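/**
 *
 * Does the incoming request look like a cross-site forgery?
 *
 * Only works for POST requests: the CSRF value posted under the key
 * returned by getKey() must match the current expected value.
 *
 * @return bool True when the request is a POST and its CSRF value does
 * not match the current value; false otherwise (non-POST requests, or no
 * current value set up yet, are never treated as forgeries).
 *
 */
public function isForgery()
{
    $this->_update();

    if (! self::$_request->isPost()) {
        // only POST requests can be cross-site request forgeries
        return false;
    }

    if (! self::$_current) {
        // there is no current value so it doesn't matter
        return false;
    }

    // get the incoming csrf value from $_POST
    $key = $this->getKey();
    $val = self::$_request->post($key);

    // a missing or non-string submission can never match the token
    if (! is_string($val)) {
        return true;
    }

    // compare as strings, in constant time.  The loose `!=` this replaces
    // compared numeric-looking strings numerically ("1e3" == "1000"), so a
    // token that merely looked numerically equal would not have counted
    // as a forgery.  hash_equals() is available from PHP 5.6.
    return ! hash_equals((string) self::$_current, $val);
}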
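/**
 *
 * Whether or not user requested a specific process within the action.
 *
 * By default, looks for $process_key in [[Solar_Request::post()]] to get the
 * value of the process request.
 *
 * Checks against "PROCESS_$type" locale string for matching. For example,
 * $this->_isProcess('save') checks Solar_Request::post('process')
 * against $this->locale('PROCESS_SAVE').
 *
 * @param string $type The process type; for example, 'save', 'delete',
 * 'preview', etc. If empty, returns true if *any* process type
 * was posted.
 *
 * @param string $process_key If not empty, check against this
 * [[Solar_Request::post()]] key instead $this->_process_key. Default
 * null.
 *
 * @return bool
 *
 */
protected function _isProcess($type = null, $process_key = null)
{
    // make sure we know what post-var to look in
    if (empty($process_key)) {
        $process_key = $this->_process_key;
    }

    // didn't ask for a process type; answer if *any* process was
    // requested.
    if (empty($type)) {
        $any = $this->_request->post($process_key);
        return ! empty($any);
    }

    // asked for a process type, find the locale string for it.
    $locale_key = 'PROCESS_' . strtoupper($type);
    $locale = $this->locale($locale_key);

    // $process must be non-empty, and must match the locale string
    // exactly.  Not enough just to match the locale string, as it might
    // be empty.  The posted value is user-controlled, so use === rather
    // than ==: a loose comparison treats numeric-looking strings
    // numerically ("1e3" == "1000"), which must not count as a match.
    $process = $this->_request->post($process_key, false);
    return $process && $process === $locale;
}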
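/**
 *
 * Indicates this is a cross-site request forgery attempt.
 *
 * Records an ERR_CSRF_ATTEMPT error plus the names of the posted fields,
 * sets a 403 status on the response, and forwards to the 'error' action.
 *
 * @return mixed Whatever $this->_forward('error') returns.
 *
 */
protected function _csrfAttempt()
{
    $this->_errors[] = 'ERR_CSRF_ATTEMPT';

    // record which fields were posted, but not their values: the
    // submission is untrusted and may carry credentials or tokens that
    // must not be echoed back through the error list.  Keys-only also
    // avoids stringifying nested array values.
    $vars = $this->_request->post();
    foreach (array_keys((array) $vars) as $key) {
        $this->_errors[] = "{$key}: (value not shown)";
    }

    $this->_response->setStatusCode(403);
    return $this->_forward('error');
}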