From 958543a38c2c97b0ec4c10fc9faf4f0753143880 Mon Sep 17 00:00:00 2001
From: Derek Allard <derek.allard@ellislab.com>
Date: Thu, 22 Jul 2010 14:10:26 -0400
Subject: Adding CSRF into config Adding CSRF token into form open()

---
 system/helpers/form_helper.php |  6 ++++++
 system/libraries/Security.php  | 16 +++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

(limited to 'system')

diff --git a/system/helpers/form_helper.php b/system/helpers/form_helper.php
index 5feb3ce66..632f94505 100644
--- a/system/helpers/form_helper.php
+++ b/system/helpers/form_helper.php
@@ -62,6 +62,12 @@ if ( ! function_exists('form_open'))
 			$form .= form_hidden($hidden);
 		}
 
+		// CSRF
+		if ($CI->config->item('csrf_protection') === TRUE)
+		{
+			$form .= form_hidden($CI->security->csrf_token_name, $CI->security->csrf_hash);
+		}
+
 		return $form;
 	}
 }
diff --git a/system/libraries/Security.php b/system/libraries/Security.php
index cdae50168..c8d435046 100644
--- a/system/libraries/Security.php
+++ b/system/libraries/Security.php
@@ -54,7 +54,7 @@ class CI_Security {
 	{
 		// Set the CSRF hash
 		$this->_csrf_set_hash();
-		
+
 		log_message('debug', "Security Class Initialized");
 	}
 
@@ -67,21 +67,24 @@ class CI_Security {
 	 * @return	null
 	 */
 	function csrf_verify()
-	{	
+	{
 		// If no POST data exists we will set the CSRF cookie
 		if (count($_POST) == 0)
 		{
 			return $this->csrf_set_cookie();
 		}
 
+		// Append application specific cookie prefix to token name
+		$csrf_token_name = (config_item('cookie_prefix')) ? config_item('cookie_prefix').$this->csrf_token_name : $this->csrf_token_name;
+
 		// Do the tokens exist in both the _POST and _COOKIE arrays?
-		if ( ! isset($_POST[$this->csrf_token_name]) OR ! isset($_COOKIE[$this->csrf_token_name]))
+		if ( ! isset($_POST[$this->csrf_token_name]) OR ! isset($_COOKIE[$csrf_token_name]))
 		{
 			$this->csrf_show_error();
 		}
 
 		// Do the tokens match?
-		if ($_POST[$this->csrf_token_name] != $_COOKIE[$this->csrf_token_name])
+		if ($_POST[$this->csrf_token_name] != $_COOKIE[$csrf_token_name])
 		{
 			$this->csrf_show_error();
 		}
@@ -134,7 +137,10 @@ class CI_Security {
 				$this->csrf_hash = md5(uniqid(rand(), TRUE));
 			}
 		}
-		
+
+		// Create the cookie before we finish up
+		$this->csrf_set_cookie();
+
 		return $this->csrf_hash;
 	}
 
-- 
cgit v1.2.3-24-g4f1b