experimental CSRF protection

2025-12-13 07:25:54 +00:00 · 2011-12-26 12:02:52 +04:00
parent 036cd3a410
commit 8484ce2258
14 changed files with 106 additions and 9 deletions
--- a/backend.php
+++ b/backend.php
@@ -1,5 +1,5 @@
 <?php
-	set_include_path(get_include_path() . PATH_SEPARATOR . 
+	set_include_path(get_include_path() . PATH_SEPARATOR .
 		dirname(__FILE__) . "/include");

 	/* remove ill effects of magic quotes */
@@ -20,6 +20,11 @@
 	$op = $_REQUEST["op"];
 	@$method = $_REQUEST['subop'] ? $_REQUEST['subop'] : $_REQUEST["method"];

+	if (!$method)
+		$method = 'index';
+	else
+		$method = strtolower($method);
+
 	/* Public calls compatibility shim */

 	$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",
@@ -30,6 +35,11 @@
 		return;
 	}

+	$csrf_token = $_REQUEST['csrf_token'];
+
+	if (!$csrf_token)
+		error_log("[$op/$method] CSRF: [$csrf_token]\n", 3, "/tmp/csrf.log");
+
 	require_once "functions.php";
 	require_once "sessions.php";
 	require_once "sanity_check.php";
@@ -138,13 +148,17 @@
 		$handler = new $op($link, $_REQUEST);

 		if ($handler) {
-			if ($handler->before($method)) {
-				if ($method && method_exists($handler, $method)) {
-					$handler->$method();
-				} else if (method_exists($handler, 'index')) {
-					$handler->index();
+			if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
+				if ($handler->before($method)) {
+					if ($method && method_exists($handler, $method)) {
+						$handler->$method();
+					}
+					$handler->after();
+					return;
 				}
-				$handler->after();
+			} else {
+				header("Content-Type: text/plain");
+				print json_encode(array("error" => array("code" => 6)));
 				return;
 			}
 		}