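/**
 * Returns TRUE if the POST has a valid CSRF
 *
 * Usage:<br>
 * <code>
 *   if ($this->valid_post('upload_photo')) { ... }
 * </code>
 *
 * Checks run in this order: request method, post_max_size, the expected
 * submit field (when `$submit` is given), CSRF token/action, and finally
 * the captcha (only when a `_captcha` field was submitted). Every failure
 * records a message in `$this->_errors` and returns FALSE.
 *
 * @param   string|NULL  $submit  Submit value [Optional]
 * @return  boolean  Return TRUE if it's valid $_POST
 *
 * @uses  Request::is_post
 * @uses  Request::post_max_size_exceeded
 * @uses  Request::get_post_max_size
 * @uses  Request::post
 * @uses  CSRF::valid
 * @uses  Captcha::valid
 */
public function valid_post($submit = NULL)
{
	if (!$this->request->is_post())
	{
		return FALSE;
	}

	if (Request::post_max_size_exceeded())
	{
		$this->_errors = array('_action' => __('Max file size of :max Bytes exceeded!', array(':max' => Request::get_post_max_size())));
		return FALSE;
	}

	if ($submit !== NULL)
	{
		if (!isset($_POST[$submit]))
		{
			$this->_errors = array('_action' => __('This form has altered. Please try submitting it again.'));
			return FALSE;
		}
	}

	$_token  = $this->request->post('_token');
	$_action = $this->request->post('_action');

	// `&&`, not `and`: `$x = a and b` parses as `($x = a) and b`, so the
	// previous version only recorded whether `_token` was present and
	// ignored `_action` entirely.
	$has_csrf = (!empty($_token) && !empty($_action));

	if (!$has_csrf)
	{
		// Fail closed and tell the user why: a POST without both CSRF
		// fields is never valid (previously this returned FALSE silently,
		// leaving `$this->_errors` unset).
		$this->_errors = array('_token' => __('This form has expired. Please try submitting it again.'));
		return FALSE;
	}

	if (!CSRF::valid($_token, $_action))
	{
		// CSRF was submitted but is expired or not bound to this action
		$this->_errors = array('_token' => __('This form has expired. Please try submitting it again.'));
		return FALSE;
	}

	// NOTE(review): the captcha is only validated when the client sent a
	// `_captcha` field, so a client can skip it by omitting the field.
	// Forms that require a captcha must enforce its presence themselves
	// (or this method needs a "captcha required" flag) — confirm against callers.
	if (isset($_POST['_captcha']))
	{
		$captcha = $this->request->post('_captcha');

		if (empty($captcha))
		{
			// Captcha field present but left blank
			$this->_errors = array('_captcha' => __('The security code can\'t be empty.'));
			return FALSE;
		}

		if (!Captcha::valid($captcha))
		{
			$this->_errors = array('_captcha' => __('The security answer was wrong.'));
			return FALSE;
		}
	}

	// Method, size, submit field, CSRF and (if present) captcha all passed
	return TRUE;
}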
/**
 * Determines if a file larger than the post_max_size has been uploaded
 *
 * PHP does not handle this situation gracefully on its own, so this method
 * helps to solve that problem.
 *
 * The check compares the request's declared `CONTENT_LENGTH` header against
 * `Request::get_post_max_size()`. That header is supplied by the client, so
 * this is a best-effort early detection of an oversized body, not a
 * measurement of the bytes actually received.
 *
 * @return  boolean
 *
 * @uses  Arr::get
 * @link  http://php.net/post-max-size
 */
public static function post_max_size_exceeded()
{
	// Nothing to measure for CLI requests, and only POST carries an upload body
	if (Kohana::$is_cli === TRUE OR !Request::current()->is_post())
	{
		return FALSE;
	}

	// Declared body length (NULL when the header is absent, which compares as not exceeded)
	$declared_length = Arr::get($_SERVER, 'CONTENT_LENGTH');
	$limit           = Request::get_post_max_size();

	return ($declared_length > $limit);
}