flashii/misuzu
flashii/misuzu
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add temp CSRF functions, for reusage.

Browse source
This commit is contained in:
flash 2018-03-22 19:07:02 +01:00
parent b26ecb0d68
commit b5f14a1ef7
4 changed files with 23 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
public/auth.php
View file

@ -41,7 +41,7 @@ switch ($mode) {
} }
// this is temporary, don't scream at me for using md5 // this is temporary, don't scream at me for using md5
if (isset($_GET['s']) && md5($app->getSession()->session_key) === $_GET['s']) { if (isset($_GET['s']) && tmp_csrf_verify($_GET['s'])) {
set_cookie_m('uid', '', -3600); set_cookie_m('uid', '', -3600);
set_cookie_m('sid', '', -3600); set_cookie_m('sid', '', -3600);
$app->getSession()->delete(); $app->getSession()->delete();

1
src/Application.php
View file

@ -127,6 +127,7 @@ class Application extends ApplicationBase
$twig->addFunction('config', [$this->config, 'get']); $twig->addFunction('config', [$this->config, 'get']);
$twig->addFunction('git_hash', [Application::class, 'gitCommitHash']); $twig->addFunction('git_hash', [Application::class, 'gitCommitHash']);
$twig->addFunction('git_branch', [Application::class, 'gitBranch']); $twig->addFunction('git_branch', [Application::class, 'gitBranch']);
$twig->addFunction('csrf_token', 'tmp_csrf_token');
$twig->var('app', $this); $twig->var('app', $this);

20
utility.php
View file

@ -130,6 +130,26 @@ function get_country_name(string $code): string
} }
} }
// this is temporary, don't scream at me for using md5
// BIG TODO: make these functions not dependent on sessions so they can be used outside of those.
function tmp_csrf_verify(string $token, ?\Misuzu\Users\Session $session = null): bool
{
if ($session === null) {
$session = \Misuzu\Application::getInstance()->getSession();
}
return hash_equals(tmp_csrf_token($session), $token);
}
function tmp_csrf_token(?\Misuzu\Users\Session $session = null): string
{
if ($session === null) {
$session = \Misuzu\Application::getInstance()->getSession();
}
return md5($session->session_key);
}
function is_int_ex($value, int $boundary_low, int $boundary_high): bool function is_int_ex($value, int $boundary_low, int $boundary_high): bool
{ {
return is_int($value) && $value >= $boundary_low && $value <= $boundary_high; return is_int($value) && $value >= $boundary_low && $value <= $boundary_high;

2
views/auth/logout.twig
View file

@ -7,7 +7,7 @@
<p class="logout__paragraph">Press the button below to verify the logout request, otherwise click back in your browser or close this tab.</p> <p class="logout__paragraph">Press the button below to verify the logout request, otherwise click back in your browser or close this tab.</p>
</div> </div>
<div class="logout__buttons"> <div class="logout__buttons">
<a href="?m=logout&amp;s={{ app.session.session_key|md5 }}" class="button button--logout">Logout</a> <a href="?m=logout&amp;s={{ csrf_token() }}" class="button button--logout">Logout</a>
</div> </div>
</div> </div>
{% endblock %} {% endblock %}