1 | <?php
|
---|
2 |
|
---|
3 | /**
|
---|
4 | * @file
|
---|
5 | *
|
---|
6 | * csrf-magic is a PHP library that makes adding CSRF-protection to your
|
---|
7 | * web applications a snap. No need to modify every form or create a database
|
---|
8 | * of valid nonces; just include this file at the top of every
|
---|
9 | * web-accessible page (or even better, your common include file included
|
---|
10 | * in every page), and forget about it! (There are, of course, configuration
|
---|
11 | * options for advanced users).
|
---|
12 | *
|
---|
13 | * This library is PHP4 and PHP5 compatible.
|
---|
14 | */
|
---|
15 |
|
---|
16 | // CONFIGURATION:
|
---|
17 |
|
---|
18 | /**
|
---|
19 | * By default, when you include this file csrf-magic will automatically check
|
---|
20 | * and exit if the CSRF token is invalid. This will defer executing
|
---|
21 | * csrf_check() until you're ready. You can also pass false as a parameter to
|
---|
22 | * that function, in which case the function will not exit but instead return
|
---|
23 | * a boolean false if the CSRF check failed. This allows for tighter integration
|
---|
24 | * with your system.
|
---|
25 | */
|
---|
26 | $GLOBALS['csrf']['defer'] = false;
|
---|
27 |
|
---|
28 | /**
|
---|
29 | * This is the amount of seconds you wish to allow before any token becomes
|
---|
30 | * invalid; the default is two hours, which should be more than enough for
|
---|
31 | * most websites.
|
---|
32 | */
|
---|
33 | $GLOBALS['csrf']['expires'] = 7200;
|
---|
34 |
|
---|
35 | /**
|
---|
36 | * Callback function to execute when there's the CSRF check fails and
|
---|
37 | * $fatal == true (see csrf_check). This will usually output an error message
|
---|
38 | * about the failure.
|
---|
39 | */
|
---|
40 | $GLOBALS['csrf']['callback'] = 'csrf_callback';
|
---|
41 |
|
---|
42 | /**
|
---|
43 | * Whether or not to include our JavaScript library which also rewrites
|
---|
44 | * AJAX requests on this domain. Set this to the web path. This setting only works
|
---|
45 | * with supported JavaScript libraries in Internet Explorer; see README.txt for
|
---|
46 | * a list of supported libraries.
|
---|
47 | */
|
---|
48 | $GLOBALS['csrf']['rewrite-js'] = false;
|
---|
49 |
|
---|
50 | /**
|
---|
51 | * A secret key used when hashing items. Please generate a random string and
|
---|
52 | * place it here. If you change this value, all previously generated tokens
|
---|
53 | * will become invalid.
|
---|
54 | */
|
---|
55 | $GLOBALS['csrf']['secret'] = '';
|
---|
56 | // nota bene: library code should use csrf_get_secret() and not access
|
---|
57 | // this global directly
|
---|
58 |
|
---|
59 | /**
|
---|
60 | * Set this to false to disable csrf-magic's output handler, and therefore,
|
---|
61 | * its rewriting capabilities. If you're serving non HTML content, you should
|
---|
62 | * definitely set this false.
|
---|
63 | */
|
---|
64 | $GLOBALS['csrf']['rewrite'] = true;
|
---|
65 |
|
---|
66 | /**
|
---|
67 | * Whether or not to use IP addresses when binding a user to a token. This is
|
---|
68 | * less reliable and less secure than sessions, but is useful when you need
|
---|
69 | * to give facilities to anonymous users and do not wish to maintain a database
|
---|
70 | * of valid keys.
|
---|
71 | */
|
---|
72 | $GLOBALS['csrf']['allow-ip'] = true;
|
---|
73 |
|
---|
74 | /**
|
---|
75 | * If this information is available, use the cookie by this name to determine
|
---|
76 | * whether or not to allow the request. This is a shortcut implementation
|
---|
77 | * very similar to 'key', but we randomly set the cookie ourselves.
|
---|
78 | */
|
---|
79 | $GLOBALS['csrf']['cookie'] = '__csrf_cookie';
|
---|
80 |
|
---|
81 | /**
|
---|
82 | * If this information is available, set this to a unique identifier (it
|
---|
83 | * can be an integer or a unique username) for the current "user" of this
|
---|
84 | * application. The token will then be globally valid for all of that user's
|
---|
85 | * operations, but no one else. This requires that 'secret' be set.
|
---|
86 | */
|
---|
87 | $GLOBALS['csrf']['user'] = false;
|
---|
88 |
|
---|
89 | /**
|
---|
90 | * This is an arbitrary secret value associated with the user's session. This
|
---|
91 | * will most probably be the contents of a cookie, as an attacker cannot easily
|
---|
92 | * determine this information. Warning: If the attacker knows this value, they
|
---|
93 | * can easily spoof a token. This is a generic implementation; sessions should
|
---|
94 | * work in most cases.
|
---|
95 | *
|
---|
96 | * Why would you want to use this? Lets suppose you have a squid cache for your
|
---|
97 | * website, and the presence of a session cookie bypasses it. Let's also say
|
---|
98 | * you allow anonymous users to interact with the website; submitting forms
|
---|
99 | * and AJAX. Previously, you didn't have any CSRF protection for anonymous users
|
---|
100 | * and so they never got sessions; you don't want to start using sessions either,
|
---|
101 | * otherwise you'll bypass the Squid cache. Setup a different cookie for CSRF
|
---|
102 | * tokens, and have Squid ignore that cookie for get requests, for anonymous
|
---|
103 | * users. (If you haven't guessed, this scheme was(?) used for MediaWiki).
|
---|
104 | */
|
---|
105 | $GLOBALS['csrf']['key'] = false;
|
---|
106 |
|
---|
107 | /**
|
---|
108 | * The name of the magic CSRF token that will be placed in all forms, i.e.
|
---|
109 | * the contents of <input type="hidden" name="$name" value="CSRF-TOKEN" />
|
---|
110 | */
|
---|
111 | $GLOBALS['csrf']['input-name'] = '__csrf_magic';
|
---|
112 |
|
---|
113 | /**
|
---|
114 | * Set this to false if your site must work inside of frame/iframe elements,
|
---|
115 | * but do so at your own risk: this configuration protects you against CSS
|
---|
116 | * overlay attacks that defeat tokens.
|
---|
117 | */
|
---|
118 | $GLOBALS['csrf']['frame-breaker'] = true;
|
---|
119 |
|
---|
120 | /**
|
---|
121 | * Whether or not CSRF Magic should be allowed to start a new session in order
|
---|
122 | * to determine the key.
|
---|
123 | */
|
---|
124 | $GLOBALS['csrf']['auto-session'] = true;
|
---|
125 |
|
---|
126 | /**
|
---|
127 | * Whether or not csrf-magic should produce XHTML style tags.
|
---|
128 | */
|
---|
129 | $GLOBALS['csrf']['xhtml'] = true;
|
---|
130 |
|
---|
131 | // FUNCTIONS:
|
---|
132 |
|
---|
133 | // Don't edit this!
|
---|
134 | $GLOBALS['csrf']['version'] = '1.0.4';
|
---|
135 |
|
---|
136 | /**
|
---|
137 | * Rewrites <form> on the fly to add CSRF tokens to them. This can also
|
---|
138 | * inject our JavaScript library.
|
---|
139 | */
|
---|
140 | function csrf_ob_handler($buffer, $flags) {
|
---|
141 | // Even though the user told us to rewrite, we should do a quick heuristic
|
---|
142 | // to check if the page is *actually* HTML. We don't begin rewriting until
|
---|
143 | // we hit the first <html tag.
|
---|
144 | static $is_html = false;
|
---|
145 | if (!$is_html) {
|
---|
146 | // not HTML until proven otherwise
|
---|
147 | if (stripos($buffer, '<html') !== false) {
|
---|
148 | $is_html = true;
|
---|
149 | } else {
|
---|
150 | return $buffer;
|
---|
151 | }
|
---|
152 | }
|
---|
153 | $tokens = csrf_get_tokens();
|
---|
154 | $name = $GLOBALS['csrf']['input-name'];
|
---|
155 | $endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : '';
|
---|
156 | $input = "<input type='hidden' name='$name' value=\"$tokens\"$endslash>";
|
---|
157 | $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
|
---|
158 | if ($GLOBALS['csrf']['frame-breaker']) {
|
---|
159 | $buffer = str_ireplace('</head>', '<script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script></head>', $buffer);
|
---|
160 | }
|
---|
161 | if ($js = $GLOBALS['csrf']['rewrite-js']) {
|
---|
162 | $buffer = str_ireplace(
|
---|
163 | '</head>',
|
---|
164 | '<script type="text/javascript">'.
|
---|
165 | 'var csrfMagicToken = "'.$tokens.'";'.
|
---|
166 | 'var csrfMagicName = "'.$name.'";</script>'.
|
---|
167 | '<script src="'.$js.'" type="text/javascript"></script></head>',
|
---|
168 | $buffer
|
---|
169 | );
|
---|
170 | $script = '<script type="text/javascript">CsrfMagic.end();</script>';
|
---|
171 | $buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);
|
---|
172 | if (!$count) {
|
---|
173 | $buffer .= $script;
|
---|
174 | }
|
---|
175 | }
|
---|
176 | return $buffer;
|
---|
177 | }
|
---|
178 |
|
---|
179 | /**
|
---|
180 | * Checks if this is a post request, and if it is, checks if the nonce is valid.
|
---|
181 | * @param bool $fatal Whether or not to fatally error out if there is a problem.
|
---|
182 | * @return True if check passes or is not necessary, false if failure.
|
---|
183 | */
|
---|
184 | function csrf_check($fatal = true) {
|
---|
185 | if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true;
|
---|
186 | csrf_start();
|
---|
187 | $name = $GLOBALS['csrf']['input-name'];
|
---|
188 | $ok = false;
|
---|
189 | $tokens = '';
|
---|
190 | do {
|
---|
191 | if (!isset($_POST[$name])) break;
|
---|
192 | // we don't regenerate a token and check it because some token creation
|
---|
193 | // schemes are volatile.
|
---|
194 | $tokens = $_POST[$name];
|
---|
195 | if (!csrf_check_tokens($tokens)) break;
|
---|
196 | $ok = true;
|
---|
197 | } while (false);
|
---|
198 | if ($fatal && !$ok) {
|
---|
199 | $callback = $GLOBALS['csrf']['callback'];
|
---|
200 | if (trim($tokens, 'A..Za..z0..9:;,') !== '') $tokens = 'hidden';
|
---|
201 | $callback($tokens);
|
---|
202 | exit;
|
---|
203 | }
|
---|
204 | return $ok;
|
---|
205 | }
|
---|
206 |
|
---|
207 | /**
|
---|
208 | * Retrieves a valid token(s) for a particular context. Tokens are separated
|
---|
209 | * by semicolons.
|
---|
210 | */
|
---|
211 | function csrf_get_tokens() {
|
---|
212 | $has_cookies = !empty($_COOKIE);
|
---|
213 |
|
---|
214 | // $ip implements a composite key, which is sent if the user hasn't sent
|
---|
215 | // any cookies. It may or may not be used, depending on whether or not
|
---|
216 | // the cookies "stick"
|
---|
217 | $secret = csrf_get_secret();
|
---|
218 | if (!$has_cookies && $secret) {
|
---|
219 | // :TODO: Harden this against proxy-spoofing attacks
|
---|
220 | $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
|
---|
221 | $ip = ';ip:' . csrf_hash($IP_ADDRESS);
|
---|
222 | } else {
|
---|
223 | $ip = '';
|
---|
224 | }
|
---|
225 | csrf_start();
|
---|
226 |
|
---|
227 | // These are "strong" algorithms that don't require per se a secret
|
---|
228 | if (session_id()) return 'sid:' . csrf_hash(session_id()) . $ip;
|
---|
229 | if ($GLOBALS['csrf']['cookie']) {
|
---|
230 | $val = csrf_generate_secret();
|
---|
231 | setcookie($GLOBALS['csrf']['cookie'], $val);
|
---|
232 | return 'cookie:' . csrf_hash($val) . $ip;
|
---|
233 | }
|
---|
234 | if ($GLOBALS['csrf']['key']) return 'key:' . csrf_hash($GLOBALS['csrf']['key']) . $ip;
|
---|
235 | // These further algorithms require a server-side secret
|
---|
236 | if (!$secret) return 'invalid';
|
---|
237 | if ($GLOBALS['csrf']['user'] !== false) {
|
---|
238 | return 'user:' . csrf_hash($GLOBALS['csrf']['user']);
|
---|
239 | }
|
---|
240 | if ($GLOBALS['csrf']['allow-ip']) {
|
---|
241 | return ltrim($ip, ';');
|
---|
242 | }
|
---|
243 | return 'invalid';
|
---|
244 | }
|
---|
245 |
|
---|
246 | function csrf_flattenpost($data) {
|
---|
247 | $ret = array();
|
---|
248 | foreach($data as $n => $v) {
|
---|
249 | $ret = array_merge($ret, csrf_flattenpost2(1, $n, $v));
|
---|
250 | }
|
---|
251 | return $ret;
|
---|
252 | }
|
---|
253 | function csrf_flattenpost2($level, $key, $data) {
|
---|
254 | if(!is_array($data)) return array($key => $data);
|
---|
255 | $ret = array();
|
---|
256 | foreach($data as $n => $v) {
|
---|
257 | $nk = $level >= 1 ? $key."[$n]" : "[$n]";
|
---|
258 | $ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v));
|
---|
259 | }
|
---|
260 | return $ret;
|
---|
261 | }
|
---|
262 |
|
---|
263 | /**
|
---|
264 | * @param $tokens is safe for HTML consumption
|
---|
265 | */
|
---|
266 | function csrf_callback($tokens) {
|
---|
267 | // (yes, $tokens is safe to echo without escaping)
|
---|
268 | header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
|
---|
269 | $data = '';
|
---|
270 | foreach (csrf_flattenpost($_POST) as $key => $value) {
|
---|
271 | if ($key == $GLOBALS['csrf']['input-name']) continue;
|
---|
272 | $data .= '<input type="hidden" name="'.htmlspecialchars($key).'" value="'.htmlspecialchars($value).'" />';
|
---|
273 | }
|
---|
274 | echo "<html><head><title>CSRF check failed</title></head>
|
---|
275 | <body>
|
---|
276 | <p>CSRF check failed. Your form session may have expired, or you may not have
|
---|
277 | cookies enabled.</p>
|
---|
278 | <form method='post' action=''>$data<input type='submit' value='Try again' /></form>
|
---|
279 | <p>Debug: $tokens</p></body></html>
|
---|
280 | ";
|
---|
281 | }
|
---|
282 |
|
---|
283 | /**
|
---|
284 | * Checks if a composite token is valid. Outward facing code should use this
|
---|
285 | * instead of csrf_check_token()
|
---|
286 | */
|
---|
287 | function csrf_check_tokens($tokens) {
|
---|
288 | if (is_string($tokens)) $tokens = explode(';', $tokens);
|
---|
289 | foreach ($tokens as $token) {
|
---|
290 | if (csrf_check_token($token)) return true;
|
---|
291 | }
|
---|
292 | return false;
|
---|
293 | }
|
---|
294 |
|
---|
295 | /**
|
---|
296 | * Checks if a token is valid.
|
---|
297 | */
|
---|
298 | function csrf_check_token($token) {
|
---|
299 | if (strpos($token, ':') === false) return false;
|
---|
300 | list($type, $value) = explode(':', $token, 2);
|
---|
301 | if (strpos($value, ',') === false) return false;
|
---|
302 | list($x, $time) = explode(',', $token, 2);
|
---|
303 | if ($GLOBALS['csrf']['expires']) {
|
---|
304 | if (time() > $time + $GLOBALS['csrf']['expires']) return false;
|
---|
305 | }
|
---|
306 | switch ($type) {
|
---|
307 | case 'sid':
|
---|
308 | return $value === csrf_hash(session_id(), $time);
|
---|
309 | case 'cookie':
|
---|
310 | $n = $GLOBALS['csrf']['cookie'];
|
---|
311 | if (!$n) return false;
|
---|
312 | if (!isset($_COOKIE[$n])) return false;
|
---|
313 | return $value === csrf_hash($_COOKIE[$n], $time);
|
---|
314 | case 'key':
|
---|
315 | if (!$GLOBALS['csrf']['key']) return false;
|
---|
316 | return $value === csrf_hash($GLOBALS['csrf']['key'], $time);
|
---|
317 | // We could disable these 'weaker' checks if 'key' was set, but
|
---|
318 | // that doesn't make me feel good then about the cookie-based
|
---|
319 | // implementation.
|
---|
320 | case 'user':
|
---|
321 | if (!csrf_get_secret()) return false;
|
---|
322 | if ($GLOBALS['csrf']['user'] === false) return false;
|
---|
323 | return $value === csrf_hash($GLOBALS['csrf']['user'], $time);
|
---|
324 | case 'ip':
|
---|
325 | if (!csrf_get_secret()) return false;
|
---|
326 | // do not allow IP-based checks if the username is set, or if
|
---|
327 | // the browser sent cookies
|
---|
328 | if ($GLOBALS['csrf']['user'] !== false) return false;
|
---|
329 | if (!empty($_COOKIE)) return false;
|
---|
330 | if (!$GLOBALS['csrf']['allow-ip']) return false;
|
---|
331 | $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
|
---|
332 | return $value === csrf_hash($IP_ADDRESS, $time);
|
---|
333 | }
|
---|
334 | return false;
|
---|
335 | }
|
---|
336 |
|
---|
337 | /**
|
---|
338 | * Sets a configuration value.
|
---|
339 | */
|
---|
340 | function csrf_conf($key, $val) {
|
---|
341 | if (!isset($GLOBALS['csrf'][$key])) {
|
---|
342 | trigger_error('No such configuration ' . $key, E_USER_WARNING);
|
---|
343 | return;
|
---|
344 | }
|
---|
345 | $GLOBALS['csrf'][$key] = $val;
|
---|
346 | }
|
---|
347 |
|
---|
348 | /**
|
---|
349 | * Starts a session if we're allowed to.
|
---|
350 | */
|
---|
351 | function csrf_start() {
|
---|
352 | if ($GLOBALS['csrf']['auto-session'] && !session_id()) {
|
---|
353 | session_start();
|
---|
354 | }
|
---|
355 | }
|
---|
356 |
|
---|
357 | /**
|
---|
358 | * Retrieves the secret, and generates one if necessary.
|
---|
359 | */
|
---|
360 | function csrf_get_secret() {
|
---|
361 | if ($GLOBALS['csrf']['secret']) return $GLOBALS['csrf']['secret'];
|
---|
362 | $dir = dirname(__FILE__);
|
---|
363 | $file = $dir . '/csrf-secret.php';
|
---|
364 | $secret = '';
|
---|
365 | if (file_exists($file)) {
|
---|
366 | include $file;
|
---|
367 | return $secret;
|
---|
368 | }
|
---|
369 | if (is_writable($dir)) {
|
---|
370 | $secret = csrf_generate_secret();
|
---|
371 | $fh = fopen($file, 'w');
|
---|
372 | fwrite($fh, '<?php $secret = "'.$secret.'";' . PHP_EOL);
|
---|
373 | fclose($fh);
|
---|
374 | return $secret;
|
---|
375 | }
|
---|
376 | return '';
|
---|
377 | }
|
---|
378 |
|
---|
379 | /**
|
---|
380 | * Generates a random string as the hash of time, microtime, and mt_rand.
|
---|
381 | */
|
---|
382 | function csrf_generate_secret($len = 32) {
|
---|
383 | $r = '';
|
---|
384 | for ($i = 0; $i < $len; $i++) {
|
---|
385 | $r .= chr(mt_rand(0, 255));
|
---|
386 | }
|
---|
387 | $r .= time() . microtime();
|
---|
388 | return sha1($r);
|
---|
389 | }
|
---|
390 |
|
---|
391 | /**
|
---|
392 | * Generates a hash/expiry double. If time isn't set it will be calculated
|
---|
393 | * from the current time.
|
---|
394 | */
|
---|
395 | function csrf_hash($value, $time = null) {
|
---|
396 | if (!$time) $time = time();
|
---|
397 | return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
|
---|
398 | }
|
---|
399 |
|
---|
400 | // Load user configuration
|
---|
401 | if (function_exists('csrf_startup')) csrf_startup();
|
---|
402 | // Initialize our handler
|
---|
403 | if ($GLOBALS['csrf']['rewrite']) ob_start('csrf_ob_handler');
|
---|
404 | // Perform check
|
---|
405 | if (!$GLOBALS['csrf']['defer']) csrf_check();
|
---|