CSRF and URL cleanup.

This commit is contained in:
Pachira 2023-07-11 20:51:24 +00:00
parent f025ee13d0
commit ba8115fe10
4 changed files with 9 additions and 24 deletions

View file

@ -42,7 +42,6 @@ if($currentUserInfo->isSilenced()) {
return;
}
header(CSRF::header());
$commentPerms = $currentUserInfo->commentPerms();
$commentId = (int)filter_input(INPUT_GET, 'c', FILTER_SANITIZE_NUMBER_INT);

View file

@ -81,8 +81,6 @@ if(in_array($moderationMode, $validModerationModes, true)) {
return;
}
header(CSRF::header());
if(!UserSession::hasCurrent()) {
echo render_info('You must be logged in to manage posts.', 401);
return;

View file

@ -42,20 +42,12 @@ final class CSRF {
}
// Should be replaced by filters eventually <
public static function header(...$args): string {
return 'X-Misuzu-CSRF: ' . self::token(...$args);
}
public static function validateRequest($identity = null, ?string $secretKey = null): bool {
if(isset($_SERVER['HTTP_X_MISUZU_CSRF'])) {
$token = $_SERVER['HTTP_X_MISUZU_CSRF'];
} elseif(isset($_REQUEST['_csrf']) && is_string($_REQUEST['_csrf'])) { // Change this to $_POST later, it should never appear in urls
$token = $_REQUEST['_csrf'];
} elseif(isset($_REQUEST['csrf']) && is_string($_REQUEST['csrf'])) {
$token = $_REQUEST['csrf'];
} else {
$token = filter_input(INPUT_POST, '_csrf');
if(empty($token))
$token = filter_input(INPUT_GET, 'csrf');
if(empty($token))
return false;
}
return self::validate($token, $identity, $secretKey);
}
// >

View file

@ -128,21 +128,18 @@ define('MSZ_URLS', [
]);
function url(string $name, array $variables = []): string {
if(!array_key_exists($name, MSZ_URLS)) {
if(!array_key_exists($name, MSZ_URLS))
return '';
}
$info = MSZ_URLS[$name];
if(!isset($info[0]) || !is_string($info[0])) {
if(!isset($info[0]) || !is_string($info[0]))
return '';
}
$splitUrl = explode('/', $info[0]);
for($i = 0; $i < count($splitUrl); $i++) {
for($i = 0; $i < count($splitUrl); $i++)
$splitUrl[$i] = url_variable($splitUrl[$i], $variables);
}
$url = implode('/', $splitUrl);
@ -161,9 +158,8 @@ function url(string $name, array $variables = []): string {
$url = trim($url, '?&');
}
if(!empty($info[2]) && is_string($info[2])) {
if(!empty($info[2]) && is_string($info[2]))
$url .= rtrim(sprintf('#%s', url_variable($info[2], $variables)), '#');
}
return $url;
}
@ -181,7 +177,7 @@ function url_variable(string $value, array $variables): string {
return $variables[trim($value, '<>')] ?? '';
if(str_starts_with($value, '[') && str_ends_with($value, ']'))
return constant(trim($value, '[]'));
return '';
if(str_starts_with($value, '{') && str_ends_with($value, '}'))
return \Misuzu\CSRF::token();