author | Andrew Dolgov <[email protected]> | 2011-12-26 12:02:52 +0400 |
committer | Andrew Dolgov <[email protected]> | 2011-12-26 12:02:52 +0400 |
commit | 8484ce22584b8714622833adcc7ebfe3ef9cf90e (patch) | |
tree | 057d7a64c3af60e2389d519ba19e476b5fbe6212 /backend.php | |
parent | 036cd3a4106cf2eee0be72f0695458dfb517976b (diff) |
experimental CSRF protection
Diffstat (limited to 'backend.php')
-rw-r--r-- | backend.php | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/backend.php b/backend.php
index 1805ce360..2e4da500f 100644
--- a/backend.php
+++ b/backend.php
@@ -1,5 +1,5 @@
 <?php
-	set_include_path(get_include_path() . PATH_SEPARATOR . 
+	set_include_path(get_include_path() . PATH_SEPARATOR .
 		dirname(__FILE__) . "/include");
 
 	/* remove ill effects of magic quotes */
@@ -20,6 +20,11 @@
 	$op = $_REQUEST["op"];
 	@$method = $_REQUEST['subop'] ? $_REQUEST['subop'] : $_REQUEST["method"];
 
+	if (!$method)
+		$method = 'index';
+	else
+		$method = strtolower($method);
+
 	/* Public calls compatibility shim */
 
 	$public_calls = array("globalUpdateFeeds", "rss", "getUnread", "getProfiles", "share",
@@ -30,6 +35,11 @@
 		return;
 	}
 
+	$csrf_token = $_REQUEST['csrf_token'];
+
+	if (!$csrf_token)
+		error_log("[$op/$method] CSRF: [$csrf_token]\n", 3, "/tmp/csrf.log");
+
 	require_once "functions.php";
 	require_once "sessions.php";
 	require_once "sanity_check.php";
@@ -138,13 +148,17 @@
 	$handler = new $op($link, $_REQUEST);
 
 	if ($handler) {
-		if ($handler->before($method)) {
-			if ($method && method_exists($handler, $method)) {
-				$handler->$method();
-			} else if (method_exists($handler, 'index')) {
-				$handler->index();
+		if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
+			if ($handler->before($method)) {
+				if ($method && method_exists($handler, $method)) {
+					$handler->$method();
+				}
+				$handler->after();
+				return;
 			}
-			$handler->after();
+		} else {
+			header("Content-Type: text/plain");
+			print json_encode(array("error" => array("code" => 6)));
 			return;
 		}
 	}
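Review bot: The added `$method = strtolower($method)` changes what `$handler->csrf_ignore($method)` and `$handler->before($method)` receive later in this file, so any handler hook that compares against mixed-case names of the `getUnread`/`globalUpdateFeeds` style visible in `$public_calls` will stop matching and the request will be rejected as a CSRF failure; either normalise inside the hooks or document it on the `else` branch, e.g. `// method names are lowercased from here on; csrf_ignore()/before() must compare lowercase`. Separately, `if (!$method)` treats the string `"0"` as absent; `if ($method === null || $method === '')` states the intent. This statement run starts before the hunk and continues after it.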
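Review bot: The unconditional `error_log(..., 3, "/tmp/csrf.log")` should not ship as-is: it writes raw request values `$op` and `$method` to a fixed, predictable path in a world-writable directory (on a shared host another user can pre-create or symlink that file and capture or redirect the log), and nothing gates it on a debug setting. Gate it behind a config flag or drop it before this leaves "experimental". `$_REQUEST['csrf_token']` also raises an undefined-index notice on every request that lacks the token, which is presumably most requests from existing clients; use `$csrf_token = isset($_REQUEST['csrf_token']) ? $_REQUEST['csrf_token'] : '';`. Depending on `request_order`, `$_REQUEST` may also merge cookies, and a CSRF token should never be satisfiable from a cookie the browser sends automatically, so reading it from `$_GET`/`$_POST` explicitly is the safer choice.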
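Review bot: With the old `else if (method_exists($handler, 'index'))` fallback removed, a request naming a method the handler does not have now silently runs only `$handler->after()` and returns with no output, whereas it previously fell back to `index()`; if that is intended, say so in a comment on the inner `if`, otherwise answer with an error the way the CSRF branch does. The whole protection rests on `validate_csrf()` and each handler's `csrf_ignore()`, neither of which is in this hunk: `validate_csrf` must reject a null or empty `$csrf_token` (what current clients will send) and compare only against the token stored in the session, and `csrf_ignore` implementations need to default to false so the check fails closed. In the failure branch the body is JSON but the header says `text/plain`; `header("Content-Type: application/json")` matches what the client will parse, and the bare `6` deserves a named constant or at least `// 6: CSRF token missing or invalid`. `$handler` is instantiated from the request-controlled `$op`, and the enclosing block continues outside the hunk.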