
1 edited

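--- a/trunk/client/inc/csrf-magic/csrf-magic.php
+++ b/trunk/client/inc/csrf-magic/csrf-magic.php
@@ -54,4 +54,6 @@
  */
 $GLOBALS['csrf']['secret'] = '';
+// nota bene: library code should use csrf_get_secret() and not access
+// this global directly
 
 /**
@@ -130,5 +132,5 @@
 
 // Don't edit this!
-$GLOBALS['csrf']['version'] = '1.0.1';
+$GLOBALS['csrf']['version'] = '1.0.4';
 
 /**
@@ -152,5 +154,5 @@
     $name = $GLOBALS['csrf']['input-name'];
     $endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : '';
-    $input = "\n<div><input type='hidden' name='$name' value=\"$tokens\"$endslash></div>";
+    $input = "<input type='hidden' name='$name' value=\"$tokens\"$endslash>";
     $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
     if ($GLOBALS['csrf']['frame-breaker']) {
@@ -216,5 +218,6 @@
     if (!$has_cookies && $secret) {
         // :TODO: Harden this against proxy-spoofing attacks
-        $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
+        $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+        $ip = ';ip:' . csrf_hash($IP_ADDRESS);
     } else {
         $ip = '';
@@ -241,10 +244,38 @@
 }
 
+function csrf_flattenpost($data) {
+    $ret = array();
+    foreach($data as $n => $v) {
+        $ret = array_merge($ret, csrf_flattenpost2(1, $n, $v));
+    }
+    return $ret;
+}
+function csrf_flattenpost2($level, $key, $data) {
+    if(!is_array($data)) return array($key => $data);
+    $ret = array();
+    foreach($data as $n => $v) {
+        $nk = $level >= 1 ? $key."[$n]" : "[$n]";
+        $ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v));
+    }
+    return $ret;
+}
+
 /**
  * @param $tokens is safe for HTML consumption
  */
 function csrf_callback($tokens) {
+    // (yes, $tokens is safe to echo without escaping)
     header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
-    echo "<html><head><title>CSRF check failed</title></head><body>CSRF check failed. Please enable cookies.<br />Debug: ".$tokens."</body></html>
+    $data = '';
+    foreach (csrf_flattenpost($_POST) as $key => $value) {
+        if ($key == $GLOBALS['csrf']['input-name']) continue;
+        $data .= '<input type="hidden" name="'.htmlspecialchars($key).'" value="'.htmlspecialchars($value).'" />';
+    }
+    echo "<html><head><title>CSRF check failed</title></head>
+        <body>
+        <p>CSRF check failed. Your form session may have expired, or you may not have
+        cookies enabled.</p>
+        <form method='post' action=''>$data<input type='submit' value='Try again' /></form>
+        <p>Debug: $tokens</p></body></html>
 ";
 }
@@ -298,5 +329,6 @@
             if (!empty($_COOKIE)) return false;
             if (!$GLOBALS['csrf']['allow-ip']) return false;
-            return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
+            $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+            return $value === csrf_hash($IP_ADDRESS, $time);
     }
     return false;
@@ -328,27 +360,4 @@
 function csrf_get_secret() {
     if ($GLOBALS['csrf']['secret']) return $GLOBALS['csrf']['secret'];
-    // secret by db l.apolito
-    global $prefix,$dbi;
-    # crea campo secret nella tabella _config se non esiste             
-    $campo= mysql_query("SHOW COLUMNS FROM ".$prefix."_config LIKE 'secret' ",$dbi);
-    $esiste=mysql_num_rows($campo);
-        if ($esiste==0) {
-                $result=mysql_query("ALTER TABLE ".$prefix."_config ADD secret VARCHAR(30);",$dbi);
-        }
-
-    $res_secret =  mysql_query("SELECT * FROM ".$prefix."_config" , $dbi);
-    $row = mysql_fetch_array($res_secret);
-    $secret = $row['secret'];   
-    if (isset($secret)){ return $secret;
-
-    }else{
-        $secret = csrf_generate_secret();
-        mysql_query("UPDATE ".$prefix."_config SET secret='$secret'" , $dbi);
-        return $secret;
-    }
-         return '';
-
-       
-    /* nel caso di registrazione del file                               
     $dir = dirname(__FILE__);
     $file = $dir . '/csrf-secret.php';
@@ -358,5 +367,4 @@
         return $secret;
     }
-       
     if (is_writable($dir)) {
         $secret = csrf_generate_secret();
@@ -367,5 +375,4 @@
     }
     return '';
-    */ 
 }
 
@@ -375,5 +382,5 @@
 function csrf_generate_secret($len = 32) {
     $r = '';
-    for ($i = 0; $i < 32; $i++) {
+    for ($i = 0; $i < $len; $i++) {
         $r .= chr(mt_rand(0, 255));
     }
@@ -388,5 +395,5 @@
 function csrf_hash($value, $time = null) {
     if (!$time) $time = time();
-    return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
+    return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
 }
 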
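Review bot: The loop in `csrf_generate_secret` that this change parameterises with `$len` still fills the secret from `mt_rand(0, 255)`, and `mt_rand` is not a cryptographically secure generator, so the value that `csrf_hash` (last hunk) now signs every token with does not have the entropy a CSRF secret needs. On PHP 7+ the loop can be replaced by `$r = random_bytes($len);`, and on older runtimes by `$r = openssl_random_pseudo_bytes($len);` — the function body continues outside the hunk, so whatever it does with `$r` afterwards is unaffected. The removed mysql_* code suggests an old target runtime, so which of the two applies should be confirmed against the project's minimum PHP version. Separately, the `$IP_ADDRESS` fallback expression is added verbatim in both the `!$has_cookies && $secret` block and the `allow-ip` branch; a single small helper such as `function csrf_get_ip() { return isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']; }` would keep the two call sites from drifting when the existing proxy-spoofing TODO is eventually addressed.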