CSRF and URL cleanup.

This commit is contained in:
flash 2023-07-11 20:51:24 +00:00
parent f025ee13d0
commit ba8115fe10
4 changed files with 9 additions and 24 deletions


@ -42,7 +42,6 @@ if($currentUserInfo->isSilenced()) {
return; return;
} }
header(CSRF::header());
$commentPerms = $currentUserInfo->commentPerms(); $commentPerms = $currentUserInfo->commentPerms();
$commentId = (int)filter_input(INPUT_GET, 'c', FILTER_SANITIZE_NUMBER_INT); $commentId = (int)filter_input(INPUT_GET, 'c', FILTER_SANITIZE_NUMBER_INT);


@ -81,8 +81,6 @@ if(in_array($moderationMode, $validModerationModes, true)) {
return; return;
} }
header(CSRF::header());
if(!UserSession::hasCurrent()) { if(!UserSession::hasCurrent()) {
echo render_info('You must be logged in to manage posts.', 401); echo render_info('You must be logged in to manage posts.', 401);
return; return;


@ -42,20 +42,12 @@ final class CSRF {
} }
// Should be replaced by filters eventually < // Should be replaced by filters eventually <
public static function header(...$args): string {
return 'X-Misuzu-CSRF: ' . self::token(...$args);
}
public static function validateRequest($identity = null, ?string $secretKey = null): bool { public static function validateRequest($identity = null, ?string $secretKey = null): bool {
if(isset($_SERVER['HTTP_X_MISUZU_CSRF'])) { $token = filter_input(INPUT_POST, '_csrf');
$token = $_SERVER['HTTP_X_MISUZU_CSRF']; if(empty($token))
} elseif(isset($_REQUEST['_csrf']) && is_string($_REQUEST['_csrf'])) { // Change this to $_POST later, it should never appear in urls $token = filter_input(INPUT_GET, 'csrf');
$token = $_REQUEST['_csrf']; if(empty($token))
} elseif(isset($_REQUEST['csrf']) && is_string($_REQUEST['csrf'])) {
$token = $_REQUEST['csrf'];
} else {
return false; return false;
}
return self::validate($token, $identity, $secretKey); return self::validate($token, $identity, $secretKey);
} }
// > // >
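Review bot: The rewritten validateRequest still accepts the token from the query string through `filter_input(INPUT_GET, 'csrf')`, even though the comment this commit deletes said the token should never appear in URLs; a GET-carried token leaks through Referer headers, proxy and server access logs and browser history, and a state-changing endpoint that validates on a URL parameter remains reachable from a crafted link. Unless a caller I cannot see depends on the GET form, drop the fallback so the body becomes `$token = filter_input(INPUT_POST, '_csrf'); if(!is_string($token) || $token === '') return false;`. The `is_string` check matters because filter_input returns false rather than a string when the parameter is submitted as an array (`_csrf[]=x`), and being explicit about that is clearer than relying on `empty()`. Removing the `HTTP_X_MISUZU_CSRF` branch also means any XHR/fetch client that sent the token as a request header now fails validation; those callers are not visible here, so confirm they post `_csrf` in the body instead.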


@ -128,21 +128,18 @@ define('MSZ_URLS', [
]); ]);
function url(string $name, array $variables = []): string { function url(string $name, array $variables = []): string {
if(!array_key_exists($name, MSZ_URLS)) { if(!array_key_exists($name, MSZ_URLS))
return ''; return '';
}
$info = MSZ_URLS[$name]; $info = MSZ_URLS[$name];
if(!isset($info[0]) || !is_string($info[0])) { if(!isset($info[0]) || !is_string($info[0]))
return ''; return '';
}
$splitUrl = explode('/', $info[0]); $splitUrl = explode('/', $info[0]);
for($i = 0; $i < count($splitUrl); $i++) { for($i = 0; $i < count($splitUrl); $i++)
$splitUrl[$i] = url_variable($splitUrl[$i], $variables); $splitUrl[$i] = url_variable($splitUrl[$i], $variables);
}
$url = implode('/', $splitUrl); $url = implode('/', $splitUrl);
@ -161,9 +158,8 @@ function url(string $name, array $variables = []): string {
$url = trim($url, '?&'); $url = trim($url, '?&');
} }
if(!empty($info[2]) && is_string($info[2])) { if(!empty($info[2]) && is_string($info[2]))
$url .= rtrim(sprintf('#%s', url_variable($info[2], $variables)), '#'); $url .= rtrim(sprintf('#%s', url_variable($info[2], $variables)), '#');
}
return $url; return $url;
} }
@ -181,7 +177,7 @@ function url_variable(string $value, array $variables): string {
return $variables[trim($value, '<>')] ?? ''; return $variables[trim($value, '<>')] ?? '';
if(str_starts_with($value, '[') && str_ends_with($value, ']')) if(str_starts_with($value, '[') && str_ends_with($value, ']'))
return constant(trim($value, '[]')); return '';
if(str_starts_with($value, '{') && str_ends_with($value, '}')) if(str_starts_with($value, '{') && str_ends_with($value, '}'))
return \Misuzu\CSRF::token(); return \Misuzu\CSRF::token();
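Review bot: url_variable now returns '' for a `[CONSTANT]` placeholder instead of resolving it, so any MSZ_URLS entry that still uses that form silently yields a URL with an empty path segment rather than an error; if the form is being retired, fail loudly with `throw new \InvalidArgumentException('Constant placeholders are no longer supported in URLs: ' . $value);` so a stale route definition surfaces in development instead of as a broken link. The `{}` branch still embeds `\Misuzu\CSRF::token()` directly into generated URLs, which is the same token-in-URL exposure (Referer, logs, history) that the comment deleted in the CSRF class warned about; until those routes move to POST, mark it with `// TODO: CSRF tokens in query strings leak via Referer/logs; convert these routes to POST`. url_variable's earlier branches begin above this hunk, so I cannot confirm whether the `[]` case is still reachable from any route table.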