*/ $GLOBALS['csrf']['input-name'] = '__csrf_magic'; /** * Set this to false if your site must work inside of frame/iframe elements, * but do so at your own risk: this configuration protects you against CSS * overlay attacks that defeat tokens. */ $GLOBALS['csrf']['frame-breaker'] = true; /** * Whether or not CSRF Magic should be allowed to start a new session in order * to determine the key. */ $GLOBALS['csrf']['auto-session'] = true; /** * Whether or not csrf-magic should produce XHTML style tags. */ $GLOBALS['csrf']['xhtml'] = true; // FUNCTIONS: // Don't edit this! $GLOBALS['csrf']['version'] = '1.0.1'; /** * Rewrites
CSRF check failed. Please enable cookies.', $script . '', $buffer, $count); if (!$count) { $buffer .= $script; } } return $buffer; } /** * Checks if this is a post request, and if it is, checks if the nonce is valid. * @param bool $fatal Whether or not to fatally error out if there is a problem. * @return True if check passes or is not necessary, false if failure. */ function csrf_check($fatal = true) { if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true; csrf_start(); $name = $GLOBALS['csrf']['input-name']; $ok = false; $tokens = ''; do { if (!isset($_POST[$name])) break; // we don't regenerate a token and check it because some token creation // schemes are volatile. $tokens = $_POST[$name]; if (!csrf_check_tokens($tokens)) break; $ok = true; } while (false); if ($fatal && !$ok) { $callback = $GLOBALS['csrf']['callback']; if (trim($tokens, 'A..Za..z0..9:;,') !== '') $tokens = 'hidden'; $callback($tokens); exit; } return $ok; } /** * Retrieves a valid token(s) for a particular context. Tokens are separated * by semicolons. */ function csrf_get_tokens() { $has_cookies = !empty($_COOKIE); // $ip implements a composite key, which is sent if the user hasn't sent // any cookies. It may or may not be used, depending on whether or not // the cookies "stick" $secret = csrf_get_secret(); if (!$has_cookies && $secret) { // :TODO: Harden this against proxy-spoofing attacks $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']); } else { $ip = ''; } csrf_start(); // These are "strong" algorithms that don't require per se a secret if (session_id()) return 'sid:' . csrf_hash(session_id()) . $ip; if ($GLOBALS['csrf']['cookie']) { $val = csrf_generate_secret(); setcookie($GLOBALS['csrf']['cookie'], $val); return 'cookie:' . csrf_hash($val) . $ip; } if ($GLOBALS['csrf']['key']) return 'key:' . csrf_hash($GLOBALS['csrf']['key']) . $ip; // These further algorithms require a server-side secret if (!$secret) return 'invalid'; if ($GLOBALS['csrf']['user'] !== false) { return 'user:' . csrf_hash($GLOBALS['csrf']['user']); } if ($GLOBALS['csrf']['allow-ip']) { return ltrim($ip, ';'); } return 'invalid'; } /** * @param $tokens is safe for HTML consumption */ function csrf_callback($tokens) { header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden'); echo "