Côme Chilliet authored
This replaces the save_object and execute methods by 3 methods: readPost - reads POST data; update - updates object state; render - renders the HTML UI. The point is to avoid reading POST and rendering HTML when this is not needed (when doing stuff through the webservice for instance). It’s also more consistent across FD, with all classes handling some kind of dialog implementing the new interface FusionDirectoryDialog, which makes sure these 3 methods are implemented. issue #6072
Unverified 94eaa6ba
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2017-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
class CSRFProtection
{
public static function check ()
{
if (empty($_POST)) {
return;
}
if (empty($_POST['CSRFtoken'])) {
throw new FusionDirectoryException('CSRF protection token missing');
}
static::checkHeaders();
if (!session::is_set('CSRFtoken')) {
throw new FusionDirectoryException('Unexpected CSRF protection token');
}
if ($_POST['CSRFtoken'] !== static::getToken()) {
throw new FusionDirectoryException('CSRF protection token invalid');
}
}
public static function getToken ()
{
if (!session::is_set('CSRFtoken')) {
session::set('CSRFtoken', standAlonePage::generateRandomHash());
}
return session::get('CSRFtoken');
}
public static function checkHeaders ()
{
$origin = FALSE;
if (!empty($_SERVER['HTTP_ORIGIN'])) {
$origin = $_SERVER['HTTP_ORIGIN'];
} elseif (!empty($_SERVER['HTTP_REFERER'])) {
$origin = $_SERVER['HTTP_REFERER'];
}
if ($origin) {
$origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin);
$target = FALSE;
if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
/* Only take the first value, there may be several separated by commas */
list($target) = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST'], 2);
} elseif (!empty($_SERVER['HTTP_HOST'])) {
$target = $_SERVER['HTTP_HOST'];
}
if ($target && !hash_equals($origin, $target)) {
throw new FusionDirectoryException('CSRF detected: origin and target are not matching ('.$origin.' != '.$target.')');
}
71727374
}
}
}
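Review bot: The token comparison `$_POST['CSRFtoken'] !== static::getToken()` in check() is a plain string comparison, while checkHeaders() a few lines below already uses hash_equals() for the origin/target pair; the secret itself should get the same constant-time treatment, and a non-string value (PHP turns `name[]` form fields into arrays) should be rejected before it reaches hash_equals(), which would otherwise raise a TypeError instead of the expected FusionDirectoryException. Proposed replacement for that line: `if (!is_string($_POST['CSRFtoken']) || !hash_equals(static::getToken(), $_POST['CSRFtoken'])) {`. Separately, check() returns as soon as `$_POST` is empty, so any state change driven only by query-string parameters is not covered by this class — whether such requests exist cannot be told from this file and is worth a comment on check(). checkHeaders() also trusts `HTTP_X_FORWARDED_HOST` from the request unconditionally, which is only meaningful when a reverse proxy in front of the application is known to set or strip that header; a comment stating that deployment assumption would help operators.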