usr/local/www/csrf/csrf-magic.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179

/**
 * @file
 *
 * Rewrites XMLHttpRequest to automatically send CSRF token with it. In theory
 * plays nice with other JavaScript libraries, needs testing though.
 */

// Here are the basic overloaded method definitions
// The wrapper must be set BEFORE onreadystatechange is written to, since
// a bug in ActiveXObject prevents us from properly testing for it.
CsrfMagic = function(real) {
    // try to make it ourselves, if you didn't pass it
    if (!real) try { real = new XMLHttpRequest; } catch (e) {;}
    if (!real) try { real = new ActiveXObject('Msxml2.XMLHTTP'); } catch (e) {;}
    if (!real) try { real = new ActiveXObject('Microsoft.XMLHTTP'); } catch (e) {;}
    if (!real) try { real = new ActiveXObject('Msxml2.XMLHTTP.4.0'); } catch (e) {;}
    this.csrf = real;
    // properties
    var csrfMagic = this;
    real.onreadystatechange = function() {
        csrfMagic._updateProps();
        return csrfMagic.onreadystatechange ? csrfMagic.onreadystatechange() : null;
    };
    csrfMagic._updateProps();
}

CsrfMagic.prototype = {

    open: function(method, url, async, username, password) {
        if (method == 'POST') this.csrf_isPost = true;
        // deal with Opera bug, thanks jQuery
        if (username) return this.csrf_open(method, url, async, username, password);
        else return this.csrf_open(method, url, async);
    },
    csrf_open: function(method, url, async, username, password) {
        if (username) return this.csrf.open(method, url, async, username, password);
        else return this.csrf.open(method, url, async);
    },

    send: function(data) {
        if (!this.csrf_isPost) return this.csrf_send(data);
        prepend = csrfMagicName + '=' + csrfMagicToken + '&';
        if (this.csrf_purportedLength === undefined) {
            this.csrf_setRequestHeader("Content-length", this.csrf_purportedLength + prepend.length);
            delete this.csrf_purportedLength;
        }
        delete this.csrf_isPost;
        return this.csrf_send(prepend + data);
    },
    csrf_send: function(data) {
        return this.csrf.send(data);
    },

    setRequestHeader: function(header, value) {
        // We have to auto-set this at the end, since we don't know how long the
        // nonce is when added to the data.
        if (this.csrf_isPost && header == "Content-length") {
            this.csrf_purportedLength = value;
            return;
        }
        return this.csrf_setRequestHeader(header, value);
    },
    csrf_setRequestHeader: function(header, value) {
        return this.csrf.setRequestHeader(header, value);
    },

    abort: function() {
        return this.csrf.abort();
    },
    getAllResponseHeaders: function() {
        return this.csrf.getAllResponseHeaders();
    },
    getResponseHeader: function(header) {
        return this.csrf.getResponseHeader(header);
    } // ,
}

// proprietary
CsrfMagic.prototype._updateProps = function() {
    this.readyState = this.csrf.readyState;
    if (this.readyState == 4) {
        this.responseText = this.csrf.responseText;
        this.responseXML  = this.csrf.responseXML;
        this.status       = this.csrf.status;
        this.statusText   = this.csrf.statusText;
    }
}
CsrfMagic.process = function(base) {
    var prepend = csrfMagicName + '=' + csrfMagicToken;
    if (base) return prepend + '&' + base;
    return prepend;
}
// callback function for when everything on the page has loaded
CsrfMagic.end = function() {
    // This rewrites forms AGAIN, so in case buffering didn't work this
    // certainly will.
    forms = document.getElementsByTagName('form');
    for (var i = 0; i < forms.length; i++) {
        form = forms[i];
        if (form.method.toUpperCase() !== 'POST') continue;
        if (form.elements[csrfMagicName]) continue;
        var input = document.createElement('input');
        input.setAttribute('name',  csrfMagicName);
        input.setAttribute('value', csrfMagicToken);
        input.setAttribute('type',  'hidden');
        form.appendChild(input);
    }
}

// Sets things up for Mozilla/Opera/nice browsers
// We very specifically match against Internet Explorer, since they haven't
// implemented prototypes correctly yet.
if (window.XMLHttpRequest && window.XMLHttpRequest.prototype && '\v' != '\v') {
    var x = XMLHttpRequest.prototype;
    var c = CsrfMagic.prototype;

    // Save the original functions
    x.csrf_open = x.open;
    x.csrf_send = x.send;
    x.csrf_setRequestHeader = x.setRequestHeader;

    // Notice that CsrfMagic is itself an instantiatable object, but only
    // open, send and setRequestHeader are necessary as decorators.
    x.open = c.open;
    x.send = c.send;
    x.setRequestHeader = c.setRequestHeader;
} else {
    // The only way we can do this is by modifying a library you have been
    // using. We support YUI, script.aculo.us, prototype, MooTools,
    // jQuery, Ext and Dojo.
    if (window.jQuery) {
        // jQuery didn't implement a new XMLHttpRequest function, so we have
        // to do this the hard way.
        jQuery.csrf_ajax = jQuery.ajax;
        jQuery.ajax = function( s ) {
            if (s.type && s.type.toUpperCase() == 'POST') {
                s = jQuery.extend(true, s, jQuery.extend(true, {}, jQuery.ajaxSettings, s));
                if ( s.data && s.processData && typeof s.data != "string" ) {
                    s.data = jQuery.param(s.data);
                }
                s.data = CsrfMagic.process(s.data);
            }
            return jQuery.csrf_ajax( s );
        }
    } else if (window.Prototype) {
        // This works for script.aculo.us too
        Ajax.csrf_getTransport = Ajax.getTransport;
        Ajax.getTransport = function() {
            return new CsrfMagic(Ajax.csrf_getTransport());
        }
    } else if (window.MooTools) {
        Browser.csrf_Request = Browser.Request;
        Browser.Request = function () {
            return new CsrfMagic(Browser.csrf_Request());
        }
    } else if (window.YAHOO) {
        YAHOO.util.Connect.csrf_createXhrObject = YAHOO.util.Connect.createXhrObject;
        YAHOO.util.Connect.createXhrObject = function (transaction) {
            obj = YAHOO.util.Connect.csrf_createXhrObject(transaction);
            obj.conn = new CsrfMagic(obj.conn);
            return obj;
        }
    } else if (window.Ext) {
        // Ext can use other js libraries as loaders, so it has to come last
        // Ext's implementation is pretty identical to Yahoo's, but we duplicate
        // it for comprehensiveness's sake.
        Ext.lib.Ajax.csrf_createXhrObject = Ext.lib.Ajax.createXhrObject;
        Ext.lib.Ajax.createXhrObject = function (transaction) {
            obj = Ext.lib.Ajax.csrf_createXhrObject(transaction);
            obj.conn = new CsrfMagic(obj.conn);
            return obj;
        }
    } else if (window.dojo) {
        dojo.csrf__xhrObj = dojo._xhrObj;
        dojo._xhrObj = function () {
            return new CsrfMagic(dojo.csrf__xhrObj());
        }
    }
}