/**
 * Force-activates a member on a chosen tariff (admin action).
 *
 * $parameters[0] is the id of the user being activated; the acting admin is
 * taken from $_SESSION['id_user'] and must be an admin of that user. When the
 * form was submitted, the CSRF token is checked before anything else, the
 * posted tariff and start date are sanitized and validated, and on success
 * the activation is performed and the browser is sent to the payments page.
 * Every outcome is appended to $this->messages. Without a submission (or after
 * a failed one) the form is rendered with a fresh CSRF token and tariff list.
 *
 * @param array $parameters route parameters; index 0 = id of the user to activate
 */
public function process($parameters)
{
    $activation = new Activation();
    $csrf = new Csrf();
    $targetUserId = $parameters[0];

    // Only an admin of this user may activate them.
    if (!$activation->checkIfIsAdminOfUser($_SESSION['id_user'], $targetUserId)) {
        $this->redirect('error'); // assumes redirect() terminates the request — confirm
    }

    $formSent = isset($_POST['sent']);
    if ($formSent) {
        $tokenOk = Csrf::validateCsrfRequest($_POST['csrf']);
        if (!$tokenOk) {
            $this->messages[] = [
                's' => 'error',
                'cs' => 'Možný CSRF útok! Zkuste prosím aktivaci znovu',
                'en' => 'Possible CSRF attack! Please try activation again',
            ];
            $this->redirect('error');
        }

        $tariffId = $activation->sanitize($_POST['tariff']);
        $startDate = $activation->sanitize($_POST['startDate']);

        $outcome = $activation->validateForceActivationData($tariffId, $startDate);
        $validationPassed = ($outcome['s'] == 'success');
        if ($validationPassed) {
            $email = $activation->getUserEmailFromId($targetUserId);
            $outcome = $activation->forceActivateUser($email, $tariffId, $startDate);
        }
        $this->messages[] = $outcome;

        if ($outcome['s'] == 'success') {
            $this->redirect('payments/' . $targetUserId);
        }
    }

    // Data for the (re-)rendered form.
    $this->data['csrf'] = $csrf->getCsrfToken();
    $this->data['tariffs'] = $activation->returnTariffsData($this->language);
    $this->header['title'] = ['cs' => 'Aktivace uživatele', 'en' => 'User activation'];
    $this->view = 'forceActivation';
}
/**
 * Saves the site metadata posted from the admin settings form.
 *
 * The CSRF token is verified first. sitename, description and theme are
 * required; auto_published_comments is normalised to 1/0 and posts_per_page
 * to a positive integer (10 when the posted value is not above 0). Each
 * remaining key is then written to the `meta` table one row at a time.
 * Errors and the success notice are reported through Notifications.
 *
 * @return bool true when the metadata was written, false on token or validation failure
 */
public static function update()
{
    // verify Csrf token
    if (Csrf::verify(Input::post('token')) === false) {
        Notifications::set('error', 'Invalid token');
        return false;
    }

    $fields = array('sitename', 'description', 'theme', 'twitter', 'home_page', 'posts_page', 'auto_published_comments', 'posts_per_page');
    $post = Input::post($fields);

    // Required fields with their language line (key, fallback text).
    $required = array(
        'sitename' => array('metadata.missing_sitename', 'You need a site sitename'),
        'description' => array('metadata.missing_sitedescription', 'You need a site description'),
        'theme' => array('metadata.missing_theme', 'You need a theme'),
    );
    $errors = array();
    foreach ($required as $field => $line) {
        if (empty($post[$field])) {
            $errors[] = Lang::line($line[0], $line[1]);
        }
    }

    // auto publish comments: store as a 1/0 flag
    if ($post['auto_published_comments']) {
        $post['auto_published_comments'] = 1;
    } else {
        $post['auto_published_comments'] = 0;
    }

    // posts per page must be a whole number above 0; anything else defaults to 10
    $perPage = intval($post['posts_per_page']);
    $post['posts_per_page'] = $perPage > 0 ? $perPage : 10;

    if (count($errors)) {
        Notifications::set('error', $errors);
        return false;
    }

    foreach ($post as $key => $value) {
        Db::update('meta', array('value' => $value), array('key' => $key));
    }

    Notifications::set('success', Lang::line('metadata.meta_success_updated', 'Your metadata has been updated'));
    return true;
}
/**
 * The login action, when you do login/login
 *
 * A request without a valid CSRF token is logged out, sent home and ended.
 * Otherwise LoginModel::login() is given the posted user name, password and
 * "remember me" flag. A posted `redirect` value selects where the user goes
 * after a successful login (URL-decoded, leading slashes stripped) and is
 * carried back to the login form (URL-encoded) after a failed one.
 */
public function login()
{
    // check if csrf token is valid
    if (!Csrf::isTokenValid()) {
        LoginModel::logout();
        Redirect::home();
        exit;
    }

    // perform the login method, put result (true or false) into $loggedIn
    $loggedIn = LoginModel::login(
        Request::post('user_name'),
        Request::post('user_password'),
        Request::post('set_remember_me_cookie')
    );
    $redirectTarget = Request::post('redirect');

    if ($loggedIn) {
        if ($redirectTarget) {
            // NOTE(review): the decoded target is passed on as-is after stripping leading
            // slashes; confirm Redirect::toPreviousViewedPageAfterLogin() keeps it local.
            Redirect::toPreviousViewedPageAfterLogin(ltrim(urldecode($redirectTarget), '/'));
            return;
        }
        Redirect::to('user/index');
        return;
    }

    if ($redirectTarget) {
        Redirect::to('login?redirect=' . ltrim(urlencode($redirectTarget), '/'));
        return;
    }
    Redirect::to('login/index');
}
/**
 * Edit user name (perform the real action after form has been submitted)
 *
 * With a valid CSRF token the posted `user_name` is handed to
 * UserModel::editUserName() and the browser returns to the edit form.
 * Without one the session is ended, the browser is sent home and the
 * request stops here.
 */
public function editUsername_action()
{
    if (Csrf::isTokenValid()) {
        UserModel::editUserName(Request::post('user_name'));
        Redirect::to('user/editUsername');
        return;
    }

    // invalid csrf token: drop the session and leave
    LoginModel::logout();
    Redirect::home();
    exit;
}
/**
 * Lists the other members visible to the logged-in admin.
 *
 * The acting user comes from $_SESSION['id_user'] and must pass
 * CheckUsers::checkIfAdmin(). The view receives a CSRF token (for the
 * per-member actions), the member list and the mail list of active members.
 *
 * @param array $parameters route parameters (unused here)
 */
function process($parameters)
{
    $currentUserId = $_SESSION['id_user'];
    $checkUsers = new CheckUsers();

    if (!$checkUsers->checkIfAdmin($currentUserId)) {
        $this->redirect('error'); // assumes redirect() terminates the request — confirm
    }

    $members = $checkUsers->getMembers($currentUserId, $this->language);

    // keep the key order: csrf, activeMemberMailList, members
    $this->data['csrf'] = Csrf::getCsrfToken();
    $this->data['activeMemberMailList'] = $checkUsers->getActiveMemberMailList($members);
    $this->data['members'] = $members;
    $this->header['title'] = ['cs' => 'Ostatní členové', 'en' => 'Other members'];
    $this->view = 'checkUsers';
}
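/**
 * Deactivates a member (admin action triggered from a link).
 *
 * The acting admin ($_SESSION['id_user']) must be an admin of the target
 * user. The CSRF token travels in the URL as the second route parameter
 * rather than in a POST body, so it may be missing entirely; it is read
 * with isset() to avoid an undefined-index notice and then validated
 * (a missing token fails validation like any other bad token). On success
 * the user is deactivated by e-mail address; either way the browser is
 * sent back to the member list.
 *
 * @param array $parameters route parameters: [0] = id of the user to deactivate,
 *                          [1] = CSRF token carried in the URL
 */
public function process($parameters)
{
    $activation = new Activation();
    $userId = $parameters[0];

    // Only an admin of this user may deactivate them.
    if (!$activation->checkIfIsAdminOfUser($_SESSION['id_user'], $userId)) {
        $this->redirect('error'); // NOTE(review): assumes redirect() ends the request — confirm
    }

    // The token is optional in the URL, so read it without triggering a notice.
    $csrfToken = isset($parameters[1]) ? $parameters[1] : null;

    if (!Csrf::validateCsrfRequest($csrfToken)) {
        $this->messages[] = [
            's' => 'error',
            'cs' => 'Možný CSRF útok! Zkuste prosím deaktivaci znovu',
            'en' => 'Possible CSRF attack! Please try deactivation again',
        ];
    } else {
        $email = $activation->getUserEmailFromId($userId);
        $result = $activation->deactivateUser($email);
        $this->messages[] = $result;
    }

    $this->redirect('checkUsers');
}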
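/**
 * Login action: verifies the CSRF token, attempts the login and redirects.
 *
 * On a bad token the user is logged out and the method now returns at once,
 * so the posted credentials are never handed to LoginModel::login();
 * previously that only held if self::logout() itself ended the request.
 * After a successful login a posted `redirect` value (URL-decoded, leading
 * slashes stripped) selects the next page, otherwise login/showProfile.
 * A failed login goes back to login/index.
 */
public function login()
{
    if (!Csrf::isTokenValid()) {
        self::logout();
        return;
    }

    $success = LoginModel::login(
        Request::post('user_name'),
        Request::post('user_password'),
        Request::post('set_remember_me_cookie')
    );

    // check login status: if false, back to the login form
    if (!$success) {
        Redirect::to('login/index');
        return;
    }

    $target = Request::post('redirect');
    if ($target) {
        // NOTE(review): the decoded target is passed to Redirect::to() as-is after
        // stripping leading slashes; confirm Redirect::to() prefixes the application
        // URL so an absolute URL cannot be supplied here.
        Redirect::to(ltrim(urldecode($target), '/'));
    } else {
        Redirect::to('login/showProfile');
    }
}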
/**
 * Shows and processes the "change personal information" form.
 *
 * Without a route parameter the logged-in user edits their own data; with
 * one, the target user may only be edited by an admin of that user. On
 * submit the posted fields (including the CSRF token) are sanitized, the
 * token is verified, the data is validated, the customer record in
 * Fakturoid is updated, and only then the local personal data is changed.
 * Every outcome is pushed to $this->messages and the form is re-rendered
 * with the current data and a fresh CSRF token.
 *
 * @param array $parameters optional route parameters; [0] = id of the user to edit
 */
function process($parameters)
{
    $personals = new ChangePersonals();
    if (!$personals->checkLogin()) {
        $this->redirect('error'); // assumes redirect() terminates the request — confirm
    }

    // Default to the current user when no id was given in the URL.
    $sessionUserId = $_SESSION['id_user'];
    $userId = isset($parameters[0]) ? $parameters[0] : $sessionUserId;

    // Editing somebody else requires admin rights over that user.
    // (loose != kept on purpose: the URL value is a string, the session value may not be)
    $editingOther = ($userId != $sessionUserId);
    if ($editingOther && !$personals->checkIfIsAdminOfUser($sessionUserId, $userId)) {
        $this->redirect('error');
    }

    if (isset($_POST['sent'])) {
        $data = $personals->sanitize([
            'firstname' => $_POST['firstname'],
            'surname' => $_POST['surname'],
            'telephone' => $_POST['telephone'],
            'address' => $_POST['address'],
            'ic' => $_POST['ic'],
            'p' => $_POST['p'],
            'csrf' => $_POST['csrf'],
        ]);

        if (Csrf::validateCsrfRequest($data['csrf'])) {
            $result = $personals->validateData($data);
            if ($result['s'] == 'success') {
                $fakturoid = new FakturoidWrapper();
                // the Fakturoid customer id is needed to update the remote record
                $data['fakturoid_id'] = $fakturoid->getFakturoidIdFromUserId($userId);
                $synced = $fakturoid->updateCustomer($data);
                if ($synced == false) {
                    $result = [
                        's' => 'error',
                        'cs' => 'Bohužel se nepovedlo uložit data do Faktuoidu; zkus to prosím za pár minut',
                        'en' => 'Sorry, we didn\'n safe your data into Fakturoid; try it again after a couple of minutes please',
                    ];
                } else {
                    $result = $personals->changePersonalData($data, $userId);
                }
            }
            $this->messages[] = $result;
        } else {
            $this->messages[] = [
                's' => 'error',
                'cs' => 'Možný CSRF útok! Zkuste prosím změnit údaje znovu',
                'en' => 'Possible CSRF attack! Please try to change your personals again',
            ];
        }
    }

    // data for the form
    $userData = $personals->getUserData($userId);
    $this->data = $userData['user'];
    $this->data['csrf'] = Csrf::getCsrfToken();
    $this->header['title'] = ['cs' => 'Změna osobních údajů', 'en' => 'Change personal information'];
    $this->view = 'changePersonals';
}
/**
 * Shows and processes the "change personal information" form.
 *
 * Without a route parameter the logged-in user edits their own data; with
 * one, the target user may only be edited by an admin of that user. On
 * submit the posted fields (including the CSRF token) are sanitized, the
 * token is verified, the data is validated and then stored. Every outcome
 * is pushed to $this->messages and the form is re-rendered with the
 * current data and a fresh CSRF token.
 *
 * @param array $parameters optional route parameters; [0] = id of the user to edit
 */
function process($parameters)
{
    $personals = new ChangePersonals();
    if (!$personals->checkLogin()) {
        $this->redirect('error'); // assumes redirect() terminates the request — confirm
    }

    // Default to the current user when no id was given in the URL.
    $sessionUserId = $_SESSION['id_user'];
    $userId = isset($parameters[0]) ? $parameters[0] : $sessionUserId;

    // Editing somebody else requires admin rights over that user.
    // (loose != kept on purpose: the URL value is a string, the session value may not be)
    $editingOther = ($userId != $sessionUserId);
    if ($editingOther && !$personals->checkIfIsAdminOfUser($sessionUserId, $userId)) {
        $this->redirect('error');
    }

    if (isset($_POST['sent'])) {
        $data = $personals->sanitize([
            'firstname' => $_POST['firstname'],
            'surname' => $_POST['surname'],
            'telephone' => $_POST['telephone'],
            'address' => $_POST['address'],
            'ic' => $_POST['ic'],
            'p' => $_POST['p'],
            'csrf' => $_POST['csrf'],
        ]);

        if (Csrf::validateCsrfRequest($data['csrf'])) {
            $result = $personals->validateData($data);
            if ($result['s'] == 'success') {
                $result = $personals->changePersonalData($data, $userId);
            }
            $this->messages[] = $result;
        } else {
            $this->messages[] = [
                's' => 'error',
                'cs' => 'Možný CSRF útok! Zkuste prosím změnit údaje znovu',
                'en' => 'Possible CSRF attack! Please try change your personals again',
            ];
        }
    }

    // data for the form
    $user = $personals->getUserData($userId, $this->language);
    $this->data = $user['user'];
    $this->data['csrf'] = Csrf::getCsrfToken();
    $this->header['title'] = ['cs' => 'Změna osobních údajů', 'en' => 'Change Personal info'];
    $this->view = 'changePersonals';
}
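/**
 * Edit user name (perform the real action after form has been submitted)
 * Auth::checkAuthentication() makes sure that only logged in users can use this action
 *
 * A request whose CSRF token does not validate logs the user out and stops
 * here; previously the method fell through to UserModel::editUserName()
 * unless self::logout() itself ended the request.
 */
public function editUsername_action()
{
    Auth::checkAuthentication();

    // check if csrf token is valid
    if (!Csrf::isTokenValid()) {
        self::logout();
        return;
    }

    UserModel::editUserName(Request::post('user_name'));
    Redirect::to('login/index');
}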
/**
 * Do something after content is loaded from DB
 *
 * Hands the global template object to Csrf::add_placeholder() so the CSRF
 * token placeholder becomes available to the page being rendered.
 *
 * @param \Cx\Core\ContentManager\Model\Entity\Page $page The resolved page (not used here)
 */
public function postContentLoad(\Cx\Core\ContentManager\Model\Entity\Page $page)
{
    // $objTemplate is owned by the surrounding framework; assumes it is set by now — confirm
    global $objTemplate;
    Csrf::add_placeholder($objTemplate);
}
/**
 * Renders a form container.
 *
 * Pushes the container's `if` test on the stack when present, appends the
 * container's prefix, narrows $data to $data[$form->name] for a named form
 * (empty array when absent), emits the <form> tag plus a hidden `_csrf`
 * field when the form has an action, renders every child element, unwinds
 * the stack and finally closes the <form> tag.
 *
 * @param Container $form   the form definition to render
 * @param mixed     $data   values used to fill the elements
 * @param string    $prefix name prefix inherited from enclosing containers
 */
function render(Container $form, $data, $prefix = '')
{
    if ($form->if) {
        $this->pushStack(new Test($prefix . $form->if), $data);
    }

    // Add the forms prefix on
    $prefix .= $form->prefix;

    // Group by the form name if it is set
    if ($form->name) {
        $data = isset($data[$form->name]) ? $data[$form->name] : array();
    }

    // Render the <form> tag if it has an action
    if ($form->action) {
        $formAttributes = array(
            'id' => $form->id,
            'action' => $form->action,
            'method' => $form->method,
            'enctype' => $form->upload ? 'multipart/form-data' : NULL,
        );
        echo '<form' . Html::attributes($formAttributes) . '>', "\n";

        // Send a _csrf field with the form, bound to the form's intent and expiry
        $tokenAttributes = array(
            'type' => 'hidden',
            'name' => '_csrf',
            'value' => Csrf::generate($form->intent, $form->expire),
        );
        echo '<input' . Html::attributes($tokenAttributes) . '>', "\n";
    }

    // Render each of the elements
    foreach ($form->getElements() as $element) {
        $this->renderElement($element, $data, $prefix);
    }

    // Kill anything remaining on the stack
    $this->endStack(NULL);

    // Close the actual form
    if ($form->action) {
        echo "</form>\n";
    }
}
if ($objFWUser->objUser->login($backend)) {
    return true;
}
}
return false;
}

/**
 * Remove the CSRF protection parameter from the query string and referrer
 *
 * The token is carried as a URL parameter named self::$formkey, so it is
 * stripped from QUERY_STRING, REQUEST_URI, HTTP_REFERER and argv in $_SERVER
 * before anything downstream can copy those values into generated links or
 * logs. Each entry is rewritten only when it is non-empty.
 */
public static function cleanRequestURI()
{
    // This will remove the parameter from the first position in the query string
    // and leave an URI like "index.php&name=value", which is invalid
    //$csrfUrlModifierPattern = '#(?:\&(?:amp\;)?|\?)?'.self::$formkey.'\=[a-zA-Z0-9_]+#';
    // Better cut the parameter plus trailing ampersand, if any.
    // NOTE(review): self::$formkey is interpolated into the pattern as-is; fine while it is a
    // plain identifier, but it would need preg_quote() if it ever contained regex metacharacters.
    $csrfUrlModifierPattern = '/' . self::$formkey . '\\=[a-zA-Z0-9_]+\\&?/';
    // This will leave the URI valid, even if it's the last parameter;
    // a trailing question mark or ampersand does no harm.
    !empty($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] = preg_replace($csrfUrlModifierPattern, '', $_SERVER['QUERY_STRING']) : false;
    !empty($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] = preg_replace($csrfUrlModifierPattern, '', $_SERVER['REQUEST_URI']) : false;
    !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] = preg_replace($csrfUrlModifierPattern, '', $_SERVER['HTTP_REFERER']) : false;
    // argv is an array, so the matching entries are dropped with preg_grep() instead of rewritten
    !empty($_SERVER['argv']) ? $_SERVER['argv'] = preg_grep($csrfUrlModifierPattern, $_SERVER['argv'], PREG_GREP_INVERT) : false;
}

/**
 * Switch the class into frontend mode.
 *
 * Also narrows PHP's url_rewriter.tags setting to the listed tags; the @
 * hides the warning ini_set() would emit if the option cannot be changed.
 */
public static function setFrontendMode()
{
    self::$frontend_mode = true;
    @ini_set('url_rewriter.tags', 'area=href,frame=src,iframe=src,input=src,form=,fieldset=');
}
}

// Runs at include time: every request is cleaned as soon as this file is loaded.
Csrf::cleanRequestURI();
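/**
 * Creates a page from the posted admin form.
 *
 * Order of checks: CSRF token, required name and title, then the slug is
 * resolved (posted slug, falling back to the name) and normalised with
 * Str::slug() *before* the duplicate lookup, so the value compared against
 * the `pages` table is the one that will actually be stored. Previously the
 * raw posted value was compared, which let two different raw values collapse
 * to the same stored slug. The duplicate lookup is a parameterised query.
 *
 * @return bool true when the page row was inserted, false on token or validation failure
 */
public static function add()
{
    // verify Csrf token
    if (Csrf::verify(Input::post('token')) === false) {
        Notifications::set('error', 'Invalid token');
        return false;
    }

    $post = Input::post(array('slug', 'name', 'title', 'content', 'redirect', 'status'));
    $errors = array();

    $nameMissing = empty($post['name']);
    if ($nameMissing) {
        $errors[] = Lang::line('pages.missing_name', 'Please enter a name');
    }

    if (empty($post['title'])) {
        $errors[] = Lang::line('pages.missing_title', 'Please enter a title');
    }

    // Resolve and format the slug first so the duplicate check sees the stored form.
    // Skipped when the name is missing: the request is rejected anyway and there is
    // no fallback value to slug.
    if (!$nameMissing) {
        if (empty($post['slug'])) {
            $post['slug'] = $post['name'];
        }
        $post['slug'] = Str::slug($post['slug']);

        // check for duplicate slug
        $sql = "select id from pages where slug = ?";
        if (Db::row($sql, array($post['slug']))) {
            $errors[] = Lang::line('pages.duplicate_slug', 'A pages with the same slug already exists, please change your page slug.');
        }
    }

    if (count($errors)) {
        Notifications::set('error', $errors);
        return false;
    }

    Db::insert('pages', $post);

    Notifications::set('success', Lang::line('pages.page_success_created', 'Your new page has been added'));
    return true;
}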
/*
|--------------------------------------------------------------------------
| CSRF Protection Filter
|--------------------------------------------------------------------------
|
| The CSRF filter is responsible for protecting your application against
| cross-site request forgery attacks. If this special token in a user
| session does not match the one given in this request, we'll bail.
|
| Only GET and OPTIONS are exempt (note that HEAD is not in that list);
| every other method must present a valid token.
|
*/
Route::filter('csrf', function () {
    $safeMethod = Request::isMethod('get') || Request::isMethod('options');
    if (!$safeMethod) {
        // throws exception if token invalid
        Csrf::check();
    }
});

/*
|--------------------------------------------------------------------------
| X-Frame-Options Header Filter
|--------------------------------------------------------------------------
|
| Prevents pages being loaded in an iframe. The response object is
| duck-typed, so the header is only set when it can carry one.
|
*/
Route::filter('setXFrameOptionsHeader', function ($route, $request, $response) {
    if (!method_exists($response, 'header')) {
        return;
    }
    $response->header('X-Frame-Options', 'deny');
});

/*
/**
 * Whether this form was submitted with a CSRF token present.
 *
 * Requires the parent's submission test to pass and the `_csrf` POST field
 * to exist, then returns whatever Csrf::check() reports for that token
 * against the form's intent; in every other case false.
 */
function submitted()
{
    $hasToken = parent::submitted() && isset($_POST['_csrf']);
    return $hasToken ? Csrf::check($_POST['_csrf'], $this->intent) : false;
}
<h4>editUsername</h4>

<!-- echo out the system feedback (error and success messages) -->
<?php $this->renderFeedbackMessages(); ?>

<h4>Change your username</h4>
<!-- posts to the editUserName_action route; confirm the spelling matches the controller action -->
<form action="<?php echo Config::get('URL'); ?>user/editUserName_action" method="post">
    <!-- btw http://stackoverflow.com/questions/774054/should-i-put-input-tag-inside-label-tag -->
    <label>
        New username:
        <input type="text" name="user_name" required />
    </label>
    <!-- set CSRF token at the end of the form -->
    <!-- NOTE(review): the token must be the only content of value="" (no surrounding
         whitespace), otherwise the server-side comparison fails -->
    <input type="hidden" name="csrf_token" value="<?php echo Csrf::makeToken(); ?>" />
    <input type="submit" value="Submit" />
</form>
return View::create('upgrade', $vars)->partial('header', 'partials/header')->partial('footer', 'partials/footer');
});

/* List extend */
// Admin-only (before => 'auth'); issues a CSRF token for the forms on the extend page.
Route::get('admin/extend', array('before' => 'auth', 'main' => function ($page = 1) {
    $vars['messages'] = Notify::read();
    $vars['token'] = Csrf::token();

    return View::create('extend/index', $vars)->partial('header', 'partials/header')->partial('footer', 'partials/footer');
}));

// Returns the extended-field markup for a page type as JSON, together with a
// fresh hidden token input so the caller can submit the resulting form.
Route::post('admin/get_fields', array('before' => 'auth', 'main' => function () {
    $input = Input::get(array('id', 'pagetype'));

    // get the extended fields
    $vars['fields'] = Extend::fields('page', -1, $input['pagetype']);
    $html = View::create('pages/fields', $vars)->render();

    $token = '<input name="token" type="hidden" value="' . Csrf::token() . '">';

    return Response::json(array('token' => $token, 'html' => $html));
}));

/* Upload an image */
// Stores the uploaded file under content/ and returns its public URI. The array
// passed to Uploader is presumably an extension allow-list — confirm in Uploader.
// NOTE(review): no CSRF token is verified in this POST handler; confirm the 'auth'
// filter or Uploader covers that, or add a Csrf check like the other admin forms.
Route::post('admin/upload', array('before' => 'auth', 'main' => function () {
    $uploader = new Uploader(PATH . 'content', array('png', 'jpg', 'bmp', 'gif', 'pdf'));
    $filepath = $uploader->upload($_FILES['file']);

    // basename() keeps only the stored file name when building the URI
    $uri = Config::app('url', '/') . 'content/' . basename($filepath);
    $output = array('uri' => $uri);

    return Response::json($output);
}));

/* 404 error */
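/**
 * Creates a post from the posted admin form.
 *
 * Checks, in order: CSRF token, parsable `created` date (strtotime()),
 * required title, description and html, then the slug (posted value or the
 * title as fallback) is normalised with Str::slug() and checked against the
 * `posts` table with a parameterised query. Custom fields arrive as
 * field[key:label] => value and are stored JSON-encoded in custom_fields;
 * the html/css/js bodies are stored as posted. The author is the
 * authenticated user.
 *
 * The only behavioural change from the previous version is in the custom
 * field loop: a field key without a ':' used to raise an undefined-offset
 * notice from list(); the pair is now padded (label = null) first.
 *
 * @return bool true when the post row was inserted, false on token or validation failure
 */
public static function add()
{
    // verify Csrf token
    if (Csrf::verify(Input::post('token')) === false) {
        Notifications::set('error', 'Invalid token');
        return false;
    }

    $post = Input::post(array('title', 'slug', 'created', 'description', 'html', 'css', 'js', 'status', 'field', 'comments'));
    $errors = array();

    // strtotime() returns false for an unparsable date
    $post['created'] = strtotime($post['created']);
    if ($post['created'] === false) {
        $errors[] = Lang::line('posts.invalid_date', 'Please enter a valid date');
    }

    if (empty($post['title'])) {
        $errors[] = Lang::line('posts.missing_title', 'Please enter a title');
    }

    if (empty($post['description'])) {
        $errors[] = Lang::line('posts.missing_description', 'Please enter a description');
    }

    if (empty($post['html'])) {
        $errors[] = Lang::line('posts.missing_html', 'Please enter your html');
    }

    // use title as fallback
    if (empty($post['slug'])) {
        $post['slug'] = $post['title'];
    }

    // format slug
    $post['slug'] = Str::slug($post['slug']);

    // check for duplicate slug (parameterised; the slug is user input)
    $sql = "select id from posts where slug = ?";
    if (Db::row($sql, array($post['slug']))) {
        $errors[] = Lang::line('posts.duplicate_slug', 'A post with the same slug already exists, please change your post slug.');
    }

    if (count($errors)) {
        Notifications::set('error', $errors);
        return false;
    }

    // custom fields: field[key:label] => value; pad so a key without ':' yields label = null
    $custom = array();
    if (is_array($post['field'])) {
        foreach ($post['field'] as $keylabel => $value) {
            list($key, $label) = array_pad(explode(':', $keylabel), 2, null);
            $custom[$key] = array('label' => $label, 'value' => $value);
        }
    }

    // remove from update
    unset($post['field']);

    $post['custom_fields'] = json_encode($custom);

    // set author
    $user = Users::authed();
    $post['author'] = $user->id;

    Db::insert('posts', $post);

    Notifications::set('success', Lang::line('posts.post_success_created', 'Your new post has been added'));
    return true;
}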
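?>
</h1>

<?php echo Notifications::read(); ?>

<section class="content">
    <form method="post" action="<?php echo Url::current(); ?>">
        <!-- CSRF token; the value must contain nothing but the token -->
        <input name="token" type="hidden" value="<?php echo Csrf::token(); ?>">
        <fieldset>
            <p>
                <label for="user"><?php echo __('users.username', 'Username'); ?>:</label>
                <?php
                    // Attribute context: escape with htmlspecialchars() instead of
                    // FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1 and strips
                    // legitimate characters rather than encoding them. The (string) cast
                    // keeps a missing POST value ('' / null) from tripping the function.
                ?>
                <input autocapitalize="off" name="user" id="user" value="<?php echo htmlspecialchars((string) Input::post('user'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>">
            </p>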
/**
 * Creates a user from the posted admin form.
 *
 * Checks: CSRF token; username present and not already taken; password
 * present; email valid per FILTER_VALIDATE_EMAIL; display name present.
 * Before the insert the password is hashed with Hash::make(), the email is
 * lower-cased and trimmed, and tags are stripped from real_name. Failures
 * and the success notice are reported through Notifications.
 *
 * @return bool true when the user row was inserted, false on token or validation failure
 */
public static function add()
{
    // verify Csrf token
    if (Csrf::verify(Input::post('token')) === false) {
        Notifications::set('error', 'Invalid token');
        return false;
    }

    $post = Input::post(array('username', 'password', 'email', 'real_name', 'bio', 'status', 'role'));
    $errors = array();

    if (empty($post['username'])) {
        $errors[] = Lang::line('users.missing_username', 'Please enter a username');
    } elseif (static::find(array('username' => $post['username']))) {
        $errors[] = Lang::line('users.username_exists', 'Username is already being used');
    }

    if (empty($post['password'])) {
        $errors[] = Lang::line('users.missing_password', 'Please enter a password');
    }

    $emailValid = filter_var($post['email'], FILTER_VALIDATE_EMAIL) !== false;
    if (!$emailValid) {
        $errors[] = Lang::line('users.invalid_email', 'Please enter a valid email address');
    }

    if (empty($post['real_name'])) {
        $errors[] = Lang::line('users.missing_name', 'Please enter a display name');
    }

    if (count($errors)) {
        Notifications::set('error', $errors);
        return false;
    }

    $record = $post;
    // encrypt password
    $record['password'] = Hash::make($post['password']);
    // format email
    $record['email'] = strtolower(trim($post['email']));
    // strip tags on real_name (http://osvdb.org/show/osvdb/79659)
    $record['real_name'] = strip_tags($post['real_name']);

    // add record
    Db::insert('users', $record);

    Notifications::set('success', Lang::line('users.user_success_created', 'A new user has been added'));
    return true;
}
Notify::error($errors);
return Response::redirect('admin/users/edit/' . $id);
}

// Only re-hash when a new password was supplied.
if ($password_reset) {
    $input['password'] = Hash::make($input['password']);
}

User::update($id, $input);

Notify::success(__('users.updated'));

return Response::redirect('admin/users/edit/' . $id);
});

/* Add user */
// Renders the add-user form with a CSRF token and the status/role choices.
Route::get('admin/users/add', function () {
    $vars['messages'] = Notify::read();
    $vars['token'] = Csrf::token();

    $vars['statuses'] = array('inactive' => __('global.inactive'), 'active' => __('global.active'));
    $vars['roles'] = array('administrator' => __('global.administrator'), 'editor' => __('global.editor'), 'user' => __('global.user'));

    return View::create('users/add', $vars)->partial('header', 'partials/header')->partial('footer', 'partials/footer');
});

// Handles the add-user form. NOTE(review): the GET route above issues a CSRF token but,
// as far as visible here, this handler does not verify one — confirm the check happens
// before the user is created.
Route::post('admin/users/add', function () {
    $input = Input::get(array('username', 'email', 'real_name', 'password', 'bio', 'status', 'role'));

    $validator = new Validator($input);

    // NOTE(review): is_max(3, ...) is paired with a "username_missing" message and a
    // 6-character password rule; confirm is_max() is really a minimum-length check.
    $validator->check('username')->is_max(3, __('users.username_missing', 2));
    $validator->check('email')->is_email(__('users.email_missing'));
    $validator->check('password')->is_max(6, __('users.password_too_short', 6));

    if ($errors = $validator->errors()) {
        Input::flash();
        Notify::error($errors);
        return Response::redirect('admin/users/add');
    }
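/**
 * AJAX endpoint that emits a freshly generated public key.
 *
 * Csrf::generateKeys() is expected to create a key pair and return the
 * public half, or false on failure (the original also read the private
 * half from Session::get('RSA_private'), so presumably it is stored there —
 * confirm in Csrf). The original performed an encrypt/decrypt round-trip
 * whose result was never used; it is dropped here so the handler no longer
 * touches the private key at all, and a failed generation no longer feeds
 * `false` into openssl_public_encrypt(). The response format is unchanged:
 * var_dump() of the public key, or the literal 'N' on failure.
 */
public function ajaxSalt()
{
    $publicKey = Csrf::generateKeys();

    if ($publicKey === false) {
        echo 'N';
        return;
    }

    // var_dump() output kept for compatibility with the existing client;
    // a JSON response would be the conventional shape for an AJAX endpoint.
    var_dump($publicKey);
}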