-rw-r--r-- | application/config/config.php | 11 | ||||
-rw-r--r-- | system/helpers/form_helper.php | 6 | ||||
-rw-r--r-- | system/libraries/Security.php | 16 | ||||
-rw-r--r-- | user_guide/changelog.html | 1 |
4 files changed, 29 insertions, 5 deletions
diff --git a/application/config/config.php b/application/config/config.php
index bd1429a46..6e52bcc17 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -267,6 +267,17 @@ $config['global_xss_filtering'] = FALSE;
 /*
 |--------------------------------------------------------------------------
+| Cross Site Forgery Request
+|--------------------------------------------------------------------------
+| Enables a CSFR cookie token to be set. When set to TRUE, token will be
+| checked on a submitted form. If you are accepting user data, it is strongly
+| recommended CSRF protection be enabled.
+*/
+$config['csrf_protection'] = FALSE;
+
+
+/*
+|--------------------------------------------------------------------------
 | Output Compression
 |--------------------------------------------------------------------------
 |
diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index 5feb3ce66..632f94505 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -62,6 +62,12 @@ if ( ! function_exists('form_open'))
 $form .= form_hidden($hidden);
 }
+ // CSRF
+ if ($CI->config->item('csrf_protection') === TRUE)
+ {
+ $form .= form_hidden($CI->security->csrf_token_name, $CI->security->csrf_hash);
+ }
+
 return $form;
 }
 }
diff --git a/system/libraries/Security.php b/system/libraries/Security.php
index cdae50168..c8d435046 100644
--- a/system/libraries/Security.php
+++ b/system/libraries/Security.php
@@ -54,7 +54,7 @@ class CI_Security {
 {
 // Set the CSRF hash
 $this->_csrf_set_hash();
-
+
 log_message('debug', "Security Class Initialized");
 }
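Review bot: The heading and first sentence of the new comment block in config.php misspell the feature it documents: `| Cross Site Forgery Request` should read `| Cross Site Request Forgery`, and `| Enables a CSFR cookie token to be set.` should read `| Enables a CSRF cookie token to be set.`, matching the key `csrf_protection` and the block's last sentence. This block is the only description a user reads before enabling the option, so the wording should be exact.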
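Review bot: The new block in form_open() reads `$CI->security->csrf_token_name` and `$CI->security->csrf_hash` as bare public properties with nothing in the hunk guarding that the Security library is present on `$CI`; if the core loads it unconditionally that is fine, but a comment such as `// Relies on CI_Security being loaded; this field name is what csrf_verify() reads from $_POST` would spare the next reader a search. The guard is `=== TRUE`, so a config value of `1` or `'TRUE'` silently emits no hidden field even though the verifier, presumably gated elsewhere, may still reject the POST; that is worth either documenting next to the config key or loosening deliberately. form_open()'s body begins outside the hunk.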
@@ -67,21 +67,24 @@ class CI_Security {
 * @return null
 */
 function csrf_verify()
- {
+ {
 // If no POST data exists we will set the CSRF cookie
 if (count($_POST) == 0)
 {
 return $this->csrf_set_cookie();
 }
+ // Append application specific cookie prefix to token name
+ $csrf_token_name = (config_item('cookie_prefix')) ? config_item('cookie_prefix').$this->csrf_token_name : $this->csrf_token_name;
+
 // Do the tokens exist in both the _POST and _COOKIE arrays?
- if ( ! isset($_POST[$this->csrf_token_name]) OR ! isset($_COOKIE[$this->csrf_token_name]))
+ if ( ! isset($_POST[$this->csrf_token_name]) OR ! isset($_COOKIE[$csrf_token_name]))
 {
 $this->csrf_show_error();
 }
 // Do the tokens match?
- if ($_POST[$this->csrf_token_name] != $_COOKIE[$this->csrf_token_name])
+ if ($_POST[$this->csrf_token_name] != $_COOKIE[$csrf_token_name])
 {
 $this->csrf_show_error();
 }
@@ -134,7 +137,10 @@ class CI_Security {
 $this->csrf_hash = md5(uniqid(rand(), TRUE));
 }
 }
-
+
+ // Create the cookie before we finish up
+ $this->csrf_set_cookie();
+
 return $this->csrf_hash;
 }
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 94eff05ba..fb39d6060 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -126,6 +126,7 @@ Hg Tag: </p>
 <li>Modified <kbd>get_file_info</kbd> in the file helper, changing filectime() to filemtime() for dates.</li>
 <li>Modified <kbd>smiley_js()</kbd> to add optional third parameter to return only the javascript with no script tags.</li>
 <li>The <kbd>img()</kbd> function of the <a href="./helpers/html_helper.html">HTML helper</a> will now generate an empty string as an alt attribute if one is not provided.</li>
+ <li>If CSRF is enabled in the application config file, <kbd>form_open()</kbd> will automatically insert it as a hidden field.</li>
 </ul>
 </li>
 <li>Other Changes |
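Review bot: The rewritten token comparison `if ($_POST[$this->csrf_token_name] != $_COOKIE[$csrf_token_name])` keeps the loose `!=`; because the hash is md5 output, both operands can occasionally be numeric-looking strings (for example ones beginning `0e` followed only by digits), which PHP's loose comparison converts to floats and so treats as equal even when the text differs. Change it to `if ($_POST[$this->csrf_token_name] !== $_COOKIE[$csrf_token_name])`, and prefer a constant-time string comparison where the running PHP version provides one. In the new ternary `config_item('cookie_prefix')` is evaluated twice; assigning it to a local once reads better and avoids any drift between the two reads. csrf_verify() continues past the end of this hunk.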
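Review bot: `$this->csrf_set_cookie();` is now called at the tail of `_csrf_set_hash()`, and the first Security.php hunk shows that method is invoked from the constructor, so the cookie is written on every request that constructs CI_Security; the no-POST branch of csrf_verify() then calls csrf_set_cookie() a second time. If the double write is intended as a harmless refresh, say so in the new comment, e.g. `// Create the cookie before we finish up (csrf_verify() may refresh it again on GET)`; otherwise the constructor path should skip it. The context line above still derives the token from `md5(uniqid(rand(), TRUE))`, which is not a cryptographic source; this commit does not touch it, but a follow-up that feeds the hash from a CSPRNG (openssl_random_pseudo_bytes where available) would make the token unguessable. _csrf_set_hash() begins outside the hunk.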