add CSP nonce to CSRF rewriting
This commit is contained in:
parent
a7db6f08f5
commit
b1cc0c2b82
|
@ -150,24 +150,25 @@ function csrf_ob_handler($buffer, $flags) {
|
||||||
return $buffer;
|
return $buffer;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
global $cspNonce;
|
||||||
$tokens = csrf_get_tokens();
|
$tokens = csrf_get_tokens();
|
||||||
$name = $GLOBALS['csrf']['input-name'];
|
$name = $GLOBALS['csrf']['input-name'];
|
||||||
$endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : '';
|
$endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : '';
|
||||||
$input = "<input type='hidden' name='$name' value=\"$tokens\"$endslash>";
|
$input = "<input type='hidden' name='$name' value=\"$tokens\"$endslash>";
|
||||||
$buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
|
$buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
|
||||||
if ($GLOBALS['csrf']['frame-breaker']) {
|
if ($GLOBALS['csrf']['frame-breaker']) {
|
||||||
$buffer = str_ireplace('</head>', '<script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script></head>', $buffer);
|
$buffer = str_ireplace('</head>', '<script nonce="'.$cspNonce.'">if (top != self) {top.location.href = self.location.href;}</script></head>', $buffer);
|
||||||
}
|
}
|
||||||
if ($js = $GLOBALS['csrf']['rewrite-js']) {
|
if ($js = $GLOBALS['csrf']['rewrite-js']) {
|
||||||
$buffer = str_ireplace(
|
$buffer = str_ireplace(
|
||||||
'</head>',
|
'</head>',
|
||||||
'<script type="text/javascript">'.
|
'<script nonce="'.$cspNonce.'">'.
|
||||||
'var csrfMagicToken = "'.$tokens.'";'.
|
'var csrfMagicToken = "'.$tokens.'";'.
|
||||||
'var csrfMagicName = "'.$name.'";</script>'.
|
'var csrfMagicName = "'.$name.'";</script>'.
|
||||||
'<script src="'.$js.'" type="text/javascript"></script></head>',
|
'<script src="'.$js.'"></script></head>',
|
||||||
$buffer
|
$buffer
|
||||||
);
|
);
|
||||||
$script = '<script type="text/javascript">CsrfMagic.end();</script>';
|
$script = '<script nonce="'.$cspNonce.'">CsrfMagic.end();</script>';
|
||||||
$buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);
|
$buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);
|
||||||
if (!$count) {
|
if (!$count) {
|
||||||
$buffer .= $script;
|
$buffer .= $script;
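Review bot: The new `nonce="'.$cspNonce.'"` attributes at the frame-breaker, the rewrite-js head script and the `CsrfMagic.end()` footer script all depend on an application-level global that this file never sets, and when it is unset or empty the output becomes `nonce=""`, which a nonce-based CSP rejects, so the frame-breaker protection is silently lost rather than failing loudly. Every other setting in this handler is read from `$GLOBALS['csrf'][...]`, so it would be more consistent to source the nonce the same way and to emit the attribute only when a value exists, e.g. `$nonceAttr = ($cspNonce !== null && $cspNonce !== '') ? ' nonce="'.htmlspecialchars($cspNonce, ENT_QUOTES).'"' : '';` followed by `'<script'.$nonceAttr.'>'` at the four injection sites. The htmlspecialchars call is cheap insurance that a nonce containing a quote cannot break out of the attribute, whatever its source turns out to be. csrf_ob_handler begins above this hunk and its body continues past it; the same global declaration is also added to csrf_check in the next hunk.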
|
||||||
|
@ -183,6 +184,7 @@ function csrf_ob_handler($buffer, $flags) {
|
||||||
*/
|
*/
|
||||||
function csrf_check($fatal = true) {
|
function csrf_check($fatal = true) {
|
||||||
if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true;
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true;
|
||||||
|
global $cspNonce;
|
||||||
csrf_start();
|
csrf_start();
|
||||||
$name = $GLOBALS['csrf']['input-name'];
|
$name = $GLOBALS['csrf']['input-name'];
|
||||||
$ok = false;
|
$ok = false;
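Review bot: `global $cspNonce;` is declared in csrf_check but nothing in the visible part of the function reads it; if the remaining body (outside this hunk) does not use it either, the line is dead and should be dropped, and if it does, a comment such as `// nonce for any inline script csrf_check emits; must be set by the host application` would tell the next maintainer where the value is expected to come from. csrf_check continues past the end of the hunk, so this is an inference to confirm against the rest of the function.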
|
||||||
|
|