author | Renato Botelho <garga@FreeBSD.org> | 2014-06-03 14:39:56 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-06-03 14:39:56 -0300 |
commit | 29732bc3cf195dda95c5ea78d2659a93da586754 (patch) | |
tree | 231d675713b9e8046d9e398243ccbe060822aa12 | |
parent | bc29d9fd91e82757b433c9f6a13e56c0bbeaf7c6 (diff) | |
Update csrf-magic to 1.0.4
-rw-r--r-- | usr/local/www/csrf/csrf-magic.js | 17 | ||||
-rw-r--r-- | usr/local/www/csrf/csrf-magic.php | 36 |
2 files changed, 45 insertions, 8 deletions
diff --git a/usr/local/www/csrf/csrf-magic.js b/usr/local/www/csrf/csrf-magic.js
index d776b6a..d358b0f 100644
--- a/usr/local/www/csrf/csrf-magic.js
+++ b/usr/local/www/csrf/csrf-magic.js
@@ -142,25 +142,30 @@ if (window.XMLHttpRequest && window.XMLHttpRequest.prototype && '\v' != 'v') {
 }
 return jQuery.csrf_ajax( s );
 }
- } else if (window.Prototype) {
+ }
+ if (window.Prototype) {
 // This works for script.aculo.us too
 Ajax.csrf_getTransport = Ajax.getTransport;
 Ajax.getTransport = function() {
 return new CsrfMagic(Ajax.csrf_getTransport());
 }
- } else if (window.MooTools) {
+ }
+ if (window.MooTools) {
 Browser.csrf_Request = Browser.Request;
 Browser.Request = function () {
 return new CsrfMagic(Browser.csrf_Request());
 }
- } else if (window.YAHOO) {
+ }
+ if (window.YAHOO) {
+ // old YUI API
 YAHOO.util.Connect.csrf_createXhrObject = YAHOO.util.Connect.createXhrObject;
 YAHOO.util.Connect.createXhrObject = function (transaction) {
 obj = YAHOO.util.Connect.csrf_createXhrObject(transaction);
 obj.conn = new CsrfMagic(obj.conn);
 return obj;
 }
- } else if (window.Ext) {
+ }
+ if (window.Ext) {
 // Ext can use other js libraries as loaders, so it has to come last
 // Ext's implementation is pretty identical to Yahoo's, but we duplicate
 // it for comprehensiveness's sake.
@@ -170,7 +175,9 @@ if (window.XMLHttpRequest && window.XMLHttpRequest.prototype && '\v' != 'v') {
 obj.conn = new CsrfMagic(obj.conn);
 return obj;
 }
- } else if (window.dojo) {
+ }
+ if (window.dojo) {
+ // NOTE: this doesn't work with latest dojo
 dojo.csrf__xhrObj = dojo._xhrObj;
 dojo._xhrObj = function () {
 return new CsrfMagic(dojo.csrf__xhrObj());
diff --git a/usr/local/www/csrf/csrf-magic.php b/usr/local/www/csrf/csrf-magic.php
index fc02dea..58f4eba 100644
--- a/usr/local/www/csrf/csrf-magic.php
+++ b/usr/local/www/csrf/csrf-magic.php
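Review bot: Replacing the `else if` chain with independent `if` blocks lets several adapters install in one page, and the Ext comment retained at the end of the first hunk (`it has to come last` because Ext can use other libraries as loaders) still reads as if ordering guaranteed exclusivity; when Ext sits on top of Prototype or YUI, both branches now run and Ext's transport may already be a CsrfMagic, so it gets wrapped twice. I cannot tell from the hunk whether CsrfMagic tolerates wrapping another CsrfMagic, so that is worth confirming and recording in the comment, e.g. `// Ext can use other js libraries as loaders; those are wrapped above, so this may wrap an already-wrapped transport`. The dojo block in the second hunk has the same shape. The enclosing `if (window.XMLHttpRequest ...)` block begins and ends outside both hunks.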
@@ -53,6 +53,8 @@ $GLOBALS['csrf']['rewrite-js'] = false;
 * will become invalid.
 */
 $GLOBALS['csrf']['secret'] = '';
+// nota bene: library code should use csrf_get_secret() and not access
+// this global directly
 
 /**
 * Set this to false to disable csrf-magic's output handler, and therefore,
@@ -129,7 +131,7 @@ $GLOBALS['csrf']['xhtml'] = true;
 // FUNCTIONS:
 
 // Don't edit this!
-$GLOBALS['csrf']['version'] = '1.0.1';
+$GLOBALS['csrf']['version'] = '1.0.4';
 
 /**
 * Rewrites <form> on the fly to add CSRF tokens to them. This can also
@@ -240,12 +242,40 @@ function csrf_get_tokens() {
 return 'invalid';
 }
 
+function csrf_flattenpost($data) {
+ $ret = array();
+ foreach($data as $n => $v) {
+ $ret = array_merge($ret, csrf_flattenpost2(1, $n, $v));
+ }
+ return $ret;
+}
+function csrf_flattenpost2($level, $key, $data) {
+ if(!is_array($data)) return array($key => $data);
+ $ret = array();
+ foreach($data as $n => $v) {
+ $nk = $level >= 1 ? $key."[$n]" : "[$n]";
+ $ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v));
+ }
+ return $ret;
+}
+
 /**
 * @param $tokens is safe for HTML consumption
 */
 function csrf_callback($tokens) {
+ // (yes, $tokens is safe to echo without escaping)
 header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
- echo "<html><head><title>CSRF check failed</title></head><body>CSRF check failed. Either your session has expired, this page has been inactive too long, or you need to enable cookies.<br />Debug: ".$tokens."</body></html>
+ $data = '';
+ foreach (csrf_flattenpost($_POST) as $key => $value) {
+ if ($key == $GLOBALS['csrf']['input-name']) continue;
+ $data .= '<input type="hidden" name="'.htmlspecialchars($key).'" value="'.htmlspecialchars($value).'" />';
+ }
+ echo "<html><head><title>CSRF check failed</title></head>
+ <body>
+ <p>CSRF check failed. Your form session may have expired, or you may not have
+ cookies enabled.</p>
+ <form method='post' action=''>$data<input type='submit' value='Try again' /></form>
+ <p>Debug: $tokens</p></body></html>
 ";
 }
 
@@ -362,7 +392,7 @@ function csrf_generate_secret($len = 32) {
 */
 function csrf_hash($value, $time = null) {
 if (!$time) $time = time();
- return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
+ return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
 }
 
 // Load user configuration
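Review bot: csrf_flattenpost() and csrf_flattenpost2() build their result with array_merge(), which renumbers integer keys, so a top-level POST field with a numeric name (PHP stores such keys as ints) is re-emitted in the retry form under a different name, and the loose `if ($key == $GLOBALS['csrf']['input-name']) continue;` in csrf_callback then also matches int keys on PHP before 8.0, where `0 == '<non-numeric string>'` is true, dropping that field entirely. Keep the keys with the `+` operator in both functions, `$ret = $ret + csrf_flattenpost2(1, $n, $v);` and `$ret = $ret + csrf_flattenpost2($level+1, $nk, $v);`, and compare strictly on the string form, `if ((string) $key === $GLOBALS['csrf']['input-name']) continue;`. The htmlspecialchars() calls on the hidden-input name and value rely on the default flags and charset; with the double-quoted attributes used here the default escaping covers `"`, `<`, `>` and `&`, but passing `ENT_QUOTES` and `'UTF-8'` explicitly keeps that independent of the interpreter's defaults. A why-comment above the loop, `// re-emit the rejected POST (minus the token field) as hidden inputs so the user can retry`, would make the purpose of the flattening clear; note also that the `: "[$n]"` branch of the `$level >= 1` ternary in csrf_flattenpost2 is unreachable because csrf_flattenpost() always starts at level 1.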