From f989b8060b24784980a1003e998f07938ef657d0 Mon Sep 17 00:00:00 2001
From: glaszig
Date: Tue, 30 Jul 2019 17:05:00 +0200
Subject: [PATCH] always verify csrf token for resource-modifying requests, that is post, put, patch, delete
---
 includes/functions.php | 20 ++++++++++++++++++++
 index.php | 4 ++++
 2 files changed, 24 insertions(+)
diff --git a/includes/functions.php b/includes/functions.php
index 06ef2e0f..316665d3 100755
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -82,6 +82,26 @@ function CSRFValidate()
 }
 }
 
+/**
+* Should the request be CSRF-validated?
+*/
+function csrfValidateRequest()
+{
+ $request_method = strtolower($_SERVER['REQUEST_METHOD']);
+ return in_array($request_method, [ "post", "put", "patch", "delete" ]);
+}
+
+/**
+* Handle invalid CSRF
+*/
+function handleInvalidCSRFToken()
+{
+ header('HTTP/1.1 500 Internal Server Error');
+ header('Content-Type: text/plain');
+ echo 'Invalid CSRF token';
+ exit;
+}
+
 /**
 * Test whether array is associative
 */
diff --git a/index.php b/index.php
index 8189e175..e8af838a 100755
--- a/index.php
+++ b/index.php
@@ -39,6 +39,10 @@ include_once('includes/about.php');
 $output = $return = 0;
 $page = $_GET['page'];
 
+if (csrfValidateRequest() && !CSRFValidate()) {
+ handleInvalidCSRFToken();
+}
+
 if (empty($_SESSION['csrf_token'])) {
 if (function_exists('mcrypt_create_iv')) {
 $_SESSION['csrf_token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
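Review bot: `handleInvalidCSRFToken()` answers a failed token check with `HTTP/1.1 500 Internal Server Error`, which labels a rejected client request as a server fault and will show up in error monitoring as an outage rather than as an access-control event; `403 Forbidden` is the matching status. Suggest `http_response_code(403);` in place of the `HTTP/1.1 500` header line, plus an `error_log('CSRF validation failed for ' . $_SERVER['REQUEST_URI']);` before `exit` so repeated rejections are visible in logs, since a burst of token failures from one client is worth alerting on. In `csrfValidateRequest()`, `in_array` is called without the strict flag and `$_SERVER['REQUEST_METHOD']` is read unguarded (a CLI run emits a notice); `return in_array($request_method, ['post', 'put', 'patch', 'delete'], true);` with `isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : ''` as the input covers both. The context lines at the top of the hunk are the closing braces of `CSRFValidate()`, whose body starts outside the hunk.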
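Review bot: The new guard runs before the block that seeds `$_SESSION['csrf_token']`, so a state-changing request arriving on a fresh session is rejected before any token exists; that is the safe outcome, but it relies on `CSRFValidate()` (defined in includes/functions.php, outside this hunk) returning false rather than raising a notice when the session token is absent, which is worth confirming. The commit message says the token is "always" verified, yet this is the only call site in the diff; if PUT, PATCH and DELETE bodies are not populated into `$_POST`, `CSRFValidate()` may need to read the token from a request header for those methods, otherwise they will be rejected unconditionally. A one-line comment above the guard, `// Reject state-changing requests whose CSRF token does not match the session token.`, would record the intent for readers of index.php.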