Commit 6e31f486 authored by Côme Chilliet's avatar Côme Chilliet

:sparkles: feat(core) Reject CSRF based on HEADER values

issue #5840
Showing with 27 additions and 0 deletions
+27 -0
......@@ -29,6 +29,8 @@ class CSRFProtection
throw new Exception('CSRF protection token missing');
}
static::checkHeaders();
$validToken = static::getToken();
if ($_POST['CSRFtoken'] !== static::getToken()) {
throw new Exception('CSRF protection token invalid');
......@@ -42,4 +44,29 @@ class CSRFProtection
}
return session::get('CSRFtoken');
}
public static function checkHeaders()
{
$origin = FALSE;
if (!empty($_SERVER['HTTP_ORIGIN'])) {
$origin = $_SERVER['HTTP_ORIGIN'];
} elseif (!empty($_SERVER['HTTP_REFERER'])) {
$origin = $_SERVER['HTTP_REFERER'];
}
if ($origin) {
$origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin);
$target = FALSE;
if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$target = $_SERVER['HTTP_X_FORWARDED_HOST'];
} else
if (!empty($_SERVER['HTTP_HOST'])) {
$target = $_SERVER['HTTP_HOST'];
}
if ($target) {
if (!hash_equals($origin, $target)) {
  • :warning: Merge this if statement with the enclosing one. :blue_book:

    By Ghost User on 2018-06-04T14:48:31 (imported from GitLab)

throw new Exception('CSRF detected: origin and target are not matching ('.$origin.' != '.$target.')');
  • :warning: Define and throw a dedicated exception instead of using a generic one. :blue_book:

    By Ghost User on 2018-06-04T14:48:31 (imported from GitLab)

}
}
}
}
}
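Review bot: checkHeaders() silently accepts any request that carries neither an Origin nor a Referer header, since the whole comparison sits inside `if ($origin)`, and on the target side it prefers `HTTP_X_FORWARDED_HOST` over `HTTP_HOST` with no notion of a trusted proxy, so a deployment that is not behind a proxy rewriting that header ends up comparing the Origin host against a client-supplied value. Both choices may be intentional, but the method has no docblock saying so; I would add one above `public static function checkHeaders()` stating that requests without either header are not checked here and rely on the token check alone, and that X-Forwarded-Host is honoured whenever present, so it should only be exposed behind a proxy that sets it. Because `hash_equals` compares bytes, an Origin host and a Host header differing only in letter case would presumably be rejected as a mismatch; lowercasing both sides before the comparison looks wanted, though I have not checked whether the callers normalise them. A Referer or Origin that does not match the `[^/]+://([^/]+)` pattern (for example the literal `null` origin) is passed through `preg_replace` unchanged and then fails the comparison, which is the safe direction but worth a comment on the `preg_replace` line. The enclosing class CSRFProtection starts outside the hunk.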
  • SonarQube analysis reported 5 issues

    • :warning: 5 major

    Watch the comments in this conversation to review them.

    3 extra issues

    Note: The following issues were found on lines that were not modified in the commit. Because these issues can't be reported as line comments, they are summarized here:

    1. :warning: Define and throw a dedicated exception instead of using a generic one. :blue_book:
    2. :warning: Remove this unused "$validToken" local variable. :blue_book:
    3. :warning: Define and throw a dedicated exception instead of using a generic one. :blue_book:

    By Ghost User on 2018-06-04T14:48:32 (imported from GitLab)

  • bmortier @bmortier

    mentioned in commit 62ffce88

    By Côme Chilliet on 2018-06-13T12:46:14 (imported from GitLab)

  • bmortier @bmortier

    mentioned in merge request !296

    By Côme Chilliet on 2018-06-13T12:46:41 (imported from GitLab)

  • bmortier @bmortier

    mentioned in commit fd690297

    By Côme Chilliet on 2018-06-13T13:13:59 (imported from GitLab)

  • bmortier @bmortier

    mentioned in merge request !298

    By Côme Chilliet on 2018-06-13T13:14:19 (imported from GitLab)
