Ejemplo n.º 1
0
 /**
  * Matches a \TYPO3\FLOW3\Mvc\RequestInterface against the configured CSRF pattern rules and searches for invalid
  * csrf tokens.
  *
  * @param \TYPO3\FLOW3\Mvc\RequestInterface $request The request that should be matched
  * @return boolean TRUE if the pattern matched, FALSE otherwise
  * @throws \TYPO3\FLOW3\Security\Exception\AuthenticationRequiredException
  */
 public function matchRequest(\TYPO3\FLOW3\Mvc\RequestInterface $request)
 {
     if ($this->authenticationManager->isAuthenticated() === FALSE) {
         return FALSE;
     }
     $controllerClassName = $this->objectManager->getClassNameByObjectName($request->getControllerObjectName());
     $actionName = $request->getControllerActionName() . 'Action';
     if ($this->policyService->hasPolicyEntryForMethod($controllerClassName, $actionName) && !$this->reflectionService->isMethodTaggedWith($controllerClassName, $actionName, 'skipcsrfprotection')) {
         $internalArguments = $request->getInternalArguments();
         if (!isset($internalArguments['__csrfToken'])) {
             return TRUE;
         }
         $csrfToken = $internalArguments['__csrfToken'];
         if (!$this->securityContext->hasCsrfProtectionTokens()) {
             throw new \TYPO3\FLOW3\Security\Exception\AuthenticationRequiredException('No tokens in security context, possible session timeout', 1317309673);
         }
         if ($this->securityContext->isCsrfProtectionTokenValid($csrfToken) === FALSE) {
             return TRUE;
         }
     }
     return FALSE;
 }