summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/usr/local/www/csrf/csrf-magic.js16
-rw-r--r--src/usr/local/www/csrf/csrf-magic.php12
2 files changed, 15 insertions, 13 deletions
diff --git a/src/usr/local/www/csrf/csrf-magic.js b/src/usr/local/www/csrf/csrf-magic.js
index a889773..0989c10 100644
--- a/src/usr/local/www/csrf/csrf-magic.js
+++ b/src/usr/local/www/csrf/csrf-magic.js
@@ -40,13 +40,11 @@ CsrfMagic.prototype = {
send: function(data) {
if (!this.csrf_isPost) return this.csrf_send(data);
prepend = csrfMagicName + '=' + csrfMagicToken + '&';
-
- // Removed to eliminate 'Refused to set unsafe header "Content-length" ' errors in modern browsers
- // if (this.csrf_purportedLength === undefined) {
- // this.csrf_setRequestHeader("Content-length", this.csrf_purportedLength + prepend.length);
- // delete this.csrf_purportedLength;
- // }
-
+ // XXX: Removed to eliminate 'Refused to set unsafe header "Content-length" ' errors in modern browsers
+ // if (this.csrf_purportedLength === undefined) {
+ // this.csrf_setRequestHeader("Content-length", this.csrf_purportedLength + prepend.length);
+ // delete this.csrf_purportedLength;
+ // }
delete this.csrf_isPost;
return this.csrf_send(prepend + data);
},
@@ -89,6 +87,10 @@ CsrfMagic.prototype._updateProps = function() {
}
}
CsrfMagic.process = function(base) {
+ if(typeof base == 'object') {
+ base[csrfMagicName] = csrfMagicToken;
+ return base;
+ }
var prepend = csrfMagicName + '=' + csrfMagicToken;
if (base) return prepend + '&' + base;
return prepend;
diff --git a/src/usr/local/www/csrf/csrf-magic.php b/src/usr/local/www/csrf/csrf-magic.php
index 77a55fb..65db19f 100644
--- a/src/usr/local/www/csrf/csrf-magic.php
+++ b/src/usr/local/www/csrf/csrf-magic.php
@@ -13,8 +13,6 @@
* This library is PHP4 and PHP5 compatible.
*/
-include_once('phpsessionmanager.inc');
-
// CONFIGURATION:
/**
@@ -219,7 +217,8 @@ function csrf_get_tokens() {
$secret = csrf_get_secret();
if (!$has_cookies && $secret) {
// :TODO: Harden this against proxy-spoofing attacks
- $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
+ $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+ $ip = ';ip:' . csrf_hash($IP_ADDRESS);
} else {
$ip = '';
}
@@ -329,7 +328,8 @@ function csrf_check_token($token) {
if ($GLOBALS['csrf']['user'] !== false) return false;
if (!empty($_COOKIE)) return false;
if (!$GLOBALS['csrf']['allow-ip']) return false;
- return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
+ $IP_ADDRESS = (isset($_SERVER['IP_ADDRESS']) ? $_SERVER['IP_ADDRESS'] : $_SERVER['REMOTE_ADDR']);
+ return $value === csrf_hash($IP_ADDRESS, $time);
}
return false;
}
@@ -350,7 +350,7 @@ function csrf_conf($key, $val) {
*/
function csrf_start() {
if ($GLOBALS['csrf']['auto-session'] && !session_id()) {
- phpsession_begin();
+ session_start();
}
}
@@ -381,7 +381,7 @@ function csrf_get_secret() {
*/
function csrf_generate_secret($len = 32) {
$r = '';
- for ($i = 0; $i < 32; $i++) {
+ for ($i = 0; $i < $len; $i++) {
$r .= chr(mt_rand(0, 255));
}
$r .= time() . microtime();
OpenPOWER on IntegriCloud