add CSP nonce to CSRF rewriting

Isaac Connor 2019-01-16 14:04:07 -05:00
parent a7db6f08f5
commit b1cc0c2b82
1 changed files with 6 additions and 4 deletions


@ -150,24 +150,25 @@ function csrf_ob_handler($buffer, $flags) {
return $buffer; return $buffer;
} }
} }
global $cspNonce;
$tokens = csrf_get_tokens(); $tokens = csrf_get_tokens();
$name = $GLOBALS['csrf']['input-name']; $name = $GLOBALS['csrf']['input-name'];
$endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : ''; $endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : '';
$input = "<input type='hidden' name='$name' value=\"$tokens\"$endslash>"; $input = "<input type='hidden' name='$name' value=\"$tokens\"$endslash>";
$buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer); $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
if ($GLOBALS['csrf']['frame-breaker']) { if ($GLOBALS['csrf']['frame-breaker']) {
$buffer = str_ireplace('</head>', '<script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script></head>', $buffer); $buffer = str_ireplace('</head>', '<script nonce="'.$cspNonce.'">if (top != self) {top.location.href = self.location.href;}</script></head>', $buffer);
} }
if ($js = $GLOBALS['csrf']['rewrite-js']) { if ($js = $GLOBALS['csrf']['rewrite-js']) {
$buffer = str_ireplace( $buffer = str_ireplace(
'</head>', '</head>',
'<script type="text/javascript">'. '<script nonce="'.$cspNonce.'">'.
'var csrfMagicToken = "'.$tokens.'";'. 'var csrfMagicToken = "'.$tokens.'";'.
'var csrfMagicName = "'.$name.'";</script>'. 'var csrfMagicName = "'.$name.'";</script>'.
'<script src="'.$js.'" type="text/javascript"></script></head>', '<script src="'.$js.'"></script></head>',
$buffer $buffer
); );
$script = '<script type="text/javascript">CsrfMagic.end();</script>'; $script = '<script nonce="'.$cspNonce.'">CsrfMagic.end();</script>';
$buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count); $buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);
if (!$count) { if (!$count) {
$buffer .= $script; $buffer .= $script;
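Review bot: The external csrf-magic script tag in the rewrite-js branch gets no nonce while the three inline scripts around it do; under a nonce-based `script-src` that does not allowlist the script's host or use `'strict-dynamic'`, the browser will block `CsrfMagic` from loading and the inline `CsrfMagic.end();` call will then fail, so the tag should read `'<script src="'.$js.'" nonce="'.$cspNonce.'"></script></head>',`. The value of `$cspNonce` is also interpolated into three attributes unescaped and will be an empty string if the global has not been set before this output-buffer handler runs, which yields `nonce=""` and silently disables both the frame-breaker and the token scripts; escaping at the point of use with `htmlspecialchars($cspNonce, ENT_QUOTES)` (or asserting it is non-empty) would make that failure visible. The same unescaped-nonce pattern appears in the second hunk's function once it uses the variable. csrf_ob_handler's body starts and ends outside this hunk.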
@ -183,6 +184,7 @@ function csrf_ob_handler($buffer, $flags) {
*/ */
function csrf_check($fatal = true) { function csrf_check($fatal = true) {
if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true; if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true;
global $cspNonce;
csrf_start(); csrf_start();
$name = $GLOBALS['csrf']['input-name']; $name = $GLOBALS['csrf']['input-name'];
$ok = false; $ok = false;
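Review bot: `global $cspNonce;` is added to csrf_check but nothing in the visible lines reads it, and the rest of the function is outside this hunk, so whether it is consumed by the fatal-path output further down cannot be confirmed here; if it is not, the declaration is dead. Stylistically, every other per-request setting this library reads (`$GLOBALS['csrf']['input-name']`, `'xhtml'`, `'frame-breaker'`, `'rewrite-js'`) lives under the `$GLOBALS['csrf']` config array, so carrying the nonce as a bare global breaks that convention; a key such as `$GLOBALS['csrf']['csp-nonce']` read the same way as the others would keep the configuration surface in one place and let callers set it alongside the existing options.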