maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

use Request-wrapper-class for every access to $_POST superglobal

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2024-05-09 15:48:23 +02:00
parent 914204b483
commit fce310049a
42 changed files with 303 additions and 254 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/init.php
View File

@@ -361,7 +361,7 @@ if (CurrentUser::hasSession()) {
UI::twig()->addGlobal('csrf_token', $csrf_token);
// check if csrf token is valid
if (in_array($_SERVER['REQUEST_METHOD'], ['POST', 'PUT', 'PATCH', 'DELETE'])) {
$current_token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
$current_token = Request::post('csrf_token', $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null);
if ($current_token != CurrentUser::getField('csrf_token')) {
http_response_code(403);
Response::dynamicError('CSRF validation failed');