srchub-old

srchub-old Mercurial Source Tree


Root/pluf/src/Pluf/Middleware/Csrf.php

<?php
/* -*- tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
# ***** BEGIN LICENSE BLOCK *****
# This file is part of Plume Framework, a simple PHP Application Framework.
# Copyright (C) 2001-2007 Loic d'Anterroches and contributors.
#
# Plume Framework is free software; you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# Plume Framework is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
# ***** END LICENSE BLOCK ***** */

/**
 * Cross Site Request Forgery Middleware.
 *
 * This class provides a middleware that implements protection against
 * request forgeries from other sites. This middleware must be before
 * the Pluf_Middleware_Session middleware.
 *
 * Based on concepts from the Django CSRF middleware.
 */
class Pluf_Middleware_Csrf
{
    public static function makeToken($session_key)
    {
        return md5(Pluf::f('secret_key').$session_key);
    }

    /**
     * Process the request.
     *
     * When processing the request, if a POST request with a session,
     * we will check that the token is available and valid.
     *
     * @param Pluf_HTTP_Request The request
     * @return bool false
     */
    function process_request(&$request)
    {
        if ($request->method != 'POST') {
            return false;
        }
        $cookie_name = Pluf::f('session_cookie_id', 'sessionid');
        if (!isset($request->COOKIE[$cookie_name])) {
            // no session, nothing to do
            return false;
        }
        try {
            $data = Pluf_Middleware_Session::_decodeData($request->COOKIE[$cookie_name]);
        } catch (Exception $e) {
            // no valid session
            return false;
        }
        if (!isset($data['Pluf_Session_key'])) {
            // no session key
            return false;
        }
        $token = self::makeToken($data['Pluf_Session_key']);
        if (!isset($request->POST['csrfmiddlewaretoken'])) {
            return new Pluf_HTTP_Response_Forbidden($request);
        }
        if ($request->POST['csrfmiddlewaretoken'] != $token) {
            return new Pluf_HTTP_Response_Forbidden($request);
        }
        return false;
    }

    /**
     * Process the response of a view.
     *
     * If we find a POST form, add the token to it.
     *
     * @param Pluf_HTTP_Request The request
     * @param Pluf_HTTP_Response The response
     * @return Pluf_HTTP_Response The response
     */
    function process_response($request, $response)
    {
        $cookie_name = Pluf::f('session_cookie_id', 'sessionid');
        if (!isset($request->COOKIE[$cookie_name])) {
            // no session, nothing to do
            return $response;
        }
        if (!isset($response->headers['Content-Type'])) {
            return $response;
        }
        try {
            $data = Pluf_Middleware_Session::_decodeData($request->COOKIE[$cookie_name]);
        } catch (Exception $e) {
            // no valid session
            return $response;
        }
        if (!isset($data['Pluf_Session_key'])) {
            // no session key
            return $response;
        }
        $ok = false;
        $cts = array('text/html', 'application/xhtml+xml');
        foreach ($cts as $ct) {
            if (false !== strripos($response->headers['Content-Type'], $ct)) {
                $ok = true;
                break;
            }
        }
        if (!$ok) {
            return $response;
        }
        $token = self::makeToken($data['Pluf_Session_key']);
        $extra = '<div style="display:none;"><input type="hidden" name="csrfmiddlewaretoken" value="'.$token.'" /></div>';
        $response->content = preg_replace('/(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)/i', '$1'.$extra, $response->content);
        return $response;
    }
}
Source at commit 23012f799d08 created 10 years 19 days ago.
By Nathan Adams, Adding syntax highlighter to base.html

Archive Download this file

Branches

Tags

Page rendered in 1.78668s using 11 queries.