CSRF and URL cleanup.
This commit is contained in:
parent
f025ee13d0
commit
ba8115fe10
4 changed files with 9 additions and 24 deletions
|
@ -42,7 +42,6 @@ if($currentUserInfo->isSilenced()) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
header(CSRF::header());
|
|
||||||
$commentPerms = $currentUserInfo->commentPerms();
|
$commentPerms = $currentUserInfo->commentPerms();
|
||||||
|
|
||||||
$commentId = (int)filter_input(INPUT_GET, 'c', FILTER_SANITIZE_NUMBER_INT);
|
$commentId = (int)filter_input(INPUT_GET, 'c', FILTER_SANITIZE_NUMBER_INT);
|
||||||
|
|
|
@ -81,8 +81,6 @@ if(in_array($moderationMode, $validModerationModes, true)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
header(CSRF::header());
|
|
||||||
|
|
||||||
if(!UserSession::hasCurrent()) {
|
if(!UserSession::hasCurrent()) {
|
||||||
echo render_info('You must be logged in to manage posts.', 401);
|
echo render_info('You must be logged in to manage posts.', 401);
|
||||||
return;
|
return;
|
||||||
|
|
16
src/CSRF.php
16
src/CSRF.php
|
@ -42,20 +42,12 @@ final class CSRF {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Should be replaced by filters eventually <
|
// Should be replaced by filters eventually <
|
||||||
public static function header(...$args): string {
|
|
||||||
return 'X-Misuzu-CSRF: ' . self::token(...$args);
|
|
||||||
}
|
|
||||||
public static function validateRequest($identity = null, ?string $secretKey = null): bool {
|
public static function validateRequest($identity = null, ?string $secretKey = null): bool {
|
||||||
if(isset($_SERVER['HTTP_X_MISUZU_CSRF'])) {
|
$token = filter_input(INPUT_POST, '_csrf');
|
||||||
$token = $_SERVER['HTTP_X_MISUZU_CSRF'];
|
if(empty($token))
|
||||||
} elseif(isset($_REQUEST['_csrf']) && is_string($_REQUEST['_csrf'])) { // Change this to $_POST later, it should never appear in urls
|
$token = filter_input(INPUT_GET, 'csrf');
|
||||||
$token = $_REQUEST['_csrf'];
|
if(empty($token))
|
||||||
} elseif(isset($_REQUEST['csrf']) && is_string($_REQUEST['csrf'])) {
|
|
||||||
$token = $_REQUEST['csrf'];
|
|
||||||
} else {
|
|
||||||
return false;
|
return false;
|
||||||
}
|
|
||||||
|
|
||||||
return self::validate($token, $identity, $secretKey);
|
return self::validate($token, $identity, $secretKey);
|
||||||
}
|
}
|
||||||
// >
|
// >
|
||||||
|
|
14
src/url.php
14
src/url.php
|
@ -128,21 +128,18 @@ define('MSZ_URLS', [
|
||||||
]);
|
]);
|
||||||
|
|
||||||
function url(string $name, array $variables = []): string {
|
function url(string $name, array $variables = []): string {
|
||||||
if(!array_key_exists($name, MSZ_URLS)) {
|
if(!array_key_exists($name, MSZ_URLS))
|
||||||
return '';
|
return '';
|
||||||
}
|
|
||||||
|
|
||||||
$info = MSZ_URLS[$name];
|
$info = MSZ_URLS[$name];
|
||||||
|
|
||||||
if(!isset($info[0]) || !is_string($info[0])) {
|
if(!isset($info[0]) || !is_string($info[0]))
|
||||||
return '';
|
return '';
|
||||||
}
|
|
||||||
|
|
||||||
$splitUrl = explode('/', $info[0]);
|
$splitUrl = explode('/', $info[0]);
|
||||||
|
|
||||||
for($i = 0; $i < count($splitUrl); $i++) {
|
for($i = 0; $i < count($splitUrl); $i++)
|
||||||
$splitUrl[$i] = url_variable($splitUrl[$i], $variables);
|
$splitUrl[$i] = url_variable($splitUrl[$i], $variables);
|
||||||
}
|
|
||||||
|
|
||||||
$url = implode('/', $splitUrl);
|
$url = implode('/', $splitUrl);
|
||||||
|
|
||||||
|
@ -161,9 +158,8 @@ function url(string $name, array $variables = []): string {
|
||||||
$url = trim($url, '?&');
|
$url = trim($url, '?&');
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!empty($info[2]) && is_string($info[2])) {
|
if(!empty($info[2]) && is_string($info[2]))
|
||||||
$url .= rtrim(sprintf('#%s', url_variable($info[2], $variables)), '#');
|
$url .= rtrim(sprintf('#%s', url_variable($info[2], $variables)), '#');
|
||||||
}
|
|
||||||
|
|
||||||
return $url;
|
return $url;
|
||||||
}
|
}
|
||||||
|
@ -181,7 +177,7 @@ function url_variable(string $value, array $variables): string {
|
||||||
return $variables[trim($value, '<>')] ?? '';
|
return $variables[trim($value, '<>')] ?? '';
|
||||||
|
|
||||||
if(str_starts_with($value, '[') && str_ends_with($value, ']'))
|
if(str_starts_with($value, '[') && str_ends_with($value, ']'))
|
||||||
return constant(trim($value, '[]'));
|
return '';
|
||||||
|
|
||||||
if(str_starts_with($value, '{') && str_ends_with($value, '}'))
|
if(str_starts_with($value, '{') && str_ends_with($value, '}'))
|
||||||
return \Misuzu\CSRF::token();
|
return \Misuzu\CSRF::token();
|
||||||
|
|
Loading…
Reference in a new issue