always verify csrf token for resource-modifying requests,

that is post, put, patch, delete
2025-03-01 10:31:47 +00:00 · 2019-07-30 17:05:00 +02:00
parent 93b458197a
commit f989b8060b
2 changed files with 24 additions and 0 deletions
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -82,6 +82,26 @@ function CSRFValidate()
    }
 }

+/**
+* Should the request be CSRF-validated?
+*/
+function csrfValidateRequest()
+{
+  $request_method = strtolower($_SERVER['REQUEST_METHOD']);
+  return in_array($request_method, [ "post", "put", "patch", "delete" ]);
+}
+
+/**
+* Handle invalid CSRF
+*/
+function handleInvalidCSRFToken()
+{
+    header('HTTP/1.1 500 Internal Server Error');
+    header('Content-Type: text/plain');
+    echo 'Invalid CSRF token';
+    exit;
+}
+
 /**
 * Test whether array is associative
 */
--- a/index.php
+++ b/index.php
@@ -39,6 +39,10 @@ include_once('includes/about.php');
 $output = $return = 0;
 $page = $_GET['page'];

+if (csrfValidateRequest() && !CSRFValidate()) {
+  handleInvalidCSRFToken();
+}
+
 if (empty($_SESSION['csrf_token'])) {
    if (function_exists('mcrypt_create_iv')) {
        $_SESSION['csrf_token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));