getkirby-v2 / toolkit

This is the deprecated toolkit for Kirby v2.
http://getkirby.com

csrf() helper: Use different default value for param #240

Closed lukasbestle closed 7 years ago

lukasbestle commented 7 years ago

See https://github.com/getkirby/getkirby.com/issues/340.

sebsel commented 7 years ago

This is not the same thing, but also about csrf(): if you use it multiple times on a page (i.e. when you have two forms on one page) it resets the token every time you call the function.

This could solve that:

```php
function csrf($check = null) {

  // make sure a session is started
  s::start();

  // make sure to generate one token per page:
  // the static keeps the token for the rest of this request, so a second
  // csrf() call (a second form) reuses it instead of overwriting the session
  static $token;

  if(is_null($check)) {
    if(!$token) {
      $token = str::random(64);
      s::set('csrf', $token);
    }
    return $token;
  }

  // verification: compare the submitted value with the token in the session
  return ($check === s::get('csrf')) ? true : false;

}
```

Still has the null issue of course :)

lukasbestle commented 7 years ago

I moved this second issue to the separate issue #242. We will fix both in the next release, thanks for reporting.

lukasbestle commented 7 years ago

This is now fixed on the develop branch. The new solution is actually even better than a different default value as that default param could be faked by an attacker as well.
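The two points raised in this thread (one token shared by every form on a page, and a check that cannot be satisfied by submitting whatever value the default parameter happens to be) can be seen together in the following added example. It is not code from the Kirby toolkit and not the change that landed on the develop branch; it is an illustration written for this page. The toolkit's `s::` and `str::` classes are replaced by an in-memory `SessionStub` and the helper `expect()` is constructed for the walkthrough; both are assumptions made so the file runs offline. `random_bytes()` needs PHP 7 and `hash_equals()` needs PHP 5.6.

```php
<?php
// Added illustration for this thread, not Kirby toolkit code and not the fix
// on its develop branch. SessionStub stands in for the toolkit's s:: class
// (assumption so the file runs offline); csrf() is the part worth reading.

class SessionStub {
  private static $data = array();
  public static function start() { /* a real implementation starts the PHP session */ }
  public static function get($key) { return isset(self::$data[$key]) ? self::$data[$key] : null; }
  public static function set($key, $value) { self::$data[$key] = $value; }
}

function csrf($check = null) {

  SessionStub::start();

  // one token per page render: the static keeps it for the rest of this
  // request, so every form on the page embeds the same value
  static $token;

  // Whether we generate or verify is decided by the argument COUNT, not by
  // the argument VALUE. The value comes from the request, so any in-band
  // sentinel (null, false, 'none', ...) could be submitted by an attacker;
  // a missing form field typically reaches us as null and must not mean
  // "generate a fresh token and return it" (which a caller would treat as true).
  if(func_num_args() === 0) {
    if($token === null) {
      $token = bin2hex(random_bytes(32)); // 64 hex chars from a CSPRNG (PHP 7+)
      SessionStub::set('csrf', $token);
    }
    return $token;
  }

  // verification: a missing token (null) or a missing session entry fails
  // closed, and the comparison is constant-time (hash_equals, PHP 5.6+)
  $stored = SessionStub::get('csrf');
  if(!is_string($check) || !is_string($stored)) {
    return false;
  }
  return hash_equals($stored, $check);
}

// --- constructed walkthrough standing in for one request cycle ---
function expect($condition, $what) {
  if(!$condition) {
    throw new RuntimeException('FAILED: ' . $what);
  }
}

// 1. a page with two forms calls csrf() twice and must get one token
$first  = csrf();
$second = csrf();
expect($first === $second, 'second call reuses the token of the first');
expect(strlen($first) === 64, 'token is 64 hex characters');

// 2. the legitimate submission carries that token
expect(csrf($first) === true, 'correct token verifies');

// 3. the form field is omitted: get()-style helpers hand over null
expect(csrf(null) === false, 'missing token does not verify');

// 4. forged values: empty string, the literal word, a wrong token of the right shape
expect(csrf('') === false, 'empty token does not verify');
expect(csrf('null') === false, 'literal "null" does not verify');
expect(csrf(str_repeat('a', 64)) === false, 'wrong token does not verify');

echo "csrf() behaves as expected\n";
```

Run it with `php csrf_example.php`; it throws on the first failed expectation. The arity check is what makes a call such as `csrf(get('csrf'))` safe even when the request carries no `csrf` field, because the explicit `null` is still one argument and lands in the verification branch. One design caveat of rotating the token on every page render, as the thread proposes: a form left open in a second browser tab is invalidated by the next render in the first tab. A token kept for the whole session avoids that at the cost of never rotating; which trade-off is right depends on the site.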