[153] | 1 | <?php
|
---|
| 2 |
|
---|
| 3 | /**
|
---|
| 4 | * @file
|
---|
| 5 | *
|
---|
| 6 | * csrf-magic is a PHP library that makes adding CSRF-protection to your
|
---|
| 7 | * web applications a snap. No need to modify every form or create a database
|
---|
| 8 | * of valid nonces; just include this file at the top of every
|
---|
| 9 | * web-accessible page (or even better, your common include file included
|
---|
| 10 | * in every page), and forget about it! (There are, of course, configuration
|
---|
| 11 | * options for advanced users).
|
---|
| 12 | *
|
---|
| 13 | * This library is PHP4 and PHP5 compatible.
|
---|
| 14 | */
|
---|
| 15 |
|
---|
| 16 | // CONFIGURATION:
|
---|
| 17 |
|
---|
| 18 | /**
|
---|
| 19 | * By default, when you include this file csrf-magic will automatically check
|
---|
| 20 | * and exit if the CSRF token is invalid. This will defer executing
|
---|
| 21 | * csrf_check() until you're ready. You can also pass false as a parameter to
|
---|
| 22 | * that function, in which case the function will not exit but instead return
|
---|
| 23 | * a boolean false if the CSRF check failed. This allows for tighter integration
|
---|
| 24 | * with your system.
|
---|
| 25 | */
|
---|
| 26 | $GLOBALS['csrf']['defer'] = false;
|
---|
| 27 |
|
---|
| 28 | /**
|
---|
| 29 | * This is the amount of seconds you wish to allow before any token becomes
|
---|
| 30 | * invalid; the default is two hours, which should be more than enough for
|
---|
| 31 | * most websites.
|
---|
| 32 | */
|
---|
| 33 | $GLOBALS['csrf']['expires'] = 7200;
|
---|
| 34 |
|
---|
| 35 | /**
|
---|
| 36 | * Callback function to execute when there's the CSRF check fails and
|
---|
| 37 | * $fatal == true (see csrf_check). This will usually output an error message
|
---|
| 38 | * about the failure.
|
---|
| 39 | */
|
---|
| 40 | $GLOBALS['csrf']['callback'] = 'csrf_callback';
|
---|
| 41 |
|
---|
| 42 | /**
|
---|
| 43 | * Whether or not to include our JavaScript library which also rewrites
|
---|
| 44 | * AJAX requests on this domain. Set this to the web path. This setting only works
|
---|
| 45 | * with supported JavaScript libraries in Internet Explorer; see README.txt for
|
---|
| 46 | * a list of supported libraries.
|
---|
| 47 | */
|
---|
| 48 | $GLOBALS['csrf']['rewrite-js'] = false;
|
---|
| 49 |
|
---|
| 50 | /**
|
---|
| 51 | * A secret key used when hashing items. Please generate a random string and
|
---|
| 52 | * place it here. If you change this value, all previously generated tokens
|
---|
| 53 | * will become invalid.
|
---|
| 54 | */
|
---|
| 55 | $GLOBALS['csrf']['secret'] = '';
|
---|
[253] | 56 | // nota bene: library code should use csrf_get_secret() and not access
|
---|
| 57 | // this global directly
|
---|
[153] | 58 |
|
---|
| 59 | /**
|
---|
| 60 | * Set this to false to disable csrf-magic's output handler, and therefore,
|
---|
| 61 | * its rewriting capabilities. If you're serving non HTML content, you should
|
---|
| 62 | * definitely set this false.
|
---|
| 63 | */
|
---|
| 64 | $GLOBALS['csrf']['rewrite'] = true;
|
---|
| 65 |
|
---|
| 66 | /**
|
---|
| 67 | * Whether or not to use IP addresses when binding a user to a token. This is
|
---|
| 68 | * less reliable and less secure than sessions, but is useful when you need
|
---|
| 69 | * to give facilities to anonymous users and do not wish to maintain a database
|
---|
| 70 | * of valid keys.
|
---|
| 71 | */
|
---|
| 72 | $GLOBALS['csrf']['allow-ip'] = true;
|
---|
| 73 |
|
---|
| 74 | /**
|
---|
| 75 | * If this information is available, use the cookie by this name to determine
|
---|
| 76 | * whether or not to allow the request. This is a shortcut implementation
|
---|
| 77 | * very similar to 'key', but we randomly set the cookie ourselves.
|
---|
| 78 | */
|
---|
| 79 | $GLOBALS['csrf']['cookie'] = '__csrf_cookie';
|
---|
| 80 |
|
---|
| 81 | /**
|
---|
| 82 | * If this information is available, set this to a unique identifier (it
|
---|
| 83 | * can be an integer or a unique username) for the current "user" of this
|
---|
| 84 | * application. The token will then be globally valid for all of that user's
|
---|
| 85 | * operations, but no one else. This requires that 'secret' be set.
|
---|
| 86 | */
|
---|
| 87 | $GLOBALS['csrf']['user'] = false;
|
---|
| 88 |
|
---|
| 89 | /**
|
---|
| 90 | * This is an arbitrary secret value associated with the user's session. This
|
---|
| 91 | * will most probably be the contents of a cookie, as an attacker cannot easily
|
---|
| 92 | * determine this information. Warning: If the attacker knows this value, they
|
---|
| 93 | * can easily spoof a token. This is a generic implementation; sessions should
|
---|
| 94 | * work in most cases.
|
---|
| 95 | *
|
---|
| 96 | * Why would you want to use this? Lets suppose you have a squid cache for your
|
---|
| 97 | * website, and the presence of a session cookie bypasses it. Let's also say
|
---|
| 98 | * you allow anonymous users to interact with the website; submitting forms
|
---|
| 99 | * and AJAX. Previously, you didn't have any CSRF protection for anonymous users
|
---|
| 100 | * and so they never got sessions; you don't want to start using sessions either,
|
---|
| 101 | * otherwise you'll bypass the Squid cache. Setup a different cookie for CSRF
|
---|
| 102 | * tokens, and have Squid ignore that cookie for get requests, for anonymous
|
---|
| 103 | * users. (If you haven't guessed, this scheme was(?) used for MediaWiki).
|
---|
| 104 | */
|
---|
| 105 | $GLOBALS['csrf']['key'] = false;
|
---|
| 106 |
|
---|
| 107 | /**
|
---|
| 108 | * The name of the magic CSRF token that will be placed in all forms, i.e.
|
---|
| 109 | * the contents of <input type="hidden" name="$name" value="CSRF-TOKEN" />
|
---|
| 110 | */
|
---|
| 111 | $GLOBALS['csrf']['input-name'] = '__csrf_magic';
|
---|
| 112 |
|
---|
| 113 | /**
|
---|
| 114 | * Set this to false if your site must work inside of frame/iframe elements,
|
---|
| 115 | * but do so at your own risk: this configuration protects you against CSS
|
---|
| 116 | * overlay attacks that defeat tokens.
|
---|
| 117 | */
|
---|
| 118 | $GLOBALS['csrf']['frame-breaker'] = true;
|
---|
| 119 |
|
---|
| 120 | /**
|
---|
| 121 | * Whether or not CSRF Magic should be allowed to start a new session in order
|
---|
| 122 | * to determine the key.
|
---|
| 123 | */
|
---|
| 124 | $GLOBALS['csrf']['auto-session'] = true;
|
---|
| 125 |
|
---|
| 126 | /**
|
---|
| 127 | * Whether or not csrf-magic should produce XHTML style tags.
|
---|
| 128 | */
|
---|
| 129 | $GLOBALS['csrf']['xhtml'] = true;
|
---|
| 130 |
|
---|
| 131 | // FUNCTIONS:
|
---|
| 132 |
|
---|
| 133 | // Don't edit this!
|
---|
[253] | 134 | $GLOBALS['csrf']['version'] = '1.0.4';
|
---|
[153] | 135 |
|
---|
| 136 | /**
|
---|
| 137 | * Rewrites <form> on the fly to add CSRF tokens to them. This can also
|
---|
| 138 | * inject our JavaScript library.
|
---|
| 139 | */
|
---|
| 140 | function csrf_ob_handler($buffer, $flags) {
|
---|
| 141 | // Even though the user told us to rewrite, we should do a quick heuristic
|
---|
| 142 | // to check if the page is *actually* HTML. We don't begin rewriting until
|
---|
| 143 | // we hit the first <html tag.
|
---|
| 144 | static $is_html = false;
|
---|
| 145 | if (!$is_html) {
|
---|
| 146 | // not HTML until proven otherwise
|
---|
| 147 | if (stripos($buffer, '<html') !== false) {
|
---|
| 148 | $is_html = true;
|
---|
| 149 | } else {
|
---|
| 150 | return $buffer;
|
---|
| 151 | }
|
---|
| 152 | }
|
---|
| 153 | $tokens = csrf_get_tokens();
|
---|
| 154 | $name = $GLOBALS['csrf']['input-name'];
|
---|
| 155 | $endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : '';
|
---|
[253] | 156 | $input = "<input type='hidden' name='$name' value=\"$tokens\"$endslash>";
|
---|
[153] | 157 | $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
|
---|
| 158 | if ($GLOBALS['csrf']['frame-breaker']) {
|
---|
| 159 | $buffer = str_ireplace('</head>', '<script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script></head>', $buffer);
|
---|
| 160 | }
|
---|
| 161 | if ($js = $GLOBALS['csrf']['rewrite-js']) {
|
---|
| 162 | $buffer = str_ireplace(
|
---|
| 163 | '</head>',
|
---|
| 164 | '<script type="text/javascript">'.
|
---|
| 165 | 'var csrfMagicToken = "'.$tokens.'";'.
|
---|
| 166 | 'var csrfMagicName = "'.$name.'";</script>'.
|
---|
| 167 | '<script src="'.$js.'" type="text/javascript"></script></head>',
|
---|
| 168 | $buffer
|
---|
| 169 | );
|
---|
| 170 | $script = '<script type="text/javascript">CsrfMagic.end();</script>';
|
---|
| 171 | $buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);
|
---|
| 172 | if (!$count) {
|
---|
| 173 | $buffer .= $script;
|
---|
| 174 | }
|
---|
| 175 | }
|
---|
| 176 | return $buffer;
|
---|
| 177 | }
|
---|
| 178 |
|
---|
| 179 | /**
|
---|
| 180 | * Checks if this is a post request, and if it is, checks if the nonce is valid.
|
---|
| 181 | * @param bool $fatal Whether or not to fatally error out if there is a problem.
|
---|
| 182 | * @return True if check passes or is not necessary, false if failure.
|
---|
| 183 | */
|
---|
| 184 | function csrf_check($fatal = true) {
|
---|
| 185 | if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true;
|
---|
| 186 | csrf_start();
|
---|
| 187 | $name = $GLOBALS['csrf']['input-name'];
|
---|
| 188 | $ok = false;
|
---|
| 189 | $tokens = '';
|
---|
| 190 | do {
|
---|
| 191 | if (!isset($_POST[$name])) break;
|
---|
| 192 | // we don't regenerate a token and check it because some token creation
|
---|
| 193 | // schemes are volatile.
|
---|
| 194 | $tokens = $_POST[$name];
|
---|
| 195 | if (!csrf_check_tokens($tokens)) break;
|
---|
| 196 | $ok = true;
|
---|
| 197 | } while (false);
|
---|
| 198 | if ($fatal && !$ok) {
|
---|
| 199 | $callback = $GLOBALS['csrf']['callback'];
|
---|
| 200 | if (trim($tokens, 'A..Za..z0..9:;,') !== '') $tokens = 'hidden';
|
---|
| 201 | $callback($tokens);
|
---|
| 202 | exit;
|
---|
| 203 | }
|
---|
| 204 | return $ok;
|
---|
| 205 | }
|
---|
| 206 |
|
---|
| 207 | /**
|
---|
| 208 | * Retrieves a valid token(s) for a particular context. Tokens are separated
|
---|
| 209 | * by semicolons.
|
---|
| 210 | */
|
---|
| 211 | function csrf_get_tokens() {
|
---|
| 212 | $has_cookies = !empty($_COOKIE);
|
---|
| 213 |
|
---|
| 214 | // $ip implements a composite key, which is sent if the user hasn't sent
|
---|
| 215 | // any cookies. It may or may not be used, depending on whether or not
|
---|
| 216 | // the cookies "stick"
|
---|
| 217 | $secret = csrf_get_secret();
|
---|
| 218 | if (!$has_cookies && $secret) {
|
---|
| 219 | // :TODO: Harden this against proxy-spoofing attacks
|
---|
[253] | 220 | $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
|
---|
| 221 | $ip = ';ip:' . csrf_hash($IP_ADDRESS);
|
---|
[153] | 222 | } else {
|
---|
| 223 | $ip = '';
|
---|
| 224 | }
|
---|
| 225 | csrf_start();
|
---|
| 226 |
|
---|
| 227 | // These are "strong" algorithms that don't require per se a secret
|
---|
| 228 | if (session_id()) return 'sid:' . csrf_hash(session_id()) . $ip;
|
---|
| 229 | if ($GLOBALS['csrf']['cookie']) {
|
---|
| 230 | $val = csrf_generate_secret();
|
---|
| 231 | setcookie($GLOBALS['csrf']['cookie'], $val);
|
---|
| 232 | return 'cookie:' . csrf_hash($val) . $ip;
|
---|
| 233 | }
|
---|
| 234 | if ($GLOBALS['csrf']['key']) return 'key:' . csrf_hash($GLOBALS['csrf']['key']) . $ip;
|
---|
| 235 | // These further algorithms require a server-side secret
|
---|
| 236 | if (!$secret) return 'invalid';
|
---|
| 237 | if ($GLOBALS['csrf']['user'] !== false) {
|
---|
| 238 | return 'user:' . csrf_hash($GLOBALS['csrf']['user']);
|
---|
| 239 | }
|
---|
| 240 | if ($GLOBALS['csrf']['allow-ip']) {
|
---|
| 241 | return ltrim($ip, ';');
|
---|
| 242 | }
|
---|
| 243 | return 'invalid';
|
---|
| 244 | }
|
---|
| 245 |
|
---|
[253] | 246 | function csrf_flattenpost($data) {
|
---|
| 247 | $ret = array();
|
---|
| 248 | foreach($data as $n => $v) {
|
---|
| 249 | $ret = array_merge($ret, csrf_flattenpost2(1, $n, $v));
|
---|
| 250 | }
|
---|
| 251 | return $ret;
|
---|
| 252 | }
|
---|
| 253 | function csrf_flattenpost2($level, $key, $data) {
|
---|
| 254 | if(!is_array($data)) return array($key => $data);
|
---|
| 255 | $ret = array();
|
---|
| 256 | foreach($data as $n => $v) {
|
---|
| 257 | $nk = $level >= 1 ? $key."[$n]" : "[$n]";
|
---|
| 258 | $ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v));
|
---|
| 259 | }
|
---|
| 260 | return $ret;
|
---|
| 261 | }
|
---|
| 262 |
|
---|
[153] | 263 | /**
|
---|
| 264 | * @param $tokens is safe for HTML consumption
|
---|
| 265 | */
|
---|
| 266 | function csrf_callback($tokens) {
|
---|
[253] | 267 | // (yes, $tokens is safe to echo without escaping)
|
---|
[153] | 268 | header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
|
---|
[253] | 269 | $data = '';
|
---|
| 270 | foreach (csrf_flattenpost($_POST) as $key => $value) {
|
---|
| 271 | if ($key == $GLOBALS['csrf']['input-name']) continue;
|
---|
| 272 | $data .= '<input type="hidden" name="'.htmlspecialchars($key).'" value="'.htmlspecialchars($value).'" />';
|
---|
| 273 | }
|
---|
| 274 | echo "<html><head><title>CSRF check failed</title></head>
|
---|
| 275 | <body>
|
---|
| 276 | <p>CSRF check failed. Your form session may have expired, or you may not have
|
---|
| 277 | cookies enabled.</p>
|
---|
| 278 | <form method='post' action=''>$data<input type='submit' value='Try again' /></form>
|
---|
| 279 | <p>Debug: $tokens</p></body></html>
|
---|
[153] | 280 | ";
|
---|
| 281 | }
|
---|
| 282 |
|
---|
| 283 | /**
|
---|
| 284 | * Checks if a composite token is valid. Outward facing code should use this
|
---|
| 285 | * instead of csrf_check_token()
|
---|
| 286 | */
|
---|
| 287 | function csrf_check_tokens($tokens) {
|
---|
| 288 | if (is_string($tokens)) $tokens = explode(';', $tokens);
|
---|
| 289 | foreach ($tokens as $token) {
|
---|
| 290 | if (csrf_check_token($token)) return true;
|
---|
| 291 | }
|
---|
| 292 | return false;
|
---|
| 293 | }
|
---|
| 294 |
|
---|
| 295 | /**
|
---|
| 296 | * Checks if a token is valid.
|
---|
| 297 | */
|
---|
| 298 | function csrf_check_token($token) {
|
---|
| 299 | if (strpos($token, ':') === false) return false;
|
---|
| 300 | list($type, $value) = explode(':', $token, 2);
|
---|
| 301 | if (strpos($value, ',') === false) return false;
|
---|
| 302 | list($x, $time) = explode(',', $token, 2);
|
---|
| 303 | if ($GLOBALS['csrf']['expires']) {
|
---|
| 304 | if (time() > $time + $GLOBALS['csrf']['expires']) return false;
|
---|
| 305 | }
|
---|
| 306 | switch ($type) {
|
---|
| 307 | case 'sid':
|
---|
| 308 | return $value === csrf_hash(session_id(), $time);
|
---|
| 309 | case 'cookie':
|
---|
| 310 | $n = $GLOBALS['csrf']['cookie'];
|
---|
| 311 | if (!$n) return false;
|
---|
| 312 | if (!isset($_COOKIE[$n])) return false;
|
---|
| 313 | return $value === csrf_hash($_COOKIE[$n], $time);
|
---|
| 314 | case 'key':
|
---|
| 315 | if (!$GLOBALS['csrf']['key']) return false;
|
---|
| 316 | return $value === csrf_hash($GLOBALS['csrf']['key'], $time);
|
---|
| 317 | // We could disable these 'weaker' checks if 'key' was set, but
|
---|
| 318 | // that doesn't make me feel good then about the cookie-based
|
---|
| 319 | // implementation.
|
---|
| 320 | case 'user':
|
---|
| 321 | if (!csrf_get_secret()) return false;
|
---|
| 322 | if ($GLOBALS['csrf']['user'] === false) return false;
|
---|
| 323 | return $value === csrf_hash($GLOBALS['csrf']['user'], $time);
|
---|
| 324 | case 'ip':
|
---|
| 325 | if (!csrf_get_secret()) return false;
|
---|
| 326 | // do not allow IP-based checks if the username is set, or if
|
---|
| 327 | // the browser sent cookies
|
---|
| 328 | if ($GLOBALS['csrf']['user'] !== false) return false;
|
---|
| 329 | if (!empty($_COOKIE)) return false;
|
---|
| 330 | if (!$GLOBALS['csrf']['allow-ip']) return false;
|
---|
[253] | 331 | $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
|
---|
| 332 | return $value === csrf_hash($IP_ADDRESS, $time);
|
---|
[153] | 333 | }
|
---|
| 334 | return false;
|
---|
| 335 | }
|
---|
| 336 |
|
---|
| 337 | /**
|
---|
| 338 | * Sets a configuration value.
|
---|
| 339 | */
|
---|
| 340 | function csrf_conf($key, $val) {
|
---|
| 341 | if (!isset($GLOBALS['csrf'][$key])) {
|
---|
| 342 | trigger_error('No such configuration ' . $key, E_USER_WARNING);
|
---|
| 343 | return;
|
---|
| 344 | }
|
---|
| 345 | $GLOBALS['csrf'][$key] = $val;
|
---|
| 346 | }
|
---|
| 347 |
|
---|
| 348 | /**
|
---|
| 349 | * Starts a session if we're allowed to.
|
---|
| 350 | */
|
---|
| 351 | function csrf_start() {
|
---|
| 352 | if ($GLOBALS['csrf']['auto-session'] && !session_id()) {
|
---|
| 353 | session_start();
|
---|
| 354 | }
|
---|
| 355 | }
|
---|
| 356 |
|
---|
| 357 | /**
|
---|
| 358 | * Retrieves the secret, and generates one if necessary.
|
---|
| 359 | */
|
---|
| 360 | function csrf_get_secret() {
|
---|
| 361 | if ($GLOBALS['csrf']['secret']) return $GLOBALS['csrf']['secret'];
|
---|
| 362 | $dir = dirname(__FILE__);
|
---|
| 363 | $file = $dir . '/csrf-secret.php';
|
---|
| 364 | $secret = '';
|
---|
| 365 | if (file_exists($file)) {
|
---|
| 366 | include $file;
|
---|
| 367 | return $secret;
|
---|
| 368 | }
|
---|
| 369 | if (is_writable($dir)) {
|
---|
| 370 | $secret = csrf_generate_secret();
|
---|
| 371 | $fh = fopen($file, 'w');
|
---|
| 372 | fwrite($fh, '<?php $secret = "'.$secret.'";' . PHP_EOL);
|
---|
| 373 | fclose($fh);
|
---|
| 374 | return $secret;
|
---|
| 375 | }
|
---|
| 376 | return '';
|
---|
| 377 | }
|
---|
| 378 |
|
---|
| 379 | /**
|
---|
| 380 | * Generates a random string as the hash of time, microtime, and mt_rand.
|
---|
| 381 | */
|
---|
| 382 | function csrf_generate_secret($len = 32) {
|
---|
| 383 | $r = '';
|
---|
[253] | 384 | for ($i = 0; $i < $len; $i++) {
|
---|
[153] | 385 | $r .= chr(mt_rand(0, 255));
|
---|
| 386 | }
|
---|
| 387 | $r .= time() . microtime();
|
---|
| 388 | return sha1($r);
|
---|
| 389 | }
|
---|
| 390 |
|
---|
| 391 | /**
|
---|
| 392 | * Generates a hash/expiry double. If time isn't set it will be calculated
|
---|
| 393 | * from the current time.
|
---|
| 394 | */
|
---|
| 395 | function csrf_hash($value, $time = null) {
|
---|
| 396 | if (!$time) $time = time();
|
---|
[253] | 397 | return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
|
---|
[153] | 398 | }
|
---|
| 399 |
|
---|
| 400 | // Load user configuration
|
---|
| 401 | if (function_exists('csrf_startup')) csrf_startup();
|
---|
| 402 | // Initialize our handler
|
---|
| 403 | if ($GLOBALS['csrf']['rewrite']) ob_start('csrf_ob_handler');
|
---|
| 404 | // Perform check
|
---|
| 405 | if (!$GLOBALS['csrf']['defer']) csrf_check();
|
---|