diff options
| author | Renato Botelho <renato@netgate.com> | 2017-04-10 15:04:40 -0300 |
|---|---|---|
| committer | Renato Botelho <renato@netgate.com> | 2017-04-10 15:04:40 -0300 |
| commit | dc668baa84a0809ac04e7421fa4a17b341572494 (patch) | |
| tree | 5221e6d9dc3d0d32572a68e5aacc6c47aa2d1974 /src | |
| parent | 557e082696823ea5fa09a36d98f01775bf1e0c77 (diff) | |
| download | pfsense-dc668baa84a0809ac04e7421fa4a17b341572494.zip pfsense-dc668baa84a0809ac04e7421fa4a17b341572494.tar.gz | |
Update CSRF to latest version from github
Diffstat (limited to 'src')
| -rw-r--r-- | src/usr/local/www/csrf/csrf-magic.js | 16 | ||||
| -rw-r--r-- | src/usr/local/www/csrf/csrf-magic.php | 12 |
2 files changed, 15 insertions, 13 deletions
diff --git a/src/usr/local/www/csrf/csrf-magic.js b/src/usr/local/www/csrf/csrf-magic.js index a889773..0989c10 100644 --- a/src/usr/local/www/csrf/csrf-magic.js +++ b/src/usr/local/www/csrf/csrf-magic.js @@ -40,13 +40,11 @@ CsrfMagic.prototype = { send: function(data) { if (!this.csrf_isPost) return this.csrf_send(data); prepend = csrfMagicName + '=' + csrfMagicToken + '&'; - - // Removed to eliminate 'Refused to set unsafe header "Content-length" ' errors in modern browsers - // if (this.csrf_purportedLength === undefined) { - // this.csrf_setRequestHeader("Content-length", this.csrf_purportedLength + prepend.length); - // delete this.csrf_purportedLength; - // } - + // XXX: Removed to eliminate 'Refused to set unsafe header "Content-length" ' errors in modern browsers + // if (this.csrf_purportedLength === undefined) { + // this.csrf_setRequestHeader("Content-length", this.csrf_purportedLength + prepend.length); + // delete this.csrf_purportedLength; + // } delete this.csrf_isPost; return this.csrf_send(prepend + data); }, @@ -89,6 +87,10 @@ CsrfMagic.prototype._updateProps = function() { } } CsrfMagic.process = function(base) { + if(typeof base == 'object') { + base[csrfMagicName] = csrfMagicToken; + return base; + } var prepend = csrfMagicName + '=' + csrfMagicToken; if (base) return prepend + '&' + base; return prepend; diff --git a/src/usr/local/www/csrf/csrf-magic.php b/src/usr/local/www/csrf/csrf-magic.php index 77a55fb..65db19f 100644 --- a/src/usr/local/www/csrf/csrf-magic.php +++ b/src/usr/local/www/csrf/csrf-magic.php @@ -13,8 +13,6 @@ * This library is PHP4 and PHP5 compatible. */ -include_once('phpsessionmanager.inc'); - // CONFIGURATION: /** @@ -219,7 +217,8 @@ function csrf_get_tokens() { $secret = csrf_get_secret(); if (!$has_cookies && $secret) { // :TODO: Harden this against proxy-spoofing attacks - $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']); + $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']); + $ip = ';ip:' . csrf_hash($IP_ADDRESS); } else { $ip = ''; } @@ -329,7 +328,8 @@ function csrf_check_token($token) { if ($GLOBALS['csrf']['user'] !== false) return false; if (!empty($_COOKIE)) return false; if (!$GLOBALS['csrf']['allow-ip']) return false; - return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time); + $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']); + return $value === csrf_hash($IP_ADDRESS, $time); } return false; } @@ -350,7 +350,7 @@ function csrf_conf($key, $val) { */ function csrf_start() { if ($GLOBALS['csrf']['auto-session'] && !session_id()) { - phpsession_begin(); + session_start(); } } @@ -381,7 +381,7 @@ function csrf_get_secret() { */ function csrf_generate_secret($len = 32) { $r = ''; - for ($i = 0; $i < 32; $i++) { + for ($i = 0; $i < $len; $i++) { $r .= chr(mt_rand(0, 255)); } $r .= time() . microtime(); |
