CSRF and URL cleanup.
parent
f025ee13d0
commit
ba8115fe10
4 changed files with 9 additions and 24 deletions
|
@ -42,7 +42,6 @@ if($currentUserInfo->isSilenced()) {
|
|||
return;
|
||||
}
|
||||
|
||||
header(CSRF::header());
|
||||
$commentPerms = $currentUserInfo->commentPerms();
|
||||
|
||||
$commentId = (int)filter_input(INPUT_GET, 'c', FILTER_SANITIZE_NUMBER_INT);
|
||||
|
|
|
@ -81,8 +81,6 @@ if(in_array($moderationMode, $validModerationModes, true)) {
|
|||
return;
|
||||
}
|
||||
|
||||
header(CSRF::header());
|
||||
|
||||
if(!UserSession::hasCurrent()) {
|
||||
echo render_info('You must be logged in to manage posts.', 401);
|
||||
return;
|
||||
|
|
16
src/CSRF.php
16
src/CSRF.php
|
@ -42,20 +42,12 @@ final class CSRF {
|
|||
}
|
||||
|
||||
// Should be replaced by filters eventually <
|
||||
public static function header(...$args): string {
|
||||
return 'X-Misuzu-CSRF: ' . self::token(...$args);
|
||||
}
|
||||
public static function validateRequest($identity = null, ?string $secretKey = null): bool {
|
||||
if(isset($_SERVER['HTTP_X_MISUZU_CSRF'])) {
|
||||
$token = $_SERVER['HTTP_X_MISUZU_CSRF'];
|
||||
} elseif(isset($_REQUEST['_csrf']) && is_string($_REQUEST['_csrf'])) { // Change this to $_POST later, it should never appear in urls
|
||||
$token = $_REQUEST['_csrf'];
|
||||
} elseif(isset($_REQUEST['csrf']) && is_string($_REQUEST['csrf'])) {
|
||||
$token = $_REQUEST['csrf'];
|
||||
} else {
|
||||
$token = filter_input(INPUT_POST, '_csrf');
|
||||
if(empty($token))
|
||||
$token = filter_input(INPUT_GET, 'csrf');
|
||||
if(empty($token))
|
||||
return false;
|
||||
}
|
||||
|
||||
return self::validate($token, $identity, $secretKey);
|
||||
}
|
||||
// >
|
||||
|
|
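Review bot: validateRequest still accepts the token from the query string through the `filter_input(INPUT_GET, 'csrf')` fallback, so tokens can keep showing up in URLs (history, referrers, access logs) even though the inline comment this commit removes said they never should, and the url.php hunk appears to stop emitting them. If some GET-driven endpoints still depend on that path, a comment such as `// GET fallback kept for legacy links; drop once no route passes csrf= in the URL` would record the intent; otherwise restricting the lookup to INPUT_POST closes the gap. A minor side effect of `empty($token)` is that a literal '0' token is treated as missing; `if($token === null || $token === false || $token === '')` is the precise check. The new-side reconstruction here is inferred from the hunk's line counts, since the rendered page dropped the +/- markers.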
14
src/url.php
14
src/url.php
|
@ -128,21 +128,18 @@ define('MSZ_URLS', [
|
|||
]);
|
||||
|
||||
function url(string $name, array $variables = []): string {
|
||||
if(!array_key_exists($name, MSZ_URLS)) {
|
||||
if(!array_key_exists($name, MSZ_URLS))
|
||||
return '';
|
||||
}
|
||||
|
||||
$info = MSZ_URLS[$name];
|
||||
|
||||
if(!isset($info[0]) || !is_string($info[0])) {
|
||||
if(!isset($info[0]) || !is_string($info[0]))
|
||||
return '';
|
||||
}
|
||||
|
||||
$splitUrl = explode('/', $info[0]);
|
||||
|
||||
for($i = 0; $i < count($splitUrl); $i++) {
|
||||
for($i = 0; $i < count($splitUrl); $i++)
|
||||
$splitUrl[$i] = url_variable($splitUrl[$i], $variables);
|
||||
}
|
||||
|
||||
$url = implode('/', $splitUrl);
|
||||
|
||||
|
@ -161,9 +158,8 @@ function url(string $name, array $variables = []): string {
|
|||
$url = trim($url, '?&');
|
||||
}
|
||||
|
||||
if(!empty($info[2]) && is_string($info[2])) {
|
||||
if(!empty($info[2]) && is_string($info[2]))
|
||||
$url .= rtrim(sprintf('#%s', url_variable($info[2], $variables)), '#');
|
||||
}
|
||||
|
||||
return $url;
|
||||
}
|
||||
|
@ -181,7 +177,7 @@ function url_variable(string $value, array $variables): string {
|
|||
return $variables[trim($value, '<>')] ?? '';
|
||||
|
||||
if(str_starts_with($value, '[') && str_ends_with($value, ']'))
|
||||
return constant(trim($value, '[]'));
|
||||
return '';
|
||||
|
||||
if(str_starts_with($value, '{') && str_ends_with($value, '}'))
|
||||
return \Misuzu\CSRF::token();
|
||||
|
|
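Review bot: url_variable appears to lose its `{...}` branch (the `\Misuzu\CSRF::token()` return looks like the removed side), so any MSZ_URLS entry still written with that placeholder now falls through to `return '';` and silently yields a link without the token instead of failing loudly; checking the route table for `{` before merging, or emitting a `trigger_error` in the final fallthrough, would surface stale entries. With the contract now smaller the function deserves a docblock, e.g. `/** Expands one path segment: <name> is read from $variables, [NAME] resolves a PHP constant; anything else yields ''. */`, and it is worth noting there that `constant()` throws `\Error` for an undefined name in PHP 8. url_variable's signature and the start of its body lie above the hunk; the earlier two hunks in this file only drop braces around single-statement bodies.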