| blob | dfbd6d913212e073ccf2b69cbc18aaf164923f3f |
1 <?php
3 /**
4 * @file
5 *
6 * csrf-magic is a PHP library that makes adding CSRF-protection to your
7 * web applications a snap. No need to modify every form or create a database
8 * of valid nonces; just include this file at the top of every
9 * web-accessible page (or even better, your common include file included
10 * in every page), and forget about it! (There are, of course, configuration
11 * options for advanced users).
12 *
13 * This library is PHP4 and PHP5 compatible.
14 */
16 // CONFIGURATION:
18 /**
19 * Convenience parameter for disabling all of our functionality;
20 * equivalent to setting 'rewrite' to false and 'defer' to true.
21 */
24 /**
25 * By default, when you include this file csrf-magic will automatically check
26 * and exit if the CSRF token is invalid. This will defer executing
27 * csrf_check() until you're ready. You can also pass false as a parameter to
28 * that function, in which case the function will not exit but instead return
29 * a boolean false if the CSRF check failed. This allows for tighter integration
30 * with your system.
31 */
34 /**
35 * This is the amount of seconds you wish to allow before any token becomes
36 * invalid; the default is two hours, which should be more than enough for
37 * most websites.
38 */
41 /**
42 * Callback function to execute when there's the CSRF check fails and
43 * $fatal == true (see csrf_check). This will usually output an error message
44 * about the failure.
45 */
48 /**
49 * Whether or not to include our JavaScript library which also rewrites
50 * AJAX requests on this domain. Set this to the web path. This setting only works
51 * with supported JavaScript libraries in Internet Explorer; see README.txt for
52 * a list of supported libraries.
53 */
56 /**
57 * A secret key used when hashing items. Please generate a random string and
58 * place it here. If you change this value, all previously generated tokens
59 * will become invalid.
60 */
62 // nota bene: library code should use csrf_get_secret() and not access
63 // this global directly
65 /**
66 * Set this to false to disable csrf-magic's output handler, and therefore,
67 * its rewriting capabilities. If you're serving non HTML content, you should
68 * definitely set this false.
69 */
72 /**
73 * Whether or not to use IP addresses when binding a user to a token. This is
74 * less reliable and less secure than sessions, but is useful when you need
75 * to give facilities to anonymous users and do not wish to maintain a database
76 * of valid keys.
77 */
80 /**
81 * If this information is available, use the cookie by this name to determine
82 * whether or not to allow the request. This is a shortcut implementation
83 * very similar to 'key', but we randomly set the cookie ourselves.
84 */
87 /**
88 * If this information is available, set this to a unique identifier (it
89 * can be an integer or a unique username) for the current "user" of this
90 * application. The token will then be globally valid for all of that user's
91 * operations, but no one else. This requires that 'secret' be set.
92 */
95 /**
96 * This is an arbitrary secret value associated with the user's session. This
97 * will most probably be the contents of a cookie, as an attacker cannot easily
98 * determine this information. Warning: If the attacker knows this value, they
99 * can easily spoof a token. This is a generic implementation; sessions should
100 * work in most cases.
101 *
102 * Why would you want to use this? Lets suppose you have a squid cache for your
103 * website, and the presence of a session cookie bypasses it. Let's also say
104 * you allow anonymous users to interact with the website; submitting forms
105 * and AJAX. Previously, you didn't have any CSRF protection for anonymous users
106 * and so they never got sessions; you don't want to start using sessions either,
107 * otherwise you'll bypass the Squid cache. Setup a different cookie for CSRF
108 * tokens, and have Squid ignore that cookie for get requests, for anonymous
109 * users. (If you haven't guessed, this scheme was(?) used for MediaWiki).
110 */
113 /**
114 * The name of the magic CSRF token that will be placed in all forms, i.e.
115 * the contents of <input type="hidden" name="$name" value="CSRF-TOKEN" />
116 */
119 /**
120 * Set this to false if your site must work inside of frame/iframe elements,
121 * but do so at your own risk: this configuration protects you against CSS
122 * overlay attacks that defeat tokens.
123 */
126 /**
127 * Whether or not CSRF Magic should be allowed to start a new session in order
128 * to determine the key.
129 */
132 /**
133 * Whether or not csrf-magic should produce XHTML style tags.
134 */
137 // FUNCTIONS:
139 // Don't edit this!
142 /**
143 * Rewrites <form> on the fly to add CSRF tokens to them. This can also
144 * inject our JavaScript library.
145 */
147 // Even though the user told us to rewrite, we should do a quick heuristic
148 // to check if the page is *actually* HTML. We don't begin rewriting until
149 // we hit the first <html tag.
152 // not HTML until proven otherwise
157 }
158 }
163 $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
165 $buffer = str_ireplace('</head>', '<script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script></head>', $buffer);
166 }
174 $buffer
175 );
180 }
181 }
183 }
185 /**
186 * Checks if this is a post request, and if it is, checks if the nonce is valid.
187 * @param bool $fatal Whether or not to fatally error out if there is a problem.
188 * @return True if check passes or is not necessary, false if failure.
189 */
198 // we don't regenerate a token and check it because some token creation
199 // schemes are volatile.
209 }
211 }
213 /**
214 * Retrieves a valid token(s) for a particular context. Tokens are separated
215 * by semicolons.
216 */
220 // $ip implements a composite key, which is sent if the user hasn't sent
221 // any cookies. It may or may not be used, depending on whether or not
222 // the cookies "stick"
225 // :TODO: Harden this against proxy-spoofing attacks
229 }
232 // These are "strong" algorithms that don't require per se a secret
238 }
240 // These further algorithms require a server-side secret
244 }
247 }
249 }
255 }
257 }
264 }
266 }
268 /**
269 * @param $tokens is safe for HTML consumption
270 */
272 // (yes, $tokens is safe to echo without escaping)
277 $data .= '<input type="hidden" name="'.htmlspecialchars($key).'" value="'.htmlspecialchars($value).'" />';
278 }
280 <body>
281 <p>CSRF check failed. Your form session may have expired, or you may not have
282 cookies enabled.</p>
286 }
288 /**
289 * Checks if a composite token is valid. Outward facing code should use this
290 * instead of csrf_check_token()
291 */
296 }
298 }
300 /**
301 * Checks if a token is valid.
302 */
310 }
322 // We could disable these 'weaker' checks if 'key' was set, but
323 // that doesn't make me feel good then about the cookie-based
324 // implementation.
331 // do not allow IP-based checks if the username is set, or if
332 // the browser sent cookies
337 }
339 }
341 /**
342 * Sets a configuration value.
343 */
348 }
350 }
352 /**
353 * Starts a session if we're allowed to.
354 */
358 }
359 }
361 /**
362 * Retrieves the secret, and generates one if necessary.
363 */
372 }
379 }
381 }
383 /**
384 * Generates a random string as the hash of time, microtime, and mt_rand.
385 */
390 }
393 }
395 /**
396 * Generates a hash/expiry double. If time isn't set it will be calculated
397 * from the current time.
398 */
406 }
407 }
409 // Load user configuration
412 // Initialize our handler
414 // Perform check
416 }