fix csrf token

This commit is contained in:
Focuslinks Digital Solutions 2025-02-09 18:37:19 +01:00
parent 4bc47a8d85
commit 75d6f17eb5
2 changed files with 48 additions and 81 deletions


@ -8,81 +8,48 @@
class Csrf class Csrf
{ {
private const int TOKEN_LENGTH = 16; private static $tokenExpiration = 1800; // 30 minutes
private const int TOKEN_EXPIRATION = 1800;
/** public static function generateToken($length = 16)
* Generate a CSRF token.
*
* @param int $length
* @return string
*/
public static function generateToken(int $length = self::TOKEN_LENGTH): string
{ {
return bin2hex(random_bytes($length)); return bin2hex(random_bytes($length));
} }
/** public static function validateToken($token, $storedToken)
* Validate the provided CSRF token against the stored token.
*
* @param string $token
* @param string $storedToken
* @return bool
*/
public static function validateToken(string $token, string $storedToken): bool
{ {
return hash_equals($token, $storedToken); return hash_equals($token, $storedToken);
} }
/** public static function check($token)
* Check if the CSRF token is valid.
*
* @param string|null $token
* @return bool
*/
public static function check(?string $token): bool
{ {
global $config; global $config;
if($config['csrf_enabled'] == 'yes') {
if (isset($_SESSION['csrf_token'], $_SESSION['csrf_token_time'], $token)) {
$storedToken = $_SESSION['csrf_token'];
$tokenTime = $_SESSION['csrf_token_time'];
if ($config['csrf_enabled'] === 'yes') { if (time() - $tokenTime > self::$tokenExpiration) {
if (isset($_SESSION['nux_csrf_token'], $_SESSION['nux_csrf_token_time'], $token)) {
$storedToken = $_SESSION['nux_csrf_token'];
$tokenTime = $_SESSION['nux_csrf_token_time'];
if (time() - $tokenTime > self::TOKEN_EXPIRATION) {
self::clearToken(); self::clearToken();
return false; return false;
} }
return self::validateToken($token, $storedToken); return self::validateToken($token, $storedToken);
} }
return false; return false;
} }
return true;
return true; // CSRF is disabled
} }
/** public static function generateAndStoreToken()
* Generate and store a new CSRF token in the session.
*
* @return string
*/
public static function generateAndStoreToken(): string
{ {
$token = self::generateToken(); $token = self::generateToken();
$_SESSION['nux_csrf_token'] = $token; $_SESSION['csrf_token'] = $token;
$_SESSION['nux_csrf_token_time'] = time(); $_SESSION['csrf_token_time'] = time();
return $token; return $token;
} }
/** public static function clearToken()
* Clear the stored CSRF token from the session.
*
* @return void
*/
public static function clearToken(): void
{ {
unset($_SESSION['nux_csrf_token'], $_SESSION['nux_csrf_token_time']); unset($_SESSION['csrf_token'], $_SESSION['csrf_token_time']);
} }
} }
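Review bot: `check()` on the new side drops the `string` declaration on `$token`, so a non-string value that still passes `isset()` (an array posted under the token field name, for instance) reaches `hash_equals()` in `validateToken()`, which on PHP 8 throws a TypeError instead of failing closed; add `if (!is_string($token)) { return false; }` before the `isset(...)` check, or keep the `?string`/`string` parameter types that were removed. While there, `hash_equals()` documents its first argument as the known string, so `return hash_equals($storedToken, $token);` is the conventional order. The `== 'yes'` comparison on `$config['csrf_enabled']` was `===` on the removed side; keeping it strict avoids loose string/number coercion on a security switch. If `private const int` was dropped for PHP versions before 8.3, an untyped `private const TOKEN_EXPIRATION = 1800;` keeps the expiry immutable without the typed-constant syntax. The per-method docblocks were removed as well; a one-line purpose comment on each method, and a note on `check()` that it returns true whenever CSRF is disabled, would be worth restoring.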


@ -38,7 +38,7 @@ switch ($action) {
r2(getUrl('pluginmanager'), 's', 'Refresh success'); r2(getUrl('pluginmanager'), 's', 'Refresh success');
break; break;
case 'dlinstall': case 'dlinstall':
if ($_app_stage == 'demo') { if ($_app_stage == 'Demo') {
r2(getUrl('pluginmanager'), 'e', 'Demo Mode cannot install as it Security risk'); r2(getUrl('pluginmanager'), 'e', 'Demo Mode cannot install as it Security risk');
} }
if (!is_writeable($CACHE_PATH)) { if (!is_writeable($CACHE_PATH)) {
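Review bot: The demo guard at `if ($_app_stage == 'Demo')` now matches only the capitalised spelling, so a configuration that still sets `$_app_stage = 'demo'` would silently let the install proceed; a case-insensitive check such as `if (strcasecmp((string) $_app_stage, 'demo') === 0) {` accepts either spelling and fails closed. Whether the old or the new spelling matches the value assigned elsewhere cannot be confirmed from this hunk. The guard also relies on `r2()` terminating the request, since there is no `break` or `return` after it; if `r2()` can return, add `exit;` after the call so the check cannot be fallen through. The enclosing `switch` starts outside the hunk.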