author | nashe <thomas@chauchefoin.fr> | 2017-12-23 21:08:23 +0100 |
---|---|---|
committer | nashe <thomas@chauchefoin.fr> | 2017-12-23 21:08:23 +0100 |
commit | 20952e3f133bb2097f9f86fd2f2fffe4870d4228 (patch) | |
tree | 41a92c2d0219ce6b5c3fcba5c11e3283115a8266 | |
parent | ace3788763e40161b346757a5178bbe2cc6e7773 (diff) | |
Implement and expose a CSRF mitigation
-rwxr-xr-x | app/app.php | 2 | ||||
-rw-r--r-- | app/classes/CSRF.php | 49 |
2 files changed, 50 insertions, 1 deletions
diff --git a/app/app.php b/app/app.php
index 64c120a..0797cc7 100755
--- a/app/app.php
+++ b/app/app.php
@@ -29,4 +29,4 @@ if (is_installed()) {
 }
 
 $l10n = new Simplel10n($conf['locale']);
-
+$csrf = new CSRF();
diff --git a/app/classes/CSRF.php b/app/classes/CSRF.php
new file mode 100644
index 0000000..3e23380
--- /dev/null
+++ b/app/classes/CSRF.php
@@ -0,0 +1,49 @@
+<?php
+
+class CSRF
+{
+ /** @var string */
+ const HMAC_ALGORITHM = 'sha1';
+
+ /**
+ * Ensure that a CSRF token is valid for a given action.
+ *
+ * @param string $token
+ * @param string $action
+ * @return bool
+ */
+ public static function verify($token = '', $action = null)
+ {
+ if (!is_string($token) || !is_string($action)) {
+ return false;
+ }
+
+ $known = self::generate($action);
+ return hash_equals($known, $token);
+ }
+
+ /**
+ * Generate a CSRF token for a given action.
+ *
+ * @param string $action
+ * @throws InvalidArgumentException
+ * @return string
+ */
+ public static function generate($action = null)
+ {
+ if (!is_string($action)) {
+ throw InvalidArgumentException('A valid action must be defined.');
+ }
+ return hash_hmac(self::HMAC_ALGORITHM, $action, self::getKey());
+ }
+
+ /**
+ * Get HMAC key.
+ *
+ * @return string
+ */
+ public static function getKey()
+ {
+ return session_id();
+ }
+} |
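Review bot: `generate()` in the new CSRF.php dies with an "undefined function" error instead of throwing the documented exception, because `throw InvalidArgumentException(...)` is missing `new`; it should read `throw new InvalidArgumentException('A valid action must be defined.');`. `getKey()` returns `session_id()` unguarded: when no session is active that is the empty string, so `generate()` yields HMAC-SHA1 of the action under an empty key, a value anyone can compute and `verify()` will accept. The key lookup should refuse to run without an active session, as sketched below. Because the key is the session id, every outstanding token stops validating after `session_regenerate_id()` (e.g. at login); that is worth stating in the `getKey()` docblock so callers re-render forms afterwards. Separately, `sha1` is still acceptable for HMAC but `sha256` is the usual default today and nothing yet depends on the token length, so switching `HMAC_ALGORITHM` now is free.

```php
// … unchanged: HMAC_ALGORITHM, verify(), generate() (with the `new` fix above) …

/**
 * Get HMAC key.
 *
 * The key is the current session id, so tokens are only valid for the
 * session that issued them and stop validating after session_regenerate_id().
 *
 * @throws RuntimeException when no session is active (an empty key would make every token forgeable)
 * @return string
 */
public static function getKey()
{
    if (session_status() !== PHP_SESSION_ACTIVE || session_id() === '') {
        throw new RuntimeException('CSRF tokens require an active session.');
    }
    return session_id();
}
```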