From 20952e3f133bb2097f9f86fd2f2fffe4870d4228 Mon Sep 17 00:00:00 2001
From: nashe <thomas@chauchefoin.fr>
Date: Sat, 23 Dec 2017 21:08:23 +0100
Subject: Implement and expose a CSRF mitigation

---
 app/app.php          |  2 +-
 app/classes/CSRF.php | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 app/classes/CSRF.php

diff --git a/app/app.php b/app/app.php
index 64c120a..0797cc7 100755
--- a/app/app.php
+++ b/app/app.php
@@ -29,4 +29,4 @@ if (is_installed()) {
 }
 
 $l10n = new Simplel10n($conf['locale']);
-
+$csrf = new CSRF();
diff --git a/app/classes/CSRF.php b/app/classes/CSRF.php
new file mode 100644
index 0000000..3e23380
--- /dev/null
+++ b/app/classes/CSRF.php
@@ -0,0 +1,49 @@
+<?php
+
+class CSRF
+{
+    /** @var string */
+    const HMAC_ALGORITHM = 'sha1';
+
+    /**
+     * Ensure that a CSRF token is valid for a given action.
+     *
+     * @param  string $token
+     * @param  string $action
+     * @return bool
+     */
+    public static function verify($token = '', $action = null)
+    {
+        if (!is_string($token) || !is_string($action)) {
+            return false;
+        }
+
+        $known = self::generate($action);
+        return hash_equals($known, $token);
+    }
+
+    /**
+     * Generate a CSRF token for a given action.
+     *
+     * @param  string $action
+     * @throws InvalidArgumentException
+     * @return string
+     */
+    public static function generate($action = null)
+    {
+        if (!is_string($action)) {
+            throw InvalidArgumentException('A valid action must be defined.');
+        }
+        return hash_hmac(self::HMAC_ALGORITHM, $action, self::getKey());
+    }
+
+    /**
+     * Get HMAC key.
+     *
+     * @return string
+     */
+    public static function getKey()
+    {
+        return session_id();
+    }
+}
-- 
cgit v1.2.1