always verify csrf token for resource-modifying requests,

that is post, put, patch, delete
2025-03-01 10:31:47 +00:00 · 2019-07-30 17:05:00 +02:00
parent 93b458197a
commit f989b8060b
2 changed files with 24 additions and 0 deletions
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -82,6 +82,26 @@ function CSRFValidate()
    }
 }

+/**
+* Should the request be CSRF-validated?
+*/
+function csrfValidateRequest()
+{
+  $request_method = strtolower($_SERVER['REQUEST_METHOD']);
+  return in_array($request_method, [ "post", "put", "patch", "delete" ]);
+}
+
+/**
+* Handle invalid CSRF
+*/
+function handleInvalidCSRFToken()
+{
+    header('HTTP/1.1 500 Internal Server Error');
+    header('Content-Type: text/plain');
+    echo 'Invalid CSRF token';
+    exit;
+}
+
 /**
 * Test whether array is associative
 */