author | Renato Botelho <renato@netgate.com> | 2017-04-10 15:04:40 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2017-04-10 15:04:40 -0300 |
commit | dc668baa84a0809ac04e7421fa4a17b341572494 (patch) | |
tree | 5221e6d9dc3d0d32572a68e5aacc6c47aa2d1974 /src/usr/local/www/csrf/csrf-magic.php | |
parent | 557e082696823ea5fa09a36d98f01775bf1e0c77 (diff) | |
Update CSRF to latest version from github
Diffstat (limited to 'src/usr/local/www/csrf/csrf-magic.php')
-rw-r--r-- | src/usr/local/www/csrf/csrf-magic.php | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/src/usr/local/www/csrf/csrf-magic.php b/src/usr/local/www/csrf/csrf-magic.php
index 77a55fb..65db19f 100644
--- a/src/usr/local/www/csrf/csrf-magic.php
+++ b/src/usr/local/www/csrf/csrf-magic.php
@@ -13,8 +13,6 @@
  * This library is PHP4 and PHP5 compatible.
  */
 
-include_once('phpsessionmanager.inc');
-
 // CONFIGURATION:
 
 /**
@@ -219,7 +217,8 @@ function csrf_get_tokens() {
     $secret = csrf_get_secret();
     if (!$has_cookies && $secret) {
         // :TODO: Harden this against proxy-spoofing attacks
-        $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
+        $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+        $ip = ';ip:' . csrf_hash($IP_ADDRESS);
     } else {
         $ip = '';
     }
@@ -329,7 +328,8 @@ function csrf_check_token($token) {
         if ($GLOBALS['csrf']['user'] !== false) return false;
         if (!empty($_COOKIE)) return false;
         if (!$GLOBALS['csrf']['allow-ip']) return false;
-        return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
+        $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+        return $value === csrf_hash($IP_ADDRESS, $time);
     }
     return false;
 }
@@ -350,7 +350,7 @@ function csrf_conf($key, $val) {
  */
 function csrf_start() {
     if ($GLOBALS['csrf']['auto-session'] && !session_id()) {
-        phpsession_begin();
+        session_start();
     }
 }
 
@@ -381,7 +381,7 @@ function csrf_get_secret() {
  */
 function csrf_generate_secret($len = 32) {
     $r = '';
-    for ($i = 0; $i < 32; $i++) {
+    for ($i = 0; $i < $len; $i++) {
         $r .= chr(mt_rand(0, 255));
     }
     $r .= time() . microtime();
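Review bot: The new `IP_ADDRESS`-or-`REMOTE_ADDR` ternary is duplicated verbatim in this csrf_get_tokens hunk and again in the csrf_check_token hunk below; since the token is generated from one and verified against the other, a single helper such as `function csrf_get_client_ip() { return isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']; }` called from both places keeps the two paths from drifting apart. `IP_ADDRESS` is not a standard CGI server variable, so it matters whether the web server or an upstream component populates it: if it can be derived from a request header, the IP-bound token is anchored to a client-chosen value, which is exactly what the surviving `// :TODO: Harden this against proxy-spoofing attacks` comment warns about. A comment above the ternary stating where `$_SERVER['IP_ADDRESS']` is expected to be set, and that `REMOTE_ADDR` is the trusted fallback, would make the trust assumption explicit. Both csrf_get_tokens and csrf_check_token start and end outside their hunks.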
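Review bot: The return value of `session_start()` is discarded in csrf_start, so a failed start (it returns false, and warns when headers were already sent) leaves `session_id()` empty and is silently retried on every call with no signal to the caller. Consider `if (!session_start()) { trigger_error('csrf-magic: unable to start session', E_USER_WARNING); }`, or a comment stating that auto-session deliberately tolerates a failed start. With the `phpsessionmanager.inc` include removed in the first hunk, any session-cookie settings that wrapper may have applied now rest solely on the runtime `session.*` configuration — worth a one-line comment above this call so the dependency is visible. csrf_start is complete within the hunk.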
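Review bot: Honouring `$len` in the loop bound is correct, but the secret bytes are still drawn from `mt_rand(0, 255)`, a seedable, predictable generator rather than a CSPRNG, so this hunk does not change the quality of the generated secret; where `random_bytes()` exists (PHP 7+) it should be used, keeping the `mt_rand` loop only as the fallback this PHP4/PHP5-compatible library needs. `$len` is also not validated — a zero or negative value leaves `$r` holding only `time() . microtime()`, which is low-entropy. The remainder of csrf_generate_secret lies outside the hunk, so any post-processing the secret receives is not visible here.
```php
function csrf_generate_secret($len = 32) {
    $r = '';
    if (function_exists('random_bytes')) {
        // Cryptographically secure source; mt_rand is only a legacy fallback.
        $r = random_bytes($len);
    } else {
        for ($i = 0; $i < $len; $i++) {
            $r .= chr(mt_rand(0, 255));
        }
    }
    $r .= time() . microtime();
    // … unchanged: rest of csrf_generate_secret …
```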