From 1b6353456321386c0ac46cd544618c93c2e39c2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maurice=20Preu=C3=9F=20=28envoyr=29?=
Date: Mon, 26 Dec 2022 14:12:21 +0100
Subject: [PATCH] update csrf initialization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Maurice Preuß (envoyr)
---
 lib/init.php | 13 +++++++++----
 templates/Froxlor/base.html.twig | 2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/lib/init.php b/lib/init.php
index 4081555e..33785834 100644
--- a/lib/init.php
+++ b/lib/init.php
@@ -314,15 +314,20 @@ $mail = new Mailer(true);
 // initialize csrf
 if (CurrentUser::hasSession()) {
- $new_token = Froxlor::genSessionId(20);
- UI::twig()->addGlobal('csrf_token', $new_token);
- if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ // create new csrf token if not set
+ if (!$csrf_token = CurrentUser::getField('csrf_token')) {
+ $csrf_token = Froxlor::genSessionId(20);
+ CurrentUser::setField('csrf_token', $csrf_token);
+ }
+ // set csrf token for twig
+ UI::twig()->addGlobal('csrf_token', $csrf_token);
+ // check if csrf token is valid
+ if (in_array($_SERVER['REQUEST_METHOD'], ['POST', 'PUT', 'PATCH', 'DELETE'])) {
 $current_token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
 if ($current_token != CurrentUser::getField('csrf_token')) {
 Response::dynamicError('CSRF validation failed');
 }
 }
- CurrentUser::setField('csrf_token', $new_token);
 // update cookie lifetime
 $cookie_params = [
 'expires' => time() + Settings::Get('session.sessiontimeout'),
diff --git a/templates/Froxlor/base.html.twig b/templates/Froxlor/base.html.twig
index 41b0d018..881184eb 100644
--- a/templates/Froxlor/base.html.twig
+++ b/templates/Froxlor/base.html.twig
@@ -7,7 +7,7 @@
-
+ {% if csrf_token %}{% endif %}
 {% if theme_css is empty %}
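Review bot: The token check that the new code now applies to POST, PUT, PATCH and DELETE still compares with loose `!=` on the unchanged line `if ($current_token != CurrentUser::getField('csrf_token'))`, so a stored value that is null/false or a non-string submitted value can be compared in surprising ways, and the comparison is not constant-time. Since the token now persists for the whole session instead of being rotated per request, this check carries more weight; I would read the stored token once and compare with `hash_equals()`: `$stored_token = CurrentUser::getField('csrf_token');` and `if (!is_string($current_token) || !is_string($stored_token) || !hash_equals($stored_token, $current_token)) {`. The new method check should also pass `strict: true` to `in_array(...)`, and the condition `if (!$csrf_token = CurrentUser::getField('csrf_token'))` assigns inside the test and relies on truthiness, which is hard to read; `$csrf_token = CurrentUser::getField('csrf_token');` followed by an explicit empty/`is_string` check would state the intent. The enclosing `if (CurrentUser::hasSession())` block continues past the end of the hunk.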