interface/modules/zend_modules/library/Zend/Validator/Csrf.php

   1 <?php
   2 /**
   3  * Zend Framework (http://framework.zend.com/)
   4  *
   5  * @link      http://github.com/zendframework/zf2 for the canonical source repository
   6  * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
   7  * @license   http://framework.zend.com/license/new-bsd New BSD License
   8  */
   9
  10 namespace Zend\Validator;
  11
  12 use Traversable;
  13 use Zend\Math\Rand;
  14 use Zend\Session\Container as SessionContainer;
  15 use Zend\Stdlib\ArrayUtils;
  16
  17 class Csrf extends AbstractValidator
  18 {
  19     /**
  20      * Error codes
  21      * @const string
  22      */
  23     const NOT_SAME = 'notSame';
  24
  25     /**
  26      * Error messages
  27      * @var array
  28      */
  29     protected $messageTemplates = array(
  30         self::NOT_SAME => "The form submitted did not originate from the expected site",
  31     );
  32
  33     /**
  34      * Actual hash used.
  35      *
  36      * @var mixed
  37      */
  38     protected $hash;
  39
  40     /**
  41      * Static cache of the session names to generated hashes
  42      *
  43      * @var array
  44      */
  45     protected static $hashCache;
  46
  47     /**
  48      * Name of CSRF element (used to create non-colliding hashes)
  49      *
  50      * @var string
  51      */
  52     protected $name = 'csrf';
  53
  54     /**
  55      * Salt for CSRF token
  56      * @var string
  57      */
  58     protected $salt = 'salt';
  59
  60     /**
  61      * @var SessionContainer
  62      */
  63     protected $session;
  64
  65     /**
  66      * TTL for CSRF token
  67      * @var int|null
  68      */
  69     protected $timeout = 300;
  70
  71     /**
  72      * Constructor
  73      *
  74      * @param  array|Traversable $options
  75      */
  76     public function __construct($options = array())
  77     {
  78         parent::__construct($options);
  79
  80         if ($options instanceof Traversable) {
  81             $options = ArrayUtils::iteratorToArray($options);
  82         }
  83
  84         if (!is_array($options)) {
  85             $options = (array) $options;
  86         }
  87
  88         foreach ($options as $key => $value) {
  89             switch (strtolower($key)) {
  90                 case 'name':
  91                     $this->setName($value);
  92                     break;
  93                 case 'salt':
  94                     $this->setSalt($value);
  95                     break;
  96                 case 'session':
  97                     $this->setSession($value);
  98                     break;
  99                 case 'timeout':
 100                     $this->setTimeout($value);
 101                     break;
 102                 default:
 103                     // ignore unknown options
 104                     break;
 105             }
 106         }
 107     }
 108
 109     /**
 110      * Does the provided token match the one generated?
 111      *
 112      * @param  string $value
 113      * @param  mixed $context
 114      * @return bool
 115      */
 116     public function isValid($value, $context = null)
 117     {
 118         $this->setValue((string) $value);
 119
 120         $hash = $this->getValidationToken();
 121
 122         if ($value !== $hash) {
 123             $this->error(self::NOT_SAME);
 124             return false;
 125         }
 126
 127         return true;
 128     }
 129
 130     /**
 131      * Set CSRF name
 132      *
 133      * @param  string $name
 134      * @return Csrf
 135      */
 136     public function setName($name)
 137     {
 138         $this->name = (string) $name;
 139         return $this;
 140     }
 141
 142     /**
 143      * Get CSRF name
 144      *
 145      * @return string
 146      */
 147     public function getName()
 148     {
 149         return $this->name;
 150     }
 151
 152     /**
 153      * Set session container
 154      *
 155      * @param  SessionContainer $session
 156      * @return Csrf
 157      */
 158     public function setSession(SessionContainer $session)
 159     {
 160         $this->session = $session;
 161         if ($this->hash) {
 162             $this->initCsrfToken();
 163         }
 164         return $this;
 165     }
 166
 167     /**
 168      * Get session container
 169      *
 170      * Instantiate session container if none currently exists
 171      *
 172      * @return SessionContainer
 173      */
 174     public function getSession()
 175     {
 176         if (null === $this->session) {
 177             // Using fully qualified name, to ensure polyfill class alias is used
 178             $this->session = new SessionContainer($this->getSessionName());
 179         }
 180         return $this->session;
 181     }
 182
 183     /**
 184      * Salt for CSRF token
 185      *
 186      * @param  string $salt
 187      * @return Csrf
 188      */
 189     public function setSalt($salt)
 190     {
 191         $this->salt = (string) $salt;
 192         return $this;
 193     }
 194
 195     /**
 196      * Retrieve salt for CSRF token
 197      *
 198      * @return string
 199      */
 200     public function getSalt()
 201     {
 202         return $this->salt;
 203     }
 204
 205     /**
 206      * Retrieve CSRF token
 207      *
 208      * If no CSRF token currently exists, or should be regenerated,
 209      * generates one.
 210      *
 211      * @param  bool $regenerate    default false
 212      * @return string
 213      */
 214     public function getHash($regenerate = false)
 215     {
 216         if ((null === $this->hash) || $regenerate) {
 217             if ($regenerate) {
 218                 $this->hash = null;
 219             } else {
 220                 $this->hash = $this->getValidationToken();
 221             }
 222             if (null === $this->hash) {
 223                 $this->generateHash();
 224             }
 225         }
 226         return $this->hash;
 227     }
 228
 229     /**
 230      * Get session namespace for CSRF token
 231      *
 232      * Generates a session namespace based on salt, element name, and class.
 233      *
 234      * @return string
 235      */
 236     public function getSessionName()
 237     {
 238         return str_replace('\\', '_', __CLASS__) . '_'
 239             . $this->getSalt() . '_'
 240             . strtr($this->getName(), array('[' => '_', ']' => ''));
 241     }
 242
 243     /**
 244      * Set timeout for CSRF session token
 245      *
 246      * @param  int|null $ttl
 247      * @return Csrf
 248      */
 249     public function setTimeout($ttl)
 250     {
 251         $this->timeout = ($ttl !== null) ? (int) $ttl : null;
 252         return $this;
 253     }
 254
 255     /**
 256      * Get CSRF session token timeout
 257      *
 258      * @return int
 259      */
 260     public function getTimeout()
 261     {
 262         return $this->timeout;
 263     }
 264
 265     /**
 266      * Initialize CSRF token in session
 267      *
 268      * @return void
 269      */
 270     protected function initCsrfToken()
 271     {
 272         $session = $this->getSession();
 273         //$session->setExpirationHops(1, null);
 274         $timeout = $this->getTimeout();
 275         if (null !== $timeout) {
 276             $session->setExpirationSeconds($timeout);
 277         }
 278         $session->hash = $this->getHash();
 279     }
 280
 281     /**
 282      * Generate CSRF token
 283      *
 284      * Generates CSRF token and stores both in {@link $hash} and element
 285      * value.
 286      *
 287      * @return void
 288      */
 289     protected function generateHash()
 290     {
 291         if (isset(static::$hashCache[$this->getSessionName()])) {
 292             $this->hash = static::$hashCache[$this->getSessionName()];
 293         } else {
 294             $this->hash = md5($this->getSalt() . Rand::getBytes(32) .  $this->getName());
 295             static::$hashCache[$this->getSessionName()] = $this->hash;
 296         }
 297         $this->setValue($this->hash);
 298         $this->initCsrfToken();
 299     }
 300
 301     /**
 302      * Get validation token
 303      *
 304      * Retrieve token from session, if it exists.
 305      *
 306      * @return null|string
 307      */
 308     protected function getValidationToken()
 309     {
 310         $session = $this->getSession();
 311         if (isset($session->hash)) {
 312             return $session->hash;
 313         }
 314         return null;
 315     }
 316 }