Beispiel #1
0
 /**
  * Check for signs of a CSRF attack and only
  * run the save function if the coast is clear.
  * @param Controller $controller
  */
 function csrfProtect($controller)
 {
     $request = $controller->request;
     $save_method = underscoreToMethod($controller->action . "Save");
     if (!method_exists($controller, $save_method)) {
         return false;
     }
     if (isset($request['csrf'])) {
         $sess_token = $controller->session->get('csrf_token');
         $req_token = $request['csrf'];
         $match = $req_token == $sess_token;
         if (!$match) {
             $controller->save_status = "bad csrf";
             $controller->error("bad csrf");
             return false;
         } else {
             if (isset($_SERVER['referer'])) {
                 $domain = parse_url($_SERVER['referer']);
                 $domain = $domain['host'];
                 if ($domain != $controller->config['domain']) {
                     $controller->save_status = "bad referer";
                     $controller->error("bad referer");
                     return false;
                 }
             }
         }
     } else {
         $controller->save_status = "no csrf";
         $controller->error("no csrf");
         return false;
     }
     $controller->save_status = "success";
     return true;
 }
Beispiel #2
0
 /**
  * Find the appropriate method, execute it,
  * and render the corresponding template.
  * @ignore
  */
 function execute()
 {
     if ($this->do_save) {
         $save_func = underscoreToMethod($this->action) . "Save";
         if (method_exists($this, $save_func)) {
             $this->{$save_func}($this->request);
         }
     }
     if ($this->do_run) {
         $run_func = underscoreToMethod($this->action) . "Run";
         if (method_exists($this, $run_func)) {
             $this->{$run_func}($this->request);
         } else {
             if (method_exists($this, 'defaultRun')) {
                 $this->view = 'default';
                 $this->defaultRun($this->request);
             } else {
                 $this->renderer = new FourOhFourRenderer();
             }
         }
     }
 }