csrf-magic.php

   1 <?php
   2
   3 /**
   4  * @file
   5  *
   6  * csrf-magic is a PHP library that makes adding CSRF-protection to your
   7  * web applications a snap. No need to modify every form or create a database
   8  * of valid nonces; just include this file at the top of every
   9  * web-accessible page (or even better, your common include file included
  10  * in every page), and forget about it! (There are, of course, configuration
  11  * options for advanced users).
  12  *
  13  * This library is PHP4 and PHP5 compatible.
  14  */
  15
  16 // CONFIGURATION:
  17
  18 /**
  19  * The name of the magic CSRF token that will be placed in all forms, i.e.
  20  * the contents of <input type="hidden" name="$name" value="CSRF-TOKEN" />
  21  */
  22 $GLOBALS['csrf']['input-name'] = '__csrf';
  23
  24 /**
  25  * Whether or not CSRF Magic should be allowed to start a new session in order
  26  * to determine the key.
  27  */
  28 $GLOBALS['csrf']['auto-session'] = true;
  29
  30 /**
  31  * A secret key used when hashing items. Please generate a random string and
  32  * place it here. If you change this value, all previously generated tokens
  33  * will become invalid.
  34  */
  35 $GLOBALS['csrf']['secret'] = '';
  36
  37 /**
  38  * Whether or not to use IP addresses when binding a user to a token. This is
  39  * less reliable and less secure than sessions, but is useful when you need
  40  * to give facilities to anonymous users and do not wish to maintain a database
  41  * of valid keys.
  42  * @warning Not implemented yet
  43  */
  44 $GLOBALS['csrf']['allow-ip'] = true;
  45
  46 /**
  47  * Whether or not to include our JavaScript library which also rewrites
  48  * AJAX requests on this domain. Set this to the path.
  49  */
  50 $GLOBALS['csrf']['rewrite-js'] = false;
  51
  52 // FUNCTIONS:
  53
  54 /**
  55  * Rewrites <form> on the fly to add CSRF tokens to them. This can also
  56  * inject our JavaScript library.
  57  */
  58 function csrf_ob_handler($buffer, $flags) {
  59     $token = csrf_get_token();
  60     $name = $GLOBALS['csrf']['input-name'];
  61     $input = "<input type='hidden' name='$name' value=\"$token\" />";
  62     $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
  63     if ($js = $GLOBALS['csrf']['rewrite-js']) {
  64         $buffer = preg_replace(
  65             '#(</head>)#i',
  66             '<script type="text/javascript">'.
  67                 'var csrfMagicToken = "'.$token.'";'.
  68                 'var csrfMagicName = "'.$name.'";</script>'.
  69             '<script src="'.$js.'" type="text/javascript"></script>$1',
  70             $buffer
  71         );
  72     }
  73     return $buffer;
  74 }
  75
  76 /**
  77  * Checks if this is a post request, and if it is, checks if the nonce is valid.
  78  * @param bool $fatal Whether or not to fatally error out if there is a problem.
  79  */
  80 function csrf_check($fatal = true) {
  81     if ($_SERVER['REQUEST_METHOD'] !== 'POST') return;
  82     csrf_start();
  83     $name = $GLOBALS['csrf']['input-name'];
  84     $ok = false;
  85     do {
  86         if (!isset($_POST[$name])) break;
  87         if (!csrf_check_token($_POST[$name])) break;
  88         $ok = true;
  89     } while (false);
  90     if ($fatal && !$ok) {
  91         echo '<html><body>You failed CSRF protection</body></html>'.PHP_EOL;
  92         exit;
  93     }
  94 }
  95
  96 /**
  97  * Retrieves a valid token for a particular context.
  98  */
  99 function csrf_get_token() {
 100     $secret = $GLOBALS['csrf']['secret'];
 101     csrf_start();
 102     if (session_id()) return 'sid:' . sha1($secret . session_id());
 103     // Ok, session failed, let's see if we've got an IP address
 104
 105     // Uh-oh, you need some configuration!
 106     return 'invalid';
 107 }
 108
 109 /**
 110  * Checks if a token is valid.
 111  */
 112 function csrf_check_token($token) {
 113     if (strpos($token, ':') === false) return false;
 114     list($type, $value) = explode(':', $token, 2);
 115     $secret = $GLOBALS['csrf']['secret'];
 116     switch ($type) {
 117         case 'sid':
 118             return $value === sha1($secret . session_id());
 119         default:
 120             return false;
 121     }
 122     return false;
 123 }
 124
 125 /**
 126  * Sets a configuration value.
 127  */
 128 function csrf_conf($key, $val) {
 129     if (!isset($GLOBALS['csrf'][$key])) {
 130         trigger_error('No such configuration ' . $key, E_USER_WARNING);
 131         return;
 132     }
 133     $GLOBALS['csrf'][$key] = $val;
 134 }
 135
 136 /**
 137  * Starts a session if we're allowed to.
 138  */
 139 function csrf_start() {
 140     if ($GLOBALS['csrf']['auto-session'] && !session_id()) {
 141         session_start();
 142     }
 143 }
 144
 145 // Initialize our handler
 146 ob_start('csrf_ob_handler');
 147 // Load user configuration
 148 if (function_exists('csrf_startup')) csrf_startup();
 149 // Perform check
 150 csrf_check();