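/**
  * Executes this filter.
  *
  * On a POST request the per-session CSRF token submitted as the
  * `_csrf_token` parameter is checked against the expected value
  * (md5 of the site secret concatenated with the session id); on any other
  * method an action whose name starts with "delete" is refused. The expected
  * token is then published as the `_csrf_token` request attribute so views
  * can embed it, and the chain continues.
  *
  * @param sfFilterChain $filterChain A sfFilterChain instance
  *
  * @throws sfException when a POST carries a missing or mismatching token,
  *                     or a delete* action is reached with a non-POST method
  */
 public function execute($filterChain)
 {
     $secret = afAuthenticDatamaker::getSiteSecret();
     $request = $this->getContext()->getRequest();
     $lastEntry = $this->context->getActionStack()->getLastEntry();
     $moduleName = $lastEntry->getModuleName();
     $actionName = $lastEntry->getActionName();

     // The token is bound to the site secret and the current session. It is
     // the same value that is published below, so forms embed exactly what
     // is checked here.
     // NOTE(review): if no session has been started yet, session_id() is ''
     // and the token degenerates to md5($secret) for every visitor — confirm
     // the user/session layer always starts the session before this filter.
     $expectedToken = md5($secret . session_id());

     // check only if request method is POST
     if (sfRequest::POST === $request->getMethod()) {
         if (self::isPossibleCrossSiteSessionRiding($request)) {
             $requestToken = $request->getParameter('_csrf_token');
             // Timed-out users are exempt (presumably because the expired
             // session is redirected to login before the action runs —
             // confirm), as are modules listed in the deactivation setting.
             // Strict in_array so a module name is only matched by an equal
             // string, never by loose scalar comparison.
             $exempt = $this->getContext()->getUser()->isTimedOut()
                 || in_array($moduleName, sfConfig::get('app_csrf_token_deactivatedModules', array()), true);
             // Reject a missing, non-string or mismatching token. The
             // comparison is constant-time so the check does not leak how
             // many leading bytes of the expected token a guess shares.
             if (!$exempt
                 && (!is_string($requestToken) || $requestToken === '' || !self::tokensMatch($expectedToken, $requestToken))
             ) {
                 throw new sfException('CSRF attack detected.');
             }
         }
     } elseif (strpos($actionName, 'delete') === 0) {
         // Only delete* actions are forced to POST by this filter; other
         // state-changing actions are not covered here.
         throw new sfException('Only POST is allowed for write-making actions.');
     }

     // provide the token to anyone interested
     $request->setAttribute('_csrf_token', $expectedToken);
     // execute next filter
     $filterChain->execute();
 }

 /**
  * Compares a submitted token with the expected one in constant time.
  *
  * Uses hash_equals() where available (PHP >= 5.6); otherwise falls back to
  * a fixed-time XOR fold over the bytes, so the time taken does not depend
  * on the position of the first differing byte.
  *
  * @param string $expected The token computed by the server
  * @param string $given    The token supplied by the client
  *
  * @return bool true only when both strings are byte-for-byte equal
  */
 private static function tokensMatch($expected, $given)
 {
     if (function_exists('hash_equals')) {
         return hash_equals($expected, $given);
     }
     $length = strlen($expected);
     if ($length !== strlen($given)) {
         return false;
     }
     $diff = 0;
     for ($i = 0; $i < $length; $i++) {
         $diff |= ord($expected[$i]) ^ ord($given[$i]);
     }
     return $diff === 0;
 }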
 /**
  * Builds the authenticated form configuration (af_formcfg) for a form.
  *
  * The configuration carries the submit URL, the validator set and the
  * accepted file types. The 'wizard' key is only present when the flag is
  * set, so non-wizard forms keep producing a blob without it.
  *
  * @param string $submitUrl  URL the form posts to
  * @param mixed  $validators Validator configuration (keyed by field name,
  *                           judging by its consumers)
  * @param mixed  $fileTypes  Accepted file types
  * @param bool   $wizard     Whether the form is part of a wizard
  *
  * @return mixed The value returned by afAuthenticDatamaker::encode()
  */
 public static function buildFormcfg($submitUrl, $validators, $fileTypes, $wizard = false)
 {
     $config = array(
         'url' => $submitUrl,
         'validators' => $validators,
         'fileTypes' => $fileTypes,
     );
     // Only wizard forms carry the flag; plain forms leave the key out.
     if ($wizard) {
         $config['wizard'] = true;
     }
     return afAuthenticDatamaker::encode($config);
 }
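 /**
  * Returns a valid af_formcfg for this form or null.
  *
  * The value is read from the 'af_formcfg' request parameter and must pass
  * afAuthenticDatamaker::decode(), which yields null for missing, empty or
  * non-authentic input. An authenticated blob is then bound to the current
  * form by comparing the path part of its 'url' with the path of the
  * request URI, so a blob issued for one form cannot be replayed against
  * another.
  *
  * @param sfContext $context The current context
  *
  * @return array|null The decoded configuration, or null when it is absent,
  *                    not authentic, lacks a 'url', or targets another path
  */
 private static function getFormConfig($context)
 {
     $request = $context->getRequest();
     $formcfg = afAuthenticDatamaker::decode($request->getParameter('af_formcfg'));
     // decode() returns null for anything that does not authenticate. Also
     // reject a blob that authenticates but carries no URL, rather than
     // comparing the path of a missing key.
     if (!is_array($formcfg) || !isset($formcfg['url'])) {
         return null;
     }
     if (UrlUtil::getPathPart($formcfg['url']) !== UrlUtil::getPathPart($request->getUri())) {
         // The given formcfg is for a different form.
         return null;
     }
     return $formcfg;
 }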
<?php

include dirname(__FILE__) . '/../bootstrap/dbunit.php';

// Round-trip and rejection tests for afAuthenticDatamaker, plus one fixed
// vector for the API key derivation of fixture user #1.
$t = new lime_test(6, new lime_output_color());

$payload = array('hello' => 'value1', 'hello2' => 123);

// A freshly encoded payload decodes back to the identical array.
$blob = afAuthenticDatamaker::encode($payload);
$t->is(afAuthenticDatamaker::decode($blob), $payload);

// With a second argument of 1 the blob must be rejected by decode()
// (presumably a lifetime that has already elapsed — confirm in encode()).
$blob = afAuthenticDatamaker::encode($payload, 1);
$t->is(afAuthenticDatamaker::decode($blob), null);

// Garbage, null and empty input are all rejected rather than decoded.
foreach (array('wrongInput', null, '') as $badInput) {
    $t->is(afAuthenticDatamaker::decode($badInput), null);
}

// Under a known site secret the key for fixture user #1 is a fixed vector;
// it also depends on that user's stored password from the fixture.
sfConfig::set('app_appFlower_siteSecret', 'CHANGE_ME');
$adminKey = afApikeySecurityFilter::getApiKey(sfGuardUserPeer::retrieveByPk(1));
$t->is($adminKey, 'RPQgOL2Pwgj06P4mkWHnip2iZMc~admin');
 /**
  * Returns the API key usable for the given user.
  *
  * The key is afAuthenticDatamaker::plainEncode() applied to the username,
  * with the user's stored password (hash) as extra key material — so the
  * key is tied to the current credential and presumably changes with it.
  * NOTE(review): the previous docblock described the format as
  * "hmac,username"; the test vector in the suite ('...~admin') suggests the
  * separator is '~' — confirm against plainEncode().
  *
  * @param sfGuardUser $afUser The user the key is issued for
  *
  * @return string The encoded API key
  */
 public static function getApikey($afUser)
 {
     return afAuthenticDatamaker::plainEncode(
         $afUser->getUsername(),
         $afUser->getPassword()
     );
 }
 /**
  * Merges the current request into the wizard state kept in the user
  * session under the attribute namespace $key, then writes it back.
  *
  * Only the "parser/wizard" namespace gets any processing; for any other
  * key the existing namespace contents are simply removed and re-added.
  * On a POST the fields submitted as edit[2][...] are either appended as a
  * new entry for the step (request parameter add=true; blank or duplicate
  * submissions are skipped) or merged into the step's single "fields"
  * array. An upload under $_FILES["edit"] (only the first field below
  * index 2 is looked at) is copied into app_tmp_dir and its metadata
  * stored as file_* fields.
  *
  * @param mixed  $step      Wizard step to update; false means "take it from
  *                          the action's 'step' variable" (only read on POST)
  * @param string $key       Session attribute namespace holding the state
  * @param mixed  $data      Not used by this method
  * @param mixed  $datastore Truthy together with the action's 'init' variable
  *                          makes the datastore be taken from $process
  * @param array  $process   Parse result; only ["parses"][0]["datastore"] is read
  *
  * @return bool|int true once the session has been written back; on an
  *                  upload error an integer code is returned instead and the
  *                  session is NOT written back: 4 (no file) when the file
  *                  field is required, 0 when a missing file is acceptable,
  *                  otherwise the PHP UPLOAD_ERR_* code as reported
  */
 public static function updateSession($step = false, $key = "parser/wizard", $data = null, $datastore = null, $process = null)
 {
     $context = sfContext::getInstance();
     $session = $context->getUser()->getAttributeHolder()->getAll($key);
     $add = $context->getRequest()->getParameter("add");
     $actionInstance = $context->getActionStack()->getLastEntry()->getActionInstance();
     // Variables the current action has set on itself (e.g. 'init', 'step').
     $attribute_holder = $actionInstance->getVarHolder()->getAll();
     // Put xml data
     if ($key == "parser/wizard") {
         if (!isset($session["skip"])) {
             $session["skip"] = array();
         }
         // On initialisation copy the datastore of the first parse result.
         if (isset($attribute_holder["init"]) && $datastore) {
             $session["datastore"] = $process["parses"][0]["datastore"];
         }
         if ($context->getRequest()->getMethod() === sfRequest::POST) {
             $post = $context->getRequest()->getParameterHolder()->getAll();
             $empty = true;
             // Is empty post? A submission counts as empty when every
             // edit[2] field other than "id" is blank after trim().
             // NOTE(review): trim() on a nested array value would warn —
             // assumes edit[2] holds scalars only.
             if (isset($post["edit"][2])) {
                 foreach ($post["edit"][2] as $k => $value) {
                     if ($k == "id") {
                         continue;
                     }
                     if (trim($value)) {
                         $empty = false;
                         break;
                     }
                 }
             } else {
                 // No fields at all: treat as non-empty only if a file
                 // was uploaded under edit.
                 $post["edit"][2] = array();
                 if (isset($_FILES["edit"])) {
                     $empty = false;
                 }
             }
             if ($step === false) {
                 $step = $attribute_holder["step"];
             }
             // Put post data
             if ($add === "true") {
                 // Is a duplicate? An existing entry of this step whose
                 // stored fields loosely (==) equal every submitted field
                 // marks the submission as a duplicate. The size check sits
                 // inside the inner loop, so it fires as soon as all
                 // submitted fields have matched; the outer loop still runs
                 // to completion but cannot reset $duplicate.
                 $duplicate = false;
                 if (isset($session[$step])) {
                     foreach ($session[$step] as $item) {
                         $cnt = 0;
                         foreach ($post["edit"][2] as $k => $v) {
                             if (isset($item["fields"][$k]) && $v == $item["fields"][$k]) {
                                 $cnt++;
                             }
                             if ($cnt == sizeof($post["edit"][2])) {
                                 $duplicate = true;
                                 break;
                             }
                         }
                     }
                 }
                 if (!$empty && !$duplicate) {
                     // Append a new entry and fill it; $sk is the index of
                     // the entry just appended (highest key).
                     $session[$step][] = array();
                     $sk = max(array_keys($session[$step]));
                     foreach ($post["edit"][2] as $k => $value) {
                         $session[$step][$sk]["fields"][$k] = $value;
                     }
                 }
             } else {
                 // Single-entry step: merge submitted fields into it.
                 if (isset($post["edit"][2])) {
                     foreach ($post["edit"][2] as $k => $value) {
                         if ($k != "associated_widgets") {
                             $session[$step]["fields"][$k] = $value;
                         } else {
                             // NOTE(review): this replaces the WHOLE $session
                             // with updateWidgets()' return value, discarding
                             // anything merged above for other keys — confirm
                             // that is intended and that it returns the full
                             // session state.
                             $session = PdfReportsPeer::updateWidgets($value);
                         }
                     }
                 }
                 if (isset($_FILES["edit"])) {
                     $session[$step]["file"] = true;
                     // $_FILES["edit"] is keyed by name/type/tmp_name/error/size;
                     // key($value[2]) picks the FIRST field under index 2, so
                     // only one file field per step is handled.
                     foreach ($_FILES["edit"] as $k => $value) {
                         if ($k == "error") {
                             if ($value[2][key($value[2])] != 0) {
                                 // Decide from the form's own validator config
                                 // whether a missing file is an error.
                                 // NOTE(review): decode() returns null for a
                                 // missing/tampered af_formcfg, which would make
                                 // the lookups below operate on null — confirm
                                 // the caller guarantees a valid af_formcfg here.
                                 $tmp_data = afAuthenticDatamaker::decode($post["af_formcfg"]);
                                 $field_data = $tmp_data["validators"]["edit[2][file]"];
                                 // 4 == UPLOAD_ERR_NO_FILE: fatal only when the
                                 // field is required; otherwise a clean 0.
                                 // Note: these returns skip the write-back below.
                                 if ($value[2][key($value[2])] == 4) {
                                     if (array_key_exists("immValidatorRequired", $field_data) || array_key_exists("sfValidatorFile", $field_data) && $field_data["sfValidatorFile"]["params"]["required"] === "true") {
                                         return 4;
                                     } else {
                                         return 0;
                                     }
                                 }
                                 return $value[2][key($value[2])];
                             }
                         }
                         if ($k == "type" || $k == "error") {
                             continue;
                         }
                         if ($k == "tmp_name") {
                             // Copy the PHP-managed temp file into the app tmp
                             // dir under its server-generated basename (the
                             // part after the last '/'); copy()'s result is
                             // not checked, so a failed copy still stores the
                             // target path. The original temp file is left to
                             // PHP's end-of-request cleanup.
                             $tmp_dir = sfConfig::get('app_tmp_dir') ? sfConfig::get('app_tmp_dir') : '/usr/www/tmp/';
                             $tx = substr($value[2][key($value[2])], strrpos($value[2][key($value[2])], "/") + 1);
                             copy($value[2][key($value[2])], $tmp_dir . $tx);
                             $txval = $tmp_dir . $tx;
                         } else {
                             // name/size are stored as submitted by the client;
                             // NOTE(review): file_name is unsanitised — must not
                             // be used to build a filesystem path downstream.
                             $txval = $value[2][key($value[2])];
                         }
                         $k = "file_" . $k;
                         $session[$step]["fields"][$k] = $txval;
                     }
                 }
             }
         }
     }
     // Replace the whole namespace with the updated state.
     $context->getUser()->getAttributeHolder()->removeNamespace($key);
     $context->getUser()->getAttributeHolder()->add($session, $key);
     return true;
 }