Pluf Framework

Pluf Framework Git Source Tree

Root/src/Pluf/Middleware/Csrf.php

1<?php
2/* -*- tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
3/*
4# ***** BEGIN LICENSE BLOCK *****
5# This file is part of Plume Framework, a simple PHP Application Framework.
6# Copyright (C) 2001-2007 Loic d'Anterroches and contributors.
7#
8# Plume Framework is free software; you can redistribute it and/or modify
9# it under the terms of the GNU Lesser General Public License as published by
10# the Free Software Foundation; either version 2.1 of the License, or
11# (at your option) any later version.
12#
13# Plume Framework is distributed in the hope that it will be useful,
14# but WITHOUT ANY WARRANTY; without even the implied warranty of
15# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16# GNU Lesser General Public License for more details.
17#
18# You should have received a copy of the GNU Lesser General Public License
19# along with this program; if not, write to the Free Software
20# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
21#
22# ***** END LICENSE BLOCK ***** */
23
24/**
25 * Cross Site Request Forgery Middleware.
26 *
27 * This class provides a middleware that implements protection against
28 * request forgeries from other sites. This middleware must be before
29 * the Pluf_Middleware_Session middleware.
30 *
31 * Based on concepts from the Django CSRF middleware.
32 */
33class Pluf_Middleware_Csrf
34{
35 public static function makeToken($session_key)
36 {
37 return md5(Pluf::f('secret_key').$session_key);
38 }
39
40 /**
41 * Process the request.
42 *
43 * When processing the request, if a POST request with a session,
44 * we will check that the token is available and valid.
45 *
46 * @param Pluf_HTTP_Request The request
47 * @return bool false
48 */
49 function process_request(&$request)
50 {
51 if ($request->method != 'POST') {
52 return false;
53 }
54 $cookie_name = Pluf::f('session_cookie_id', 'sessionid');
55 if (!isset($request->COOKIE[$cookie_name])) {
56 // no session, nothing to do
57 return false;
58 }
59 try {
60 $data = Pluf_Middleware_Session::_decodeData($request->COOKIE[$cookie_name]);
61 } catch (Exception $e) {
62 // no valid session
63 return false;
64 }
65 if (!isset($data['Pluf_Session_key'])) {
66 // no session key
67 return false;
68 }
69 $token = self::makeToken($data['Pluf_Session_key']);
70 if (!isset($request->POST['csrfmiddlewaretoken'])) {
71 return new Pluf_HTTP_Response_Forbidden($request);
72 }
73 if ($request->POST['csrfmiddlewaretoken'] != $token) {
74 return new Pluf_HTTP_Response_Forbidden($request);
75 }
76 return false;
77 }
78
79 /**
80 * Process the response of a view.
81 *
82 * If we find a POST form, add the token to it.
83 *
84 * @param Pluf_HTTP_Request The request
85 * @param Pluf_HTTP_Response The response
86 * @return Pluf_HTTP_Response The response
87 */
88 function process_response($request, $response)
89 {
90 $cookie_name = Pluf::f('session_cookie_id', 'sessionid');
91 if (!isset($request->COOKIE[$cookie_name])) {
92 // no session, nothing to do
93 return $response;
94 }
95 if (!isset($response->headers['Content-Type'])) {
96 return $response;
97 }
98 try {
99 $data = Pluf_Middleware_Session::_decodeData($request->COOKIE[$cookie_name]);
100 } catch (Exception $e) {
101 // no valid session
102 return $response;
103 }
104 if (!isset($data['Pluf_Session_key'])) {
105 // no session key
106 return $response;
107 }
108 $ok = false;
109 $cts = array('text/html', 'application/xhtml+xml');
110 foreach ($cts as $ct) {
111 if (false !== strripos($response->headers['Content-Type'], $ct)) {
112 $ok = true;
113 break;
114 }
115 }
116 if (!$ok) {
117 return $response;
118 }
119 $token = self::makeToken($data['Pluf_Session_key']);
120 $extra = '<div style="display:none;"><input type="hidden" name="csrfmiddlewaretoken" value="'.$token.'" /></div>';
121 $response->content = preg_replace('/(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)/i', '$1'.$extra, $response->content);
122 return $response;
123 }
124}

Archive Download this file

Branches

Tags