feat(core) Reject CSRF based on HEADER values

issue #5840

feat(core) Reject CSRF based on HEADER values
issue #5840
6e31f486 · Côme Chilliet · d8dbd130 · 6e31f486
Commit 6e31f486 authored 6 years ago by Côme Chilliet
Hide whitespace changes
Inline Side-by-side

Showing

with 27 additions and 0 deletions
+27 -0
--- a/include/class_CSRFProtection.inc
+++ b/include/class_CSRFProtection.inc
@@ -29,6 +29,8 @@ class CSRFProtection
      throw new Exception('CSRF protection token missing');
    }

+    static::checkHeaders();
+
    $validToken = static::getToken();
    if ($_POST['CSRFtoken'] !== static::getToken()) {
      throw new Exception('CSRF protection token invalid');
@@ -42,4 +44,29 @@ class CSRFProtection
    }
    return session::get('CSRFtoken');
  }
+
+  public static function checkHeaders()
+  {
+    $origin = FALSE;
+    if (!empty($_SERVER['HTTP_ORIGIN'])) {
+      $origin = $_SERVER['HTTP_ORIGIN'];
+    } elseif (!empty($_SERVER['HTTP_REFERER'])) {
+      $origin = $_SERVER['HTTP_REFERER'];
+    }
+    if ($origin) {
+      $origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin);
+      $target = FALSE;
+      if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
+        $target = $_SERVER['HTTP_X_FORWARDED_HOST'];
+      } else
+      if (!empty($_SERVER['HTTP_HOST'])) {
+        $target = $_SERVER['HTTP_HOST'];
+      }
+      if ($target) {
+        if (!hash_equals($origin, $target)) {
+          throw new Exception('CSRF detected: origin and target are not matching ('.$origin.' != '.$target.')');
+        }
+      }
+    }
+  }
 }