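/**
 * Build a request instance from the PHP superglobals.
 *
 * A non-empty POST (unless the post-token requirement is off or the request
 * is whitelisted) must carry a `_token` that matches the session and has not
 * timed out; otherwise the request is treated as a CSRF attempt and rejected
 * before any POST data is exposed on the instance.
 *
 * Only $_GET keys are copied onto the instance via set(); $_POST is kept
 * separately in _postData so GET and POST values cannot shadow each other.
 *
 * @return Ajde_Http_Request
 * @throws Security In debug mode when the CSRF check fails; outside debug
 *                  mode the failure is logged and the request dies with 403.
 */
public static function fromGlobal()
{
    $instance = new self();

    if (!empty($_POST) && self::requirePostToken() && !self::_isWhitelisted()) {
        // Measures against CSRF attacks
        $session = new Session('AC.Form');
        $exception = null;

        $formToken = isset($_POST['_token']) ? $_POST['_token'] : null;
        if ($formToken === null || !$session->has('formTime')) {
            $exception = new Security('No form token received or no form time set, bailing out to prevent CSRF attack');
        } elseif (!is_string($formToken)) {
            // PHP turns `_token[]=...` into an array; a non-string token must
            // never reach the hash comparison, it is simply a failed check.
            $exception = new Security('Form token has an unexpected type, bailing out to prevent CSRF attack');
        } elseif (!self::verifyFormToken($formToken)) {
            // The two hashes are diagnostics only: in debug mode they surface
            // with the exception, otherwise they go to the log, not the client.
            $exception = new Security('No matching form token (got ' . self::_getHashFromSession($formToken) . ', expected ' . self::_tokenHash($formToken) . '), bailing out to prevent CSRF attack');
        } elseif (!self::verifyFormTime()) {
            $exception = new Security('Form token timed out, bailing out to prevent CSRF attack');
        }

        if ($exception !== null) {
            if (Config::getInstance()->debug === true) {
                Response::setResponseType(Response::RESPONSE_TYPE_FORBIDDEN);
                throw $exception;
            }
            // Prevent inf. loops: clear the POST data before dying so that any
            // re-entry into this method no longer sees a POST to validate.
            // Assigning an empty array (rather than unset()) is well-defined for
            // a superglobal regardless of scope.
            $_POST = array();
            Log::logException($exception);
            Response::dieOnCode(Response::RESPONSE_TYPE_FORBIDDEN);
        }
    }

    // Security measure, protect $_POST: deliberately NOT merged with $_GET,
    // so POST fields are only reachable through _postData.
    foreach ($_GET as $key => $value) {
        $instance->set($key, $value);
    }
    $instance->_postData = $_POST;

    if (!empty($instance->_postData)) {
        // A request carrying POST data must never be served from cache.
        Cache::getInstance()->disable();
    }

    return $instance;
}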