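/**
 * Executes this filter: enforces the CSRF token on POST requests and
 * refuses non-POST requests to delete* actions.
 *
 * The expected token is md5(site secret . session id). It is always
 * published on the request as the '_csrf_token' attribute so templates
 * can embed it in forms.
 *
 * @param sfFilterChain $filterChain A sfFilterChain instance
 *
 * @throws sfException when a POST checked for session riding carries no or
 *                     a wrong token, or when a delete* action is reached
 *                     with a method other than POST
 */
public function execute($filterChain)
{
    $secret = afAuthenticDatamaker::getSiteSecret();
    $context = $this->getContext();
    $request = $context->getRequest();
    $lastEntry = $context->getActionStack()->getLastEntry();
    $moduleName = $lastEntry->getModuleName();
    $actionName = $lastEntry->getActionName();

    // the same value is both verified below and handed out to views
    $expectedToken = md5($secret . session_id());

    // check only if request method is POST
    if (sfRequest::POST === $request->getMethod()) {
        if (self::isPossibleCrossSiteSessionRiding($request)) {
            $requestToken = (string) $request->getParameter('_csrf_token');

            // timed-out sessions and explicitly deactivated modules are not checked
            $isExempt = $context->getUser()->isTimedOut()
                || in_array($moduleName, sfConfig::get('app_csrf_token_deactivatedModules', array()), true);

            // error if no token or if token is not valid; hash_equals() compares in
            // constant time so a wrong token cannot be narrowed down via timing
            if (!$isExempt && ('' === $requestToken || !hash_equals($expectedToken, $requestToken))) {
                throw new sfException('CSRF attack detected.');
            }
        }
    } elseif (strpos($actionName, 'delete') === 0) {
        throw new sfException('Only POST is allowed for write-making actions.');
    }

    // provide the token to anyone interested
    $request->setAttribute('_csrf_token', $expectedToken);

    // execute next filter
    $filterChain->execute();
}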
/**
 * Builds the encoded af_formcfg value for a form.
 *
 * The configuration is run through afAuthenticDatamaker::encode(), so the
 * value handed to the browser can later be recognised by decode().
 *
 * @param string $submitUrl  URL the form is submitted to
 * @param mixed  $validators validator configuration, passed through unchanged
 * @param mixed  $fileTypes  accepted file types, passed through unchanged
 * @param bool   $wizard     when true a 'wizard' => true entry is added
 *
 * @return string the encoded form configuration
 */
public static function buildFormcfg($submitUrl, $validators, $fileTypes, $wizard = false)
{
    $config = array('url' => $submitUrl, 'validators' => $validators, 'fileTypes' => $fileTypes);

    // the wizard flag is only present when set, keeping the encoded payload minimal
    $config = $wizard ? $config + array('wizard' => true) : $config;

    return afAuthenticDatamaker::encode($config);
}
/**
 * Returns a valid af_formcfg for this form or null.
 *
 * The 'af_formcfg' request parameter is decoded by afAuthenticDatamaker;
 * a payload that does not decode, or whose 'url' path differs from the
 * current request URI (i.e. belongs to another form), yields null.
 *
 * @param sfContext $context
 *
 * @return array|null decoded form configuration, or null when absent, invalid or for a different form
 */
private static function getFormConfig($context)
{
    $request = $context->getRequest();
    $config = afAuthenticDatamaker::decode($request->getParameter('af_formcfg'));
    if (null === $config) {
        return null;
    }

    // The configuration is bound to the URL it was built for; refuse one meant for a different form.
    $currentPath = UrlUtil::getPathPart($request->getUri());
    $configPath = UrlUtil::getPathPart($config['url']);

    return $configPath === $currentPath ? $config : null;
}
<?php

include dirname(__FILE__) . '/../bootstrap/dbunit.php';

// afAuthenticDatamaker round-trip and rejection cases, then the API key
// derivation of afApikeySecurityFilter: six assertions in total.
$t = new lime_test(6, new lime_output_color());

$payload = array('hello' => 'value1', 'hello2' => 123);

// a freshly encoded payload decodes back to the same array
$t->is(afAuthenticDatamaker::decode(afAuthenticDatamaker::encode($payload)), $payload);

// inputs that must not decode: an encode() with the extra argument 1 (which this
// test expects to make the output undecodable), garbage, null and the empty string
$rejected = array(
    afAuthenticDatamaker::encode($payload, 1),
    'wrongInput',
    null,
    '',
);
foreach ($rejected as $input) {
    $t->is(afAuthenticDatamaker::decode($input), null);
}

// API key for user #1 under a fixed site secret; the key derivation depends on
// the secret, so the expected value is only stable with this setting
sfConfig::set('app_appFlower_siteSecret', 'CHANGE_ME');
$apikey = afApikeySecurityFilter::getApiKey(sfGuardUserPeer::retrieveByPk(1));
$t->is($apikey, 'RPQgOL2Pwgj06P4mkWHnip2iZMc~admin');
/**
 * Returns API key usable for the given user.
 *
 * The key is afAuthenticDatamaker::plainEncode() applied to the username,
 * with the user's stored password value as extra key material — so the key
 * stops validating once the password changes. The result pairs an
 * authentication tag with the username (the test fixture shows them joined
 * by '~'; confirm the exact layout in plainEncode()).
 *
 * @param sfGuardUser $afUser user to derive the key for (presumably; verify against callers)
 *
 * @return string
 */
public static function getApikey($afUser)
{
    $username = $afUser->getUsername();

    return afAuthenticDatamaker::plainEncode($username, $afUser->getPassword());
}
/**
 * Merges the current request's wizard data into the user's session namespace $key.
 *
 * Only the "parser/wizard" namespace is actually processed; for any other $key the
 * existing namespace content is simply re-stored. On a POST the posted edit[2]
 * fields (and any uploaded edit[] files) are written under $session[$step], either
 * appended as a new item (request parameter add=true, skipped when the post is empty
 * or duplicates an existing item) or merged into the single item for that step.
 *
 * @param string|false $step      wizard step to write to; false means "take it from the action's 'step' var"
 * @param string       $key       session attribute namespace
 * @param mixed        $data      unused
 * @param mixed        $datastore when truthy and the action has an 'init' var, $process supplies the datastore
 * @param array|null   $process   expected to contain ['parses'][0]['datastore'] when $datastore is set
 *
 * @return int|bool true after the session namespace has been rewritten; an upload error code
 *                  (the PHP $_FILES error value, or 4 / 0 for a missing file depending on
 *                  whether the field is required) is returned early without touching the session
 */
public static function updateSession($step = false, $key = "parser/wizard", $data = null, $datastore = null, $process = null)
{
    $context = sfContext::getInstance();
    $session = $context->getUser()->getAttributeHolder()->getAll($key);
    $add = $context->getRequest()->getParameter("add");
    $actionInstance = $context->getActionStack()->getLastEntry()->getActionInstance();
    $attribute_holder = $actionInstance->getVarHolder()->getAll();

    // Put xml data
    if ($key == "parser/wizard") {
        if (!isset($session["skip"])) {
            $session["skip"] = array();
        }
        // NOTE(review): $datastore itself is only a switch; the stored value comes from $process
        if (isset($attribute_holder["init"]) && $datastore) {
            $session["datastore"] = $process["parses"][0]["datastore"];
        }

        if ($context->getRequest()->getMethod() === sfRequest::POST) {
            $post = $context->getRequest()->getParameterHolder()->getAll();
            $empty = true;

            // Is empty post? A post counts as non-empty when any edit[2] field other
            // than "id" has non-blank content, or when edit[2] is absent but a file was uploaded.
            if (isset($post["edit"][2])) {
                foreach ($post["edit"][2] as $k => $value) {
                    if ($k == "id") {
                        continue;
                    }
                    if (trim($value)) {
                        $empty = false;
                        break;
                    }
                }
            } else {
                $post["edit"][2] = array();
                if (isset($_FILES["edit"])) {
                    $empty = false;
                }
            }

            if ($step === false) {
                $step = $attribute_holder["step"];
            }

            // Put post data
            if ($add === "true") {
                // Is a duplicate? An existing item matches when every posted edit[2]
                // field (including "id") loosely equals the stored field of that item.
                $duplicate = false;
                if (isset($session[$step])) {
                    foreach ($session[$step] as $item) {
                        $cnt = 0;
                        foreach ($post["edit"][2] as $k => $v) {
                            if (isset($item["fields"][$k]) && $v == $item["fields"][$k]) {
                                $cnt++;
                            }
                            // break only leaves the inner loop; $duplicate stays set for the rest
                            if ($cnt == sizeof($post["edit"][2])) {
                                $duplicate = true;
                                break;
                            }
                        }
                    }
                }
                if (!$empty && !$duplicate) {
                    // append a new item and address it by the highest key
                    $session[$step][] = array();
                    $sk = max(array_keys($session[$step]));
                    foreach ($post["edit"][2] as $k => $value) {
                        $session[$step][$sk]["fields"][$k] = $value;
                    }
                }
            } else {
                if (isset($post["edit"][2])) {
                    foreach ($post["edit"][2] as $k => $value) {
                        if ($k != "associated_widgets") {
                            $session[$step]["fields"][$k] = $value;
                        } else {
                            // NOTE(review): this replaces the whole $session array with
                            // updateWidgets()' return value, discarding fields stored above — confirm intended
                            $session = PdfReportsPeer::updateWidgets($value);
                        }
                    }
                }

                if (isset($_FILES["edit"])) {
                    $session[$step]["file"] = true;
                    // $_FILES["edit"] is iterated per attribute (name, type, tmp_name, error, size);
                    // $value[2][key($value[2])] picks the single file field under edit[2]
                    // (presumably edit[2][file], judging by the validator key below)
                    foreach ($_FILES["edit"] as $k => $value) {
                        if ($k == "error") {
                            if ($value[2][key($value[2])] != 0) {
                                // NOTE(review): decode() may return null for a missing or tampered
                                // af_formcfg (see getFormConfig); that case is not handled here
                                $tmp_data = afAuthenticDatamaker::decode($post["af_formcfg"]);
                                $field_data = $tmp_data["validators"]["edit[2][file]"];
                                // UPLOAD_ERR_NO_FILE: only an error when the field is required.
                                // Precedence is A || (B && C): immValidatorRequired alone suffices.
                                if ($value[2][key($value[2])] == 4) {
                                    if (array_key_exists("immValidatorRequired", $field_data) || array_key_exists("sfValidatorFile", $field_data) && $field_data["sfValidatorFile"]["params"]["required"] === "true") {
                                        return 4;
                                    } else {
                                        return 0;
                                    }
                                }
                                // any other upload error is reported as-is; the session is left untouched
                                return $value[2][key($value[2])];
                            }
                        }
                        if ($k == "type" || $k == "error") {
                            continue;
                        }
                        if ($k == "tmp_name") {
                            // the upload is copied out of PHP's temp location under its own basename;
                            // the copy() result is not checked, so a failed copy still records the path
                            $tmp_dir = sfConfig::get('app_tmp_dir') ? sfConfig::get('app_tmp_dir') : '/usr/www/tmp/';
                            $tx = substr($value[2][key($value[2])], strrpos($value[2][key($value[2])], "/") + 1);
                            copy($value[2][key($value[2])], $tmp_dir . $tx);
                            $txval = $tmp_dir . $tx;
                        } else {
                            $txval = $value[2][key($value[2])];
                        }
                        // stored as file_name, file_size, file_tmp_name
                        $k = "file_" . $k;
                        $session[$step]["fields"][$k] = $txval;
                    }
                }
            }
        }
    }

    // rewrite the namespace wholesale with the merged content
    $context->getUser()->getAttributeHolder()->removeNamespace($key);
    $context->getUser()->getAttributeHolder()->add($session, $key);

    return true;
}