コード例 #1
0
ファイル: csrf-magic.php プロジェクト: andrei1489/cacti
/**
 * Generates a hash/expiry double. If time isn't set it will be calculated
 * from the current time.
 */
function csrf_hash($value, $time = null)
{
    if (!$time) {
        $time = time();
    }
    return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
}
コード例 #2
0
ファイル: csrf-magic.php プロジェクト: nyov/thehostingtool
/**
 * Checks if a token is valid.
 */
function csrf_check_token($token)
{
    if (strpos($token, ':') === false) {
        return false;
    }
    list($type, $value) = explode(':', $token, 2);
    if (strpos($value, ',') === false) {
        return false;
    }
    list($x, $time) = explode(',', $token, 2);
    if ($GLOBALS['csrf']['expires']) {
        if (time() > $time + $GLOBALS['csrf']['expires']) {
            return false;
        }
    }
    switch ($type) {
        case 'sid':
            return $value === csrf_hash(session_id(), $time);
        case 'cookie':
            $n = $GLOBALS['csrf']['cookie'];
            if (!$n) {
                return false;
            }
            if (!isset($_COOKIE[$n])) {
                return false;
            }
            return $value === csrf_hash($_COOKIE[$n], $time);
        case 'key':
            if (!$GLOBALS['csrf']['key']) {
                return false;
            }
            return $value === csrf_hash($GLOBALS['csrf']['key'], $time);
            // We could disable these 'weaker' checks if 'key' was set, but
            // that doesn't make me feel good then about the cookie-based
            // implementation.
        // We could disable these 'weaker' checks if 'key' was set, but
        // that doesn't make me feel good then about the cookie-based
        // implementation.
        case 'user':
            if ($GLOBALS['csrf']['secret'] === '') {
                return false;
            }
            if ($GLOBALS['csrf']['user'] === false) {
                return false;
            }
            return $value === csrf_hash($GLOBALS['csrf']['user'], $time);
        case 'ip':
            if (csrf_get_secret() === '') {
                return false;
            }
            // do not allow IP-based checks if the username is set, or if
            // the browser sent cookies
            if ($GLOBALS['csrf']['user'] !== false) {
                return false;
            }
            if (!empty($_COOKIE)) {
                return false;
            }
            if (!$GLOBALS['csrf']['allow-ip']) {
                return false;
            }
            return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
    }
    return false;
}