authornashe <thomas@chauchefoin.fr>2017-12-23 21:08:23 +0100
committernashe <thomas@chauchefoin.fr>2017-12-23 21:08:23 +0100
commit20952e3f133bb2097f9f86fd2f2fffe4870d4228 (patch)
tree41a92c2d0219ce6b5c3fcba5c11e3283115a8266
parentace3788763e40161b346757a5178bbe2cc6e7773 (diff)
downloadplanet-20952e3f133bb2097f9f86fd2f2fffe4870d4228.tar
planet-20952e3f133bb2097f9f86fd2f2fffe4870d4228.tar.gz
planet-20952e3f133bb2097f9f86fd2f2fffe4870d4228.tar.bz2
planet-20952e3f133bb2097f9f86fd2f2fffe4870d4228.tar.xz
planet-20952e3f133bb2097f9f86fd2f2fffe4870d4228.zip
Implement and expose a CSRF mitigation
-rwxr-xr-xapp/app.php2
-rw-r--r--app/classes/CSRF.php49
2 files changed, 50 insertions, 1 deletions
diff --git a/app/app.php b/app/app.php
index 64c120a..0797cc7 100755
--- a/app/app.php
+++ b/app/app.php
@@ -29,4 +29,4 @@ if (is_installed()) {
}
$l10n = new Simplel10n($conf['locale']);
-
+$csrf = new CSRF();
diff --git a/app/classes/CSRF.php b/app/classes/CSRF.php
new file mode 100644
index 0000000..3e23380
--- /dev/null
+++ b/app/classes/CSRF.php
@@ -0,0 +1,49 @@
+<?php
+
+class CSRF
+{
+ /** @var string */
+ const HMAC_ALGORITHM = 'sha1';
+
+ /**
+ * Ensure that a CSRF token is valid for a given action.
+ *
+ * @param string $token
+ * @param string $action
+ * @return bool
+ */
+ public static function verify($token = '', $action = null)
+ {
+ if (!is_string($token) || !is_string($action)) {
+ return false;
+ }
+
+ $known = self::generate($action);
+ return hash_equals($known, $token);
+ }
+
+ /**
+ * Generate a CSRF token for a given action.
+ *
+ * @param string $action
+ * @throws InvalidArgumentException
+ * @return string
+ */
+ public static function generate($action = null)
+ {
+ if (!is_string($action)) {
+ throw InvalidArgumentException('A valid action must be defined.');
+ }
+ return hash_hmac(self::HMAC_ALGORITHM, $action, self::getKey());
+ }
+
+ /**
+ * Get HMAC key.
+ *
+ * @return string
+ */
+ public static function getKey()
+ {
+ return session_id();
+ }
+}
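Review bot: The `throw InvalidArgumentException('A valid action must be defined.');` line in `generate()` is missing `new`, so PHP resolves it as a call to an undefined function and a non-string `$action` produces a fatal "Call to undefined function" error rather than the exception the docblock advertises; it should read `throw new InvalidArgumentException('A valid action must be defined.');`. Separately, `getKey()` returns `session_id()` without checking it: before `session_start()` that is the empty string, `hash_hmac` accepts an empty key, and `generate()` then yields a token derived only from the public action name, which `verify()` would accept. A guard such as `if ($key === '') { throw new RuntimeException('CSRF token requires an active session.'); }` in `getKey()` closes that gap. It is also worth noting in the class docblock that the token is a deterministic function of the session id and action (no per-form nonce), so it stays constant for the life of the session, and that `HMAC_ALGORITHM` could be `sha256` rather than `sha1` without changing the interface.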