From b1cc0c2b821a030fdeb32b7c6b6b30b3a485ac98 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Wed, 16 Jan 2019 14:04:07 -0500
Subject: [PATCH] add CSP nonce to CSRF rewriting

---
 web/includes/csrf/csrf-magic.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/web/includes/csrf/csrf-magic.php b/web/includes/csrf/csrf-magic.php
index 55819329c..692015e70 100644
--- a/web/includes/csrf/csrf-magic.php
+++ b/web/includes/csrf/csrf-magic.php
@@ -150,24 +150,25 @@ function csrf_ob_handler($buffer, $flags) {
 return $buffer;
 }
 }
+ global $cspNonce;
 $tokens = csrf_get_tokens();
 $name = $GLOBALS['csrf']['input-name'];
 $endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : '';
 $input = "";
 $buffer = preg_replace('#(]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
 if ($GLOBALS['csrf']['frame-breaker']) {
- $buffer = str_ireplace('', '', $buffer);
+ $buffer = str_ireplace('', '', $buffer);
 }
 if ($js = $GLOBALS['csrf']['rewrite-js']) {
 $buffer = str_ireplace(
 '',
- ''.
- '',
+ '',
 $buffer
 );
- $script = '';
+ $script = '';
 $buffer = str_ireplace('', $script . '', $buffer, $count);
 if (!$count) {
 $buffer .= $script;
@@ -183,6 +184,7 @@ function csrf_ob_handler($buffer, $flags) {
 */
 function csrf_check($fatal = true) {
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true;
+ global $cspNonce;
 csrf_start();
 $name = $GLOBALS['csrf']['input-name'];
 $ok = false;
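Review bot: The new `global $cspNonce;` in csrf_ob_handler (and again in csrf_check in the second hunk) is consumed without any check that the including page actually set it, so an unset or empty nonce would be interpolated into the rewritten script tags, a nonce-based CSP would then reject those scripts, and the CSRF token rewriting would stop working with only a PHP notice to show for it. A guard right after the declaration would make that failure visible instead of silent, e.g. `if (empty($cspNonce)) { trigger_error('cspNonce not set; CSP will block csrf-magic scripts', E_USER_WARNING); }`. The value also has to be the same nonce the response's Content-Security-Policy header carries and must be safe inside an HTML attribute; the replacement markup is stripped in this rendering, so neither can be confirmed from the hunk. csrf_ob_handler's body continues past the end of the first hunk.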