Example #1
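 /**
  * Build a request object from the PHP superglobals.
  *
  * When a POST body is present, self::requirePostToken() is enabled and the
  * request is not whitelisted (self::_isWhitelisted()), the CSRF check runs
  * first: $_POST['_token'] must exist, the 'AC.Form' session must hold a
  * 'formTime', and self::verifyFormToken() / self::verifyFormTime() must both
  * pass. A failed check throws the Security exception in debug mode; otherwise
  * the exception is logged and the response is terminated with a 403.
  *
  * Only $_GET keys are copied into the request parameters. $_POST is kept
  * separately in $_postData so POST values cannot be read as parameters, and
  * any POST data disables the cache for this request.
  *
  * @return Ajde_Http_Request
  * @throws Security when the CSRF check fails and debug mode is on
  */
 public static function fromGlobal()
 {
     $instance = new self();

     // Single failure path shared by both CSRF checks below. In debug mode the
     // exception is surfaced to the caller; otherwise it is logged and the
     // request ends with a 403. $_POST is cleared first so that any handler
     // rebuilding the request afterwards does not trip the same check again.
     $bailOnCsrf = static function (Security $exception) {
         if (Config::getInstance()->debug === true) {
             Response::setResponseType(Response::RESPONSE_TYPE_FORBIDDEN);
             throw $exception;
         }
         // Prevent inf. loops
         unset($_POST);
         // Rewrite
         Log::logException($exception);
         Response::dieOnCode(Response::RESPONSE_TYPE_FORBIDDEN);
     };

     if (!empty($_POST) && self::requirePostToken() && !self::_isWhitelisted()) {
         // Measures against CSRF attacks
         $session = new Session('AC.Form');
         if (!isset($_POST['_token']) || !$session->has('formTime')) {
             $bailOnCsrf(new Security('No form token received or no form time set, bailing out to prevent CSRF attack'));
         }
         $formToken = $_POST['_token'];
         // Check the token once; the result also selects the failure message.
         // NOTE(review): assumes verifyFormToken() has no side effects such as
         // single-use consumption — confirm against its implementation.
         $tokenValid = self::verifyFormToken($formToken);
         if (!$tokenValid || !self::verifyFormTime()) {
             if (!$tokenValid) {
                 // NOTE(review): this message embeds the session-side hash; it
                 // is shown to the client only in debug mode but is always logged.
                 $exception = new Security('No matching form token (got ' . self::_getHashFromSession($formToken) . ', expected ' . self::_tokenHash($formToken) . '), bailing out to prevent CSRF attack');
             } else {
                 $exception = new Security('Form token timed out, bailing out to prevent CSRF attack');
             }
             $bailOnCsrf($exception);
         }
     }

     // Security measure, protect $_POST: deliberately only $_GET is exposed as
     // request parameters; POST data is not merged in.
     foreach ($_GET as $key => $value) {
         $instance->set($key, $value);
     }
     $instance->_postData = $_POST;
     if (!empty($instance->_postData)) {
         // Requests carrying POST data bypass the cache
         Cache::getInstance()->disable();
     }
     return $instance;
 }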