Commit 6e31f486 authored by Côme Chilliet's avatar Côme Chilliet

feat(core) Reject CSRF based on HEADER values

issue #5840
parent d8dbd130
......@@ -29,6 +29,8 @@ class CSRFProtection
throw new Exception('CSRF protection token missing');
}
static::checkHeaders();
$validToken = static::getToken();
if ($_POST['CSRFtoken'] !== static::getToken()) {
throw new Exception('CSRF protection token invalid');
......@@ -42,4 +44,29 @@ class CSRFProtection
}
return session::get('CSRFtoken');
}
public static function checkHeaders()
{
$origin = FALSE;
if (!empty($_SERVER['HTTP_ORIGIN'])) {
$origin = $_SERVER['HTTP_ORIGIN'];
} elseif (!empty($_SERVER['HTTP_REFERER'])) {
$origin = $_SERVER['HTTP_REFERER'];
}
if ($origin) {
$origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin);
$target = FALSE;
if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$target = $_SERVER['HTTP_X_FORWARDED_HOST'];
} else
if (!empty($_SERVER['HTTP_HOST'])) {
$target = $_SERVER['HTTP_HOST'];
}
if ($target) {
if (!hash_equals($origin, $target)) {
  • Merge this if statement with the enclosing one. 📘

throw new Exception('CSRF detected: origin and target are not matching ('.$origin.' != '.$target.')');
  • Define and throw a dedicated exception instead of using a generic one. 📘

}
}
}
}
}
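Review bot: A request that carries neither Origin nor Referer passes checkHeaders() without any comparison at all, because `$origin` stays `FALSE` and the whole `if ($origin)` block is skipped; that may be a deliberate fail-open for clients that strip those headers, but nothing in the method says so, and a reader cannot tell whether it is intended or an oversight. Taking the target from `HTTP_X_FORWARDED_HOST` ahead of `HTTP_HOST` also means the comparison relies on a header that is only meaningful when a trusted reverse proxy sets it, which is worth stating for deployments that run without one. I would add a docblock on checkHeaders() describing the contract, e.g. `/** Throws when the host part of Origin (or, failing that, Referer) differs from X-Forwarded-Host/Host; performs no check when neither source header is present. @throws Exception */`. Whether absent headers should instead be rejected for state-changing requests is a policy decision the commit message does not address, so I would at least log that branch.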
  • SonarQube analysis reported 5 issues

    • 5 major

    Watch the comments in this conversation to review them.

    3 extra issues

    Note: The following issues were found on lines that were not modified in the commit. Because these issues can't be reported as line comments, they are summarized here:

    1. Define and throw a dedicated exception instead of using a generic one. 📘
    2. Remove this unused "$validToken" local variable. 📘
    3. Define and throw a dedicated exception instead of using a generic one. 📘
  • mentioned in commit 62ffce88

  • mentioned in commit fd690297
