Commit a8d3eece authored by Peter Rotich's avatar Peter Rotich

Add CSRF interface function and init to core osTicket obj

parent 50258951
...@@ -19,6 +19,8 @@ ...@@ -19,6 +19,8 @@
**********************************************************************/ **********************************************************************/
require_once(INCLUDE_DIR.'class.config.php'); //Config helper require_once(INCLUDE_DIR.'class.config.php'); //Config helper
require_once(INCLUDE_DIR.'class.csrf.php'); //CSRF token class.
define('LOG_WARN',LOG_WARNING); define('LOG_WARN',LOG_WARNING);
class osTicket { class osTicket {
...@@ -32,17 +34,19 @@ class osTicket { ...@@ -32,17 +34,19 @@ class osTicket {
var $config; var $config;
var $session; var $session;
var $csrf;
function osTicket($cfgId) { function osTicket($cfgId) {
$this->config = Config::lookup($cfgId); $this->config = Config::lookup($cfgId);
//DB based session storage was added starting with v1.7 //DB based session storage was added starting with v1.7
// which does NOT have DB Version
if($this->config && !$this->getConfig()->getDBVersion()) if($this->config && !$this->getConfig()->getDBVersion())
$this->session = osTicketSession::start(SESSION_TTL); // start DB based session $this->session = osTicketSession::start(SESSION_TTL); // start DB based session
else else
session_start(); session_start();
$this->csrf = new CSRF('__CSRFToken__');
} }
function isSystemOnline() { function isSystemOnline() {
...@@ -74,6 +78,38 @@ class osTicket { ...@@ -74,6 +78,38 @@ class osTicket {
return THIS_VERSION; return THIS_VERSION;
} }
function getCSRF(){
return $this->csrf;
}
function getCSRFToken() {
return $this->getCSRF()->getToken();
}
function getCSRFFormInput() {
return $this->getCSRF()->getFormInput();
}
function validateCSRFToken($token) {
return ($token && $this->getCSRF()->validateToken($token));
}
function checkCSRFToken($name='') {
$name = $name?$name:$this->getCSRF()->getTokenName();
if(isset($_POST[$name]) && $this->validateCSRFToken($_POST[$name]))
return true;
if(isset($_SERVER['HTTP_X_CSRFTOKEN']) && $this->validateCSRFToken($_SERVER['HTTP_X_CSRFTOKEN']))
return true;
$msg=sprintf('Invalid CSRF token [%s] on %s',
($_POST[$name].''.$_SERVER['HTTP_X_CSRFTOKEN']), THISPAGE);
$this->logWarning('Invalid CSRF Token '.$name, $msg);
return false;
}
function addExtraHeader($header) { function addExtraHeader($header) {
$this->headers[md5($header)] = $header; $this->headers[md5($header)] = $header;
} }
......
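Review bot: In checkCSRFToken the failure path at `$msg=sprintf('Invalid CSRF token [%s] on %s', ...)` reads `$_POST[$name]` and `$_SERVER['HTTP_X_CSRFTOKEN']` unconditionally, although the two isset() guards just above have established that at least one of them is absent, so every rejected request raises an undefined-index notice while building the log message. Read them guarded, e.g. `$posted = isset($_POST[$name]) ? $_POST[$name] : '';` and `$hdr = isset($_SERVER['HTTP_X_CSRFTOKEN']) ? $_SERVER['HTTP_X_CSRFTOKEN'] : '';`, and pass those to sprintf. The two values are also joined with an empty separator (`.''.`), so the log entry cannot show which channel carried the bad token; a separate placeholder per source would make the warning usable when triaging. Both values come from the request, so whatever logWarning writes to (outside this hunk) should treat them as untrusted text rather than interpolating them raw.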