Resolve hash_equals() error w/ expired csrf_token, add login redirect

This commit is contained in:
billz 2025-01-21 00:33:24 -08:00
parent 6cb0be96b4
commit 111c9581a3


@ -336,23 +336,26 @@ function CSRFMetaTag()
*/ */
function CSRFValidate() function CSRFValidate()
{ {
if(isset($_POST['csrf_token'])) { if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
$post_token = $_POST['csrf_token']; error_log('Session expired or CSRF token is missing.');
$header_token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null; header('Location: /login');
exit;
}
if (empty($post_token) && is_null($header_token)) { $post_token = $_POST['csrf_token'] ?? null;
return false; $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
}
$request_token = $post_token; if (empty($post_token) && is_null($header_token)) {
if (empty($post_token)) { error_log('CSRF token missing in the request');
$request_token = $header_token; return false;
} }
if (hash_equals($_SESSION['csrf_token'], $request_token)) { $request_token = $post_token ?: $header_token;
return true;
} else { if (hash_equals($_SESSION['csrf_token'], $request_token)) {
error_log('CSRF violation'); return true;
return false; } else {
} error_log('CSRF token mismatch');
return false;
} }
} }
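Review bot: The new `$request_token = $post_token ?: $header_token;` line still lets a non-string reach `hash_equals()`: if the request carries `csrf_token[]=...`, `$_POST['csrf_token']` is a non-empty array, the `empty()` guard passes, and `hash_equals()` raises the same TypeError this commit fixes for the session side. Guard the request token the way the session token is now guarded, e.g. `if (!is_string($request_token) || !hash_equals($_SESSION['csrf_token'], $request_token)) { error_log('CSRF token mismatch'); return false; }` in place of the if/else at the end. A missing or malformed client token should be a rejected request, not a fatal error, so the check belongs before the comparison rather than relying on the caller. Separately, issuing `header('Location: /login'); exit;` from inside the validator is a behaviour change for callers that use the X-CSRF-Token header (presumably AJAX), which cannot usefully follow a redirect; if those callers exist, returning false and letting the caller decide the response may be the safer contract.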