summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDerek Allard <derek.allard@ellislab.com>2010-07-22 20:10:26 +0200
committerDerek Allard <derek.allard@ellislab.com>2010-07-22 20:10:26 +0200
commit958543a38c2c97b0ec4c10fc9faf4f0753143880 (patch)
tree3fe57f162c835afc278b537fd2e5932828c55e6c
parent924000e27e10eb32cff6b7666a9d41546fd5f2bd (diff)
Adding CSRF into config
Adding CSRF token into form open()
-rw-r--r--application/config/config.php11
-rw-r--r--system/helpers/form_helper.php6
-rw-r--r--system/libraries/Security.php16
-rw-r--r--user_guide/changelog.html1
4 files changed, 29 insertions, 5 deletions
diff --git a/application/config/config.php b/application/config/config.php
index bd1429a46..6e52bcc17 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -267,6 +267,17 @@ $config['global_xss_filtering'] = FALSE;
/*
|--------------------------------------------------------------------------
+| Cross Site Forgery Request
+|--------------------------------------------------------------------------
+| Enables a CSFR cookie token to be set. When set to TRUE, token will be
+| checked on a submitted form. If you are accepting user data, it is strongly
+| recommended CSRF protection be enabled.
+*/
+$config['csrf_protection'] = FALSE;
+
+
+/*
+|--------------------------------------------------------------------------
| Output Compression
|--------------------------------------------------------------------------
|
diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index 5feb3ce66..632f94505 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -62,6 +62,12 @@ if ( ! function_exists('form_open'))
$form .= form_hidden($hidden);
}
+ // CSRF
+ if ($CI->config->item('csrf_protection') === TRUE)
+ {
+ $form .= form_hidden($CI->security->csrf_token_name, $CI->security->csrf_hash);
+ }
+
return $form;
}
}
diff --git a/system/libraries/Security.php b/system/libraries/Security.php
index cdae50168..c8d435046 100644
--- a/system/libraries/Security.php
+++ b/system/libraries/Security.php
@@ -54,7 +54,7 @@ class CI_Security {
{
// Set the CSRF hash
$this->_csrf_set_hash();
-
+
log_message('debug', "Security Class Initialized");
}
@@ -67,21 +67,24 @@ class CI_Security {
* @return null
*/
function csrf_verify()
- {
+ {
// If no POST data exists we will set the CSRF cookie
if (count($_POST) == 0)
{
return $this->csrf_set_cookie();
}
+ // Append application specific cookie prefix to token name
+ $csrf_token_name = (config_item('cookie_prefix')) ? config_item('cookie_prefix').$this->csrf_token_name : $this->csrf_token_name;
+
// Do the tokens exist in both the _POST and _COOKIE arrays?
- if ( ! isset($_POST[$this->csrf_token_name]) OR ! isset($_COOKIE[$this->csrf_token_name]))
+ if ( ! isset($_POST[$this->csrf_token_name]) OR ! isset($_COOKIE[$csrf_token_name]))
{
$this->csrf_show_error();
}
// Do the tokens match?
- if ($_POST[$this->csrf_token_name] != $_COOKIE[$this->csrf_token_name])
+ if ($_POST[$this->csrf_token_name] != $_COOKIE[$csrf_token_name])
{
$this->csrf_show_error();
}
@@ -134,7 +137,10 @@ class CI_Security {
$this->csrf_hash = md5(uniqid(rand(), TRUE));
}
}
-
+
+ // Create the cookie before we finish up
+ $this->csrf_set_cookie();
+
return $this->csrf_hash;
}
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 94eff05ba..fb39d6060 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -126,6 +126,7 @@ Hg Tag: </p>
<li>Modified <kbd>get_file_info</kbd> in the file helper, changing filectime() to filemtime() for dates.</li>
<li>Modified <kbd>smiley_js()</kbd> to add optional third parameter to return only the javascript with no script tags.</li>
<li>The <kbd>img()</kbd> function of the <a href="./helpers/html_helper.html">HTML helper</a> will now generate an empty string as an alt attribute if one is not provided.</li>
+ <li>If CSRF is enabled in the application config file, <kbd>form_open()</kbd> will automatically insert it as a hidden field.</li>
</ul>
</li>
<li>Other Changes