/**
 * 
 * Is the current request a cross-site forgery?
 * 
 * Builds the Solar_Csrf helper on first use and caches it in
 * $this->_csrf; every call then delegates to the helper's isForgery().
 * 
 * @return bool True when the helper classifies the request as a forgery.
 * 
 */
public function isCsrf()
{
    $helper = $this->_csrf;
    if (! $helper) {
        // first use: create the helper once and keep it on this object
        $helper = Solar::factory('Solar_Csrf');
        $this->_csrf = $helper;
    }
    return $helper->isForgery();
}
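/**
 * 
 * Updates this object with current values.
 * 
 * This helps to maintain transitions between not having a session and
 * then having one; in the non-session state, there will be no token,
 * so we can't expect its presence until the next page load.
 * 
 * Security note: the token written to the session on the first
 * token-less request must be unpredictable to an attacker, otherwise
 * the anti-CSRF check can be bypassed by guessing it. uniqid() is
 * time-derived and mt_rand() is a non-cryptographic PRNG, so neither
 * is an acceptable source; a CSPRNG is used whenever the runtime
 * provides one.
 * 
 * @return void
 * 
 */
protected function _update()
{
    if (self::$_updated) {
        // already updated with current values
        return;
    }

    // lazy-start the session if one exists
    self::$_session->lazyStart();
    if (! self::$_session->isStarted()) {
        // not started, nothing left to do
        return;
    }

    // the session has started. is there an existing csrf token?
    if (self::$_session->has('token')) {
        // retain the existing token
        self::$_current = self::$_session->get('token');
    } else {
        // no token, create a new one for the session.
        // we're transitioning from a non-token state, and
        // incoming forms won't have it yet, so we don't retain
        // the new token as the current value.
        if (function_exists('random_bytes')) {
            // PHP 7+: 32 bytes (256 bits) of CSPRNG output, hex-encoded
            $token = bin2hex(random_bytes(32));
        } elseif (function_exists('openssl_random_pseudo_bytes')) {
            // PHP 5.3+ with ext/openssl
            $token = bin2hex(openssl_random_pseudo_bytes(32));
        } else {
            // legacy fallback: predictable and NOT suitable for security
            // purposes; kept only so very old runtimes keep working.
            // Upgrade the runtime rather than rely on this path.
            $token = uniqid(mt_rand(), true);
        }
        self::$_session->set('token', $token);
    }

    self::$_updated = true;
}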
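/**
 * 
 * Generates a hidden anti-CSRF element.
 * 
 * Renders a hidden input whose name is the CSRF key and whose value is
 * the current token, both taken from the Solar_Csrf helper held in
 * $this->_csrf. This helper takes no parameters (an earlier docblock
 * described a non-existent $info argument).
 * 
 * Note: unlike the form object's reset()/_addCsrfElement(), this does
 * not consult hasToken() first, so on a request that has no session
 * token yet it still renders the element with whatever getToken()
 * returns at that point (possibly empty).
 * 
 * @return string The element XHTML.
 * 
 */
public function formCsrf()
{
    $info = array(
        'name'  => $this->_csrf->getKey(),
        'value' => $this->_csrf->getToken(),
    );
    return $this->_view->formHidden($info);
}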
/**
 * 
 * Resets the form object to its originally-configured state, and adds
 * an anti-CSRF element with the current value of the session token.
 * 
 * All elements, feedback, and submitted values are discarded so the
 * same form object can be reused from scratch. (Filters and validations
 * are presumably carried by the elements themselves and go with them —
 * TODO confirm; they are not touched directly here.)
 * 
 * @return void
 * 
 */
public function reset()
{
    // default attribs first, config overrides on top
    $this->attribs = array_merge(
        $this->_default_attribs,
        $this->_config['attribs']
    );

    // wipe elements, feedback and any previously submitted values
    $this->elements   = array();
    $this->feedback   = array();
    $this->_submitted = null;

    // without a session token there is nothing to add
    if (! $this->_csrf->hasToken()) {
        return;
    }

    // re-add the hidden anti-csrf element carrying the current token
    $key = $this->_csrf->getKey();
    $this->setElement($key, array(
        'type'  => 'hidden',
        'value' => $this->_csrf->getToken(),
    ));
}
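/**
 * 
 * If no CSRF element is present, add one.
 * 
 * Looks through the hidden elements for one named after the CSRF key;
 * when none is found and a session token exists, appends a hidden
 * element carrying the current token.
 * 
 * Element names are compared with === rather than ==: PHP's loose
 * comparison treats numeric-looking strings numerically ("1e3" == "1000"
 * is true, and before PHP 8 `0 == "token"` is true), which could make an
 * unrelated hidden field pass as the CSRF element and suppress the add.
 * 
 * @return void
 * 
 */
protected function _addCsrfElement()
{
    // if no token, nothing to add
    if (! $this->_csrf->hasToken()) {
        return;
    }

    $name = $this->_csrf->getKey();

    // is a csrf element already present?
    foreach ($this->_hidden as $info) {
        // isset() guards hidden elements that carry no 'name' key
        if (isset($info['name']) && $info['name'] === $name) {
            // found it, no need to add it
            return;
        }
    }

    // add the token to the hidden elements
    $this->addElement(array(
        'name'  => $name,
        'type'  => 'hidden',
        'value' => $this->_csrf->getToken(),
    ));
}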
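/**
 * 
 * If a CSRF element is needed but not present, add it; if present and not
 * needed, remove it.
 * 
 * A GET form never carries the token: its fields become query-string
 * parameters, so the token would otherwise be exposed in URLs (browser
 * history, server logs, Referer headers). For any other method, a
 * hidden element with the current token is added when a token exists
 * and none is already present.
 * 
 * Element names and the method are compared with === rather than ==,
 * since PHP's loose comparison treats numeric-looking strings numerically
 * (and, before PHP 8, `0 == "token"` is true), which could mis-detect an
 * unrelated hidden field as the CSRF element.
 * 
 * @return void
 * 
 */
protected function _modCsrfElement()
{
    // the name of the csrf element
    $name = $this->_csrf->getKey();

    // if using GET, don't add csrf if not already there ...
    $method = strtolower($this->_attribs_form['method']);
    if ($method === 'get') {
        // ... and remove it if present, so the token never reaches the URL.
        foreach ($this->_hidden as $key => $info) {
            // isset() guards hidden elements that carry no 'name' key
            if (isset($info['name']) && $info['name'] === $name) {
                unset($this->_hidden[$key]);
            }
        }
        // done
        return;
    }

    // if no token, nothing to add
    if (! $this->_csrf->hasToken()) {
        return;
    }

    // is a csrf element already present?
    foreach ($this->_hidden as $info) {
        if (isset($info['name']) && $info['name'] === $name) {
            // found it, no need to add it
            return;
        }
    }

    // add the token to the hidden elements
    $this->addElement(array(
        'name'  => $name,
        'type'  => 'hidden',
        'value' => $this->_csrf->getToken(),
    ));
}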