Override the CSRF validation to support the X-CSRF header.
This commit is contained in:
parent
3233c19571
commit
d886f6db16
1 changed files with 55 additions and 1 deletions
|
@ -40,5 +40,59 @@
|
||||||
* @property EA_URI $uri
|
* @property EA_URI $uri
|
||||||
*/
|
*/
|
||||||
class EA_Security extends CI_Security {
|
class EA_Security extends CI_Security {
|
||||||
//
|
/**
|
||||||
|
* CSRF Verify
|
||||||
|
*
|
||||||
|
* @return CI_Security
|
||||||
|
*/
|
||||||
|
public function csrf_verify()
|
||||||
|
{
|
||||||
|
// If it's not a POST request we will set the CSRF cookie
|
||||||
|
if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
|
||||||
|
{
|
||||||
|
return $this->csrf_set_cookie();
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if URI has been whitelisted from CSRF checks
|
||||||
|
if ($exclude_uris = config_item('csrf_exclude_uris'))
|
||||||
|
{
|
||||||
|
$uri = load_class('URI', 'core');
|
||||||
|
foreach ($exclude_uris as $excluded)
|
||||||
|
{
|
||||||
|
if (preg_match('#^' . $excluded . '$#i' . (UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
|
||||||
|
{
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate
|
||||||
|
$csrf_token = $_POST[$this->_csrf_token_name] ?? $_SERVER['HTTP_X_CSRF'] ?? NULL;
|
||||||
|
|
||||||
|
$valid = isset($csrf_token, $_COOKIE[$this->_csrf_cookie_name])
|
||||||
|
&& is_string($csrf_token) && is_string($_COOKIE[$this->_csrf_cookie_name])
|
||||||
|
&& hash_equals($csrf_token, $_COOKIE[$this->_csrf_cookie_name]);
|
||||||
|
|
||||||
|
// We kill this since we're done and we don't want to pollute the _POST array
|
||||||
|
unset($_POST[$this->_csrf_token_name]);
|
||||||
|
|
||||||
|
// Regenerate on every submission?
|
||||||
|
if (config_item('csrf_regenerate'))
|
||||||
|
{
|
||||||
|
// Nothing should last forever
|
||||||
|
unset($_COOKIE[$this->_csrf_cookie_name]);
|
||||||
|
$this->_csrf_hash = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->_csrf_set_hash();
|
||||||
|
$this->csrf_set_cookie();
|
||||||
|
|
||||||
|
if ($valid !== TRUE)
|
||||||
|
{
|
||||||
|
$this->csrf_show_error();
|
||||||
|
}
|
||||||
|
|
||||||
|
log_message('info', 'CSRF token verified');
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
}
|
}
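Review bot: The early return on `if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')` means the new header-based check is only ever reached for POST, so a PUT, PATCH or DELETE request is never verified at all — it just gets a fresh cookie and passes. Accepting the token from `X-CSRF` is mainly useful for AJAX/JSON clients, which are exactly the ones that tend to use those methods, so the safe-method test should be an allow-list rather than "not POST": `if (in_array(strtoupper($_SERVER['REQUEST_METHOD']), ['GET', 'HEAD', 'OPTIONS'], TRUE))`. Whether the application actually routes state-changing requests over non-POST methods is not visible in this hunk, so confirm against the router before relying on the current behaviour. The docblock should also state the new contract, e.g. `* Accepts the CSRF token from the POST field or, as a fallback, from the X-CSRF request header; both are compared against the CSRF cookie.`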
|
||||||
|
|