Override the CSRF validation to support the X-CSRF header.

This commit is contained in:
Alex Tselegidis 2021-10-29 13:06:56 +02:00
parent 3233c19571
commit d886f6db16

View file

@ -40,5 +40,59 @@
* @property EA_URI $uri * @property EA_URI $uri
*/ */
class EA_Security extends CI_Security { class EA_Security extends CI_Security {
// /**
* CSRF Verify
*
* @return CI_Security
*/
public function csrf_verify()
{
// If it's not a POST request we will set the CSRF cookie
if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
{
return $this->csrf_set_cookie();
}
// Check if URI has been whitelisted from CSRF checks
if ($exclude_uris = config_item('csrf_exclude_uris'))
{
$uri = load_class('URI', 'core');
foreach ($exclude_uris as $excluded)
{
if (preg_match('#^' . $excluded . '$#i' . (UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
{
return $this;
}
}
}
// Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate
$csrf_token = $_POST[$this->_csrf_token_name] ?? $_SERVER['HTTP_X_CSRF'] ?? NULL;
$valid = isset($csrf_token, $_COOKIE[$this->_csrf_cookie_name])
&& is_string($csrf_token) && is_string($_COOKIE[$this->_csrf_cookie_name])
&& hash_equals($csrf_token, $_COOKIE[$this->_csrf_cookie_name]);
// We kill this since we're done and we don't want to pollute the _POST array
unset($_POST[$this->_csrf_token_name]);
// Regenerate on every submission?
if (config_item('csrf_regenerate'))
{
// Nothing should last forever
unset($_COOKIE[$this->_csrf_cookie_name]);
$this->_csrf_hash = NULL;
}
$this->_csrf_set_hash();
$this->csrf_set_cookie();
if ($valid !== TRUE)
{
$this->csrf_show_error();
}
log_message('info', 'CSRF token verified');
return $this;
}
} }