diff --git a/src/Pluf/Middleware/Csrf.php b/src/Pluf/Middleware/Csrf.php new file mode 100644 index 0000000..a898d42 --- /dev/null +++ b/src/Pluf/Middleware/Csrf.php @@ -0,0 +1,121 @@ +method != 'POST') { + return false; + } + $cookie_name = Pluf::f('session_cookie_id', 'sessionid'); + if (!isset($request->COOKIE[$cookie_name])) { + // no session, nothing to do + return false; + } + try { + $data = Pluf_Middleware_Session::_decodeData($request->COOKIE[$cookie_name]); + } catch (Exception $e) { + // no valid session + return false; + } + if (!isset($data['Pluf_Session_key'])) { + // no session key + return false; + } + $token = self::makeToken($data['Pluf_Session_key']); + if (!isset($request->POST['csrfmiddlewaretoken'])) { + return new Pluf_HTTP_Response_Forbidden($request); + } + if ($request->POST['csrfmiddlewaretoken'] != $token) { + return new Pluf_HTTP_Response_Forbidden($request); + } + return false; + } + + /** + * Process the response of a view. + * + * If we find a POST form, add the token to it. + * + * @param Pluf_HTTP_Request The request + * @param Pluf_HTTP_Response The response + * @return Pluf_HTTP_Response The response + */ + function process_response($request, $response) + { + $cookie_name = Pluf::f('session_cookie_id', 'sessionid'); + if (!isset($request->COOKIE[$cookie_name])) { + // no session, nothing to do + return $response; + } + try { + $data = Pluf_Middleware_Session::_decodeData($request->COOKIE[$cookie_name]); + } catch (Exception $e) { + // no valid session + return $response; + } + if (!isset($data['Pluf_Session_key'])) { + // no session key + return $response; + } + $ok = false; + $cts = array('text/html', 'application/xhtml+xml'); + foreach ($cts as $ct) { + if (false !== strripos($response->headers['Content-Type'], $ct)) { + $ok = true; + break; + } + } + if (!$ok) { + return $response; + } + $token = self::makeToken($data['Pluf_Session_key']); + $extra = '
'; + $response->content = preg_replace('/(