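/**
 * Validates the CSRF name/token pair submitted with a POST request, then starts
 * output buffering so csrfguard_inject() can add fresh tokens to the rendered
 * page at shutdown.
 *
 * Both $_POST['CSRFName'] and $_POST['CSRFToken'] must be present as strings and
 * must pass csrfguard_validate_token(); otherwise an E_USER_ERROR is raised and
 * the script stops. Requests with an empty $_POST are not checked.
 *
 * @return void
 */
function csrfguard_start()
{
    if (count($_POST)) {
        $name = $_POST['CSRFName'] ?? null;
        $token = $_POST['CSRFToken'] ?? null;

        // Missing fields and non-string values (e.g. CSRFName[]=x) are rejected
        // up front so the validator never sees an array.
        if (!is_string($name) || !is_string($token)) {
            trigger_error("No CSRFName found, probable invalid request.", E_USER_ERROR);
            // E_USER_ERROR is fatal by default, but a custom error handler that
            // returns lets execution continue; never fall through to the
            // protected page in that case.
            exit(1);
        }

        if (!csrfguard_validate_token($name, $token)) {
            trigger_error("Invalid CSRF token.", E_USER_ERROR);
            exit(1);
        }
    }

    ob_start();
    // Quoted callable name: a bare csrfguard_inject would be read as an
    // undefined constant.
    register_shutdown_function('csrfguard_inject');
}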
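/**
 * Validates the CSRF tokens found in $_POST. Redirects to the error page and
 * stops the script if the name/token pair is missing, empty or invalid.
 *
 * Requests with an empty $_POST are not checked. On failure the user is sent to
 * $_SESSION['basehref'] . 'error.php' via redirect() (defined elsewhere); exit
 * is called afterwards so nothing runs even if redirect() returns.
 *
 * @return void
 */
function csrfguard_start()
{
    if (count($_POST)) {
        if (!isset($_POST['CSRFName'])) {
            // NOTE(review): the message is a fixed string but is not urlencoded;
            // kept as-is to leave the produced URL unchanged.
            redirect($_SESSION['basehref'] . 'error.php?message=No CSRFName found, probable invalid request.');
            exit;
        }

        // 20151107
        // A missing CSRFToken previously raised an undefined-index warning and
        // passed null to trim(); it is now treated as an empty (invalid) token.
        // Array values (CSRFName[]=x) are rejected the same way.
        $rawName = $_POST['CSRFName'];
        $rawToken = $_POST['CSRFToken'] ?? '';
        $name = is_string($rawName) ? trim($rawName) : '';
        $token = is_string($rawToken) ? trim($rawToken) : '';

        $good = strlen($name) > 0 && strlen($token) > 0;
        if (!$good || !csrfguard_validate_token($name, $token)) {
            redirect($_SESSION['basehref'] . 'error.php?message=Invalid CSRF token.');
            exit;
        }
    }
}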
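/**
 * A constructor for a CSRF object.
 *
 * Checks the CSRFName/CSRFToken pair submitted with a POST request; requests
 * with an empty $_POST are not checked.
 *
 * @throws \Exception when CSRFName or CSRFToken is expected and not found
 * @throws \Exception when token or name is not as stored in session
 */
public function __construct()
{
    if (empty($_POST)) {
        return;
    }

    $name = $_POST['CSRFName'] ?? null;
    $token = $_POST['CSRFToken'] ?? null;

    // Missing and non-string values are rejected here so the validator never
    // sees an array. `new` is required: a bare `throw Exception(...)` calls an
    // undefined function and raises an Error instead of the documented Exception.
    if (!is_string($name) || !is_string($token)) {
        throw new \Exception('No CSRFName found, probable invalid request.');
    }

    if (!csrfguard_validate_token($name, $token)) {
        throw new \Exception('Invalid CSRF token');
    }
}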
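/**
 * Validates the CSRF name/token pair submitted with a POST request, then starts
 * output buffering so csrfguard_inject() can add fresh tokens to the rendered
 * page at shutdown.
 *
 * Both $_POST['CSRFName'] and $_POST['CSRFToken'] must be present as strings and
 * must pass csrfguard_validate_token(); otherwise an E_USER_ERROR is raised and
 * the script stops. Requests with an empty $_POST are not checked.
 *
 * @return void
 */
function csrfguard_start()
{
    if (count($_POST)) {
        $name = $_POST['CSRFName'] ?? null;
        $token = $_POST['CSRFToken'] ?? null;

        // CSRFToken used to be read without an isset() check, producing a
        // warning and passing null to the validator; both fields are now
        // required, and array values (CSRFName[]=x) are rejected too.
        if (!is_string($name) || !is_string($token)) {
            trigger_error("No CSRFName found, probable invalid request.", E_USER_ERROR);
            // E_USER_ERROR is fatal by default, but a custom error handler that
            // returns lets execution continue; do not fall through.
            exit(1);
        }

        if (!csrfguard_validate_token($name, $token)) {
            trigger_error("Invalid CSRF token.", E_USER_ERROR);
            exit(1);
        }
    }

    ob_start();
    register_shutdown_function('csrfguard_inject');
}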
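// Role management page: only the 'delete' action needs a pre-check, because a
// role that still has users assigned must not be removed.
$role = null;
// NOTE(review): initialised here so the check below never reads an undefined
// variable — confirm nothing earlier in the page already sets $doDelete.
$doDelete = false;
switch ($args->doAction) {
    case 'delete':
        $role = tlRole::getByID($db, $args->roleid, tlRole::TLOBJ_O_GET_DETAIL_MINIMUM);
        if ($role) {
            $affectedUsers = $role->getAllUsersWithRole($db);
            $doDelete = count($affectedUsers) === 0;
        }
        break;

    default:
        break;
}

$userFeedback = null;
if ($doDelete) {
    // CSRF check: a state-changing delete must carry a valid id/token pair,
    // otherwise the request is logged and aborted.
    if ($args->csrfid !== null
        && $args->csrftoken !== null
        && csrfguard_validate_token($args->csrfid, $args->csrftoken)) {
        // only NON SYSTEM ROLES CAN be deleted
        if ($args->roleid > TL_LAST_SYSTEM_ROLE) {
            $userFeedback = deleteRole($db, $args->roleid);
            checkSessionValid($db); // refresh the current user
        }
    } else {
        $msg = lang_get('CSRF_attack');
        tLog($msg, 'ERROR');
        die($msg);
    }
}

$roles = tlRole::getAll($db, null, null, null, tlRole::TLOBJ_O_GET_DETAIL_MINIMUM);
$highlight = initialize_tabsmenu();
$highlight->view_roles = 1;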