diff --git a/include/class.osticket.php b/include/class.osticket.php
index 66938cc7c4cfba0db80439e1de5e9c010923116e..5f75d0fd1fe6ac28feedeea227ef3ad6dc3e7429 100644
--- a/include/class.osticket.php
+++ b/include/class.osticket.php
@@ -19,6 +19,8 @@
 **********************************************************************/
 require_once(INCLUDE_DIR.'class.config.php'); //Config helper
+require_once(INCLUDE_DIR.'class.csrf.php'); //CSRF token class.
+
 define('LOG_WARN',LOG_WARNING);
 class osTicket {
@@ -32,17 +34,19 @@ class osTicket {
     var $config;
     var $session;
+    var $csrf;
     function osTicket($cfgId) {
+
         $this->config = Config::lookup($cfgId);
         //DB based session storage was added starting with v1.7
-        // which does NOT have DB Version
         if($this->config && !$this->getConfig()->getDBVersion())
             $this->session = osTicketSession::start(SESSION_TTL); // start DB based session
         else
             session_start();
+        $this->csrf = new CSRF('__CSRFToken__');
     }
     function isSystemOnline() {
@@ -74,6 +78,38 @@ class osTicket {
         return THIS_VERSION;
     }
+    function getCSRF(){
+        return $this->csrf;
+    }
+
+    function getCSRFToken() {
+        return $this->getCSRF()->getToken();
+    }
+
+    function getCSRFFormInput() {
+        return $this->getCSRF()->getFormInput();
+    }
+
+    function validateCSRFToken($token) {
+        return ($token && $this->getCSRF()->validateToken($token));
+    }
+
+    function checkCSRFToken($name='') {
+
+        $name = $name?$name:$this->getCSRF()->getTokenName();
+        if(isset($_POST[$name]) && $this->validateCSRFToken($_POST[$name]))
+            return true;
+
+        if(isset($_SERVER['HTTP_X_CSRFTOKEN']) && $this->validateCSRFToken($_SERVER['HTTP_X_CSRFTOKEN']))
+            return true;
+
+        $msg=sprintf('Invalid CSRF token [%s] on %s',
+            ($_POST[$name].''.$_SERVER['HTTP_X_CSRFTOKEN']), THISPAGE);
+        $this->logWarning('Invalid CSRF Token '.$name, $msg);
+
+        return false;
+    }
+
     function addExtraHeader($header) {
         $this->headers[md5($header)] = $header;
     }
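Review bot: The failure path of checkCSRFToken reads `$_POST[$name]` and `$_SERVER['HTTP_X_CSRFTOKEN']` unguarded when it builds `$msg`, yet control only reaches that sprintf when at least one of them is unset (or both), so every rejected request raises an "Undefined index" notice and, on installs that display errors, echoes it into the response. Guard the lookup by picking whichever value was actually submitted, e.g. `$submitted = isset($_POST[$name]) ? $_POST[$name] : (isset($_SERVER['HTTP_X_CSRFTOKEN']) ? $_SERVER['HTTP_X_CSRFTOKEN'] : '');` and then `$msg = sprintf('Invalid CSRF token [%s] on %s', $submitted, THISPAGE);`. Because `$_POST[$name]` can arrive as an array (`__CSRFToken__[]=x`), validateCSRFToken should also reject anything that is not a string before handing it to validateToken, whose comparison lives in class.csrf.php (not in this diff) and should be constant-time. Finally, consider not writing the rejected token value itself into the warning: a stale-but-genuine token from another session is still a secret, and the log is a poor place for it.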