Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
Y
yii2
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
PSDI Army
yii2
Commits
58e84725
Commit
58e84725
authored
Jan 11, 2014
by
Qiang Xue
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Renamed Request::maskedCsrfToken to csrfToken.
parent
a8068dfe
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
23 additions
and
17 deletions
+23
-17
BaseHtml.php
framework/helpers/BaseHtml.php
+1
-1
Request.php
framework/web/Request.php
+21
-15
View.php
framework/web/View.php
+1
-1
No files found.
framework/helpers/BaseHtml.php
View file @
58e84725
...
...
@@ -241,7 +241,7 @@ class BaseHtml
$method
=
'post'
;
}
if
(
$request
->
enableCsrfValidation
&&
!
strcasecmp
(
$method
,
'post'
))
{
$hiddenInputs
[]
=
static
::
hiddenInput
(
$request
->
csrfVar
,
$request
->
get
Masked
CsrfToken
());
$hiddenInputs
[]
=
static
::
hiddenInput
(
$request
->
csrfVar
,
$request
->
getCsrfToken
());
}
}
...
...
framework/web/Request.php
View file @
58e84725
...
...
@@ -50,7 +50,7 @@ use yii\helpers\StringHelper;
* @property boolean $isPut Whether this is a PUT request. This property is read-only.
* @property boolean $isSecureConnection If the request is sent via secure channel (https). This property is
* read-only.
* @property string $
maskedCsrfToken The masked CSRF token
. This property is read-only.
* @property string $
rawCsrfToken The unmasked CSRF token sent via cookie
. This property is read-only.
* @property string $method Request method, such as GET, POST, HEAD, PUT, PATCH, DELETE. The value returned is
* turned into upper case. This property is read-only.
* @property array $patch The PATCH request parameter values. This property is read-only.
...
...
@@ -1015,12 +1015,12 @@ class Request extends \yii\base\Request
private
$_csrfCookie
;
/**
* Returns the random token used to perform CSRF validation.
* Th
e token will be read from cookie first. If not found
, a new token will be generated.
* Returns the
unmasked
random token used to perform CSRF validation.
* Th
is token is typically sent via a cookie. If such a cookie does not exist
, a new token will be generated.
* @return string the random token for CSRF validation.
* @see enableCsrfValidation
*/
public
function
getCsrfToken
()
public
function
get
Raw
CsrfToken
()
{
if
(
$this
->
_csrfCookie
===
null
)
{
$this
->
_csrfCookie
=
$this
->
getCookies
()
->
get
(
$this
->
csrfVar
);
...
...
@@ -1033,23 +1033,29 @@ class Request extends \yii\base\Request
return
$this
->
_csrfCookie
->
value
;
}
private
$_
maskedC
srfToken
;
private
$_
c
srfToken
;
/**
* Returns the masked CSRF token.
* This method will apply a mask to [[csrfToken]] so that the resulting CSRF token
* will not be exploited by [BREACH attacks](http://breachattack.com/).
* @return string the masked CSRF token.
* Returns the token used to perform CSRF validation.
*
* This token is a masked version of [[rawCsrfToken]] to prevent [BREACH attacks](http://breachattack.com/).
* This token may be passed along via a hidden field of an HTML form or an HTTP header value
* to support CSRF validation.
*
* @return string the token used to perform CSRF validation.
*/
public
function
get
Masked
CsrfToken
()
public
function
getCsrfToken
()
{
if
(
$this
->
_maskedCsrfToken
===
null
)
{
$token
=
$this
->
getCsrfToken
();
$mask
=
Security
::
generateRandomKey
(
self
::
CSRF_MASK_LENGTH
);
if
(
$this
->
_csrfToken
===
null
)
{
// the mask doesn't need to be very random
$chars
=
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.'
;
$mask
=
substr
(
str_shuffle
(
str_repeat
(
$chars
,
5
)),
0
,
self
::
CSRF_MASK_LENGTH
);
$token
=
$this
->
getRawCsrfToken
();
// The + sign may be decoded as blank space later, which will fail the validation
$this
->
_
maskedC
srfToken
=
str_replace
(
'+'
,
'.'
,
base64_encode
(
$mask
.
$this
->
xorTokens
(
$token
,
$mask
)));
$this
->
_
c
srfToken
=
str_replace
(
'+'
,
'.'
,
base64_encode
(
$mask
.
$this
->
xorTokens
(
$token
,
$mask
)));
}
return
$this
->
_
maskedC
srfToken
;
return
$this
->
_
c
srfToken
;
}
/**
...
...
framework/web/View.php
View file @
58e84725
...
...
@@ -406,7 +406,7 @@ class View extends \yii\base\View
$request
=
Yii
::
$app
->
getRequest
();
if
(
$request
instanceof
\yii\web\Request
&&
$request
->
enableCsrfValidation
)
{
$lines
[]
=
Html
::
tag
(
'meta'
,
''
,
[
'name'
=>
'csrf-var'
,
'content'
=>
$request
->
csrfVar
]);
$lines
[]
=
Html
::
tag
(
'meta'
,
''
,
[
'name'
=>
'csrf-token'
,
'content'
=>
$request
->
get
Masked
CsrfToken
()]);
$lines
[]
=
Html
::
tag
(
'meta'
,
''
,
[
'name'
=>
'csrf-token'
,
'content'
=>
$request
->
getCsrfToken
()]);
}
if
(
!
empty
(
$this
->
linkTags
))
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment