/**
 * Resolves the widget the wizard should work on.
 *
 * With a `w` query parameter present, the widget is looked up by owner and ID for the
 * signed-in user; a guest is flagged in the session and sent to the sign-in page instead.
 * Without it, the unsaved widget kept in the session is reused (unless it is an owned
 * widget and nobody is signed in), or a fresh one is created; the default colour and size
 * are applied either way.
 *
 * @return mixed the Widget, or whatever redirect() yields for a guest editing by ID
 */
private function getWidget()
{
    if (!isset($_GET['w'])) {
        $draft = at($_SESSION, 'unsaved-widget', null);

        // An owned draft must not be resurrected for an anonymous session.
        // NOTE(review): this branch inspects $this->user while the edit-by-ID branch
        // below calls getActiveUser() — confirm the two always agree.
        if (isset($draft, $draft->ownerID) && empty($this->user)) {
            $this->clearWidgetInSession();
            $draft = null;
        }

        $draft = empty($draft) ? new Widget() : $draft;
        $draft->color = Widgets\defaultColor();
        $draft->width = Widgets\defaultSize()->width;
        $draft->height = Widgets\defaultSize()->height;

        return $draft;
    }

    // A `w` parameter means an existing widget is being edited, which requires a user.
    $user = $this->getActiveUser();
    if (empty($user)) {
        $_SESSION['authenticationRequired'] = true;
        return $this->redirect("/account/signin");
    }

    // NOTE(review): $_GET['w'] is passed through untouched; assumes
    // Widget::getByOwnerAndID validates/binds the ID and scopes the lookup to $user
    // so one user cannot load another's widget — confirm.
    $widget = Widget::getByOwnerAndID($user, $_GET['w']);
    $this->storeWidgetInSession($widget);

    return $widget;
}
/**
 * Exercises the wizard's defence against cross-site request forgery.
 *
 * Step one is loaded with an ordinary GET, then each wizard step is re-submitted as a
 * "raw" POST carrying only the form fields — none of the nonce/token the page may have
 * issued. A server that insists on such a token refuses both submissions (any non-success
 * status is tolerated here), and the persisted widget must still carry its original values.
 * Background: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
 */
function testResilienceToCrossSiteRequestForgeryAttack()
{
    $widget = getWidget($this->user);
    $this->get("/widget-wiz/step-one?w={$widget->id}");

    // A refused submission surfaces as UnexpectedHttpResponseCode. That is the outcome
    // we hope for, so it is swallowed and the persisted state is checked afterwards.
    $submitWithoutToken = function ($path, array $fields) {
        try {
            $this->post($path, $fields);
        } catch (UnexpectedHttpResponseCode $_) {
            // Rejected — exactly what a CSRF-protected endpoint should do.
        }
    };

    $submitWithoutToken("/widget-wiz/step-one", [
        'title' => 'Hijacked',
        'goal' => '1000',
        'currency' => 'USD',
        'ending' => "12/15/2020",
        'bitcoinAddress' => '1E3FqrQTZSvTUdw7qZ4NnZppqiqnqqNcUN',
    ]);
    $submitWithoutToken("/widget-wiz/step-two", [
        'about' => 'Show me the money!',
        'color' => Widgets\defaultColor(),
        'size' => (string) Widgets\defaultSize(),
    ]);

    // Whatever the responses were, nothing from the forged submissions may have landed.
    $persisted = Widget::getByID($widget->id);
    assertNotEqual('Hijacked', $persisted->title);
    assertNotEqual('1E3FqrQTZSvTUdw7qZ4NnZppqiqnqqNcUN', $persisted->bitcoinAddress);
    assertNotEqual('Show me the money!', $persisted->about);
}