frodovdr/raspap-webgui
1
0
Fork 0
mirror of https://github.com/billz/raspap-webgui.git synced 2025-03-01 10:31:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Resolve hash_equals() error w/ expired csrf_token, add login redirect

Browse Source
This commit is contained in:
billz 2025-01-21 00:33:24 -08:00
parent 6cb0be96b4
commit 111c9581a3
1 changed files with 19 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
includes/functions.php
View File

@ -336,25 +336,28 @@ function CSRFMetaTag()
*/ */
function CSRFValidate() function CSRFValidate()
{ {
if(isset($_POST['csrf_token'])) { if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
$post_token = $_POST['csrf_token']; error_log('Session expired or CSRF token is missing.');
header('Location: /login');
exit;
}
$post_token = $_POST['csrf_token'] ?? null;
$header_token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null; $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
if (empty($post_token) && is_null($header_token)) { if (empty($post_token) && is_null($header_token)) {
error_log('CSRF token missing in the request');
return false; return false;
} }
$request_token = $post_token; $request_token = $post_token ?: $header_token;
if (empty($post_token)) {
$request_token = $header_token;
}
if (hash_equals($_SESSION['csrf_token'], $request_token)) { if (hash_equals($_SESSION['csrf_token'], $request_token)) {
return true; return true;
} else { } else {
error_log('CSRF violation'); error_log('CSRF token mismatch');
return false; return false;
} }
} }
}
/** /**
* Should the request be CSRF-validated? * Should the request be CSRF-validated?