paragonie / anti-csrf
Full-Featured Anti-CSRF Library
Home Page: https://paragonie.com/projects
License: GNU Affero General Public License v3.0
I had to change the version constraint in my project's composer.json from ^2.0 to dev-master in order to use this library because of the typo fixed in #13.
It would be lovely if you could tag a release, as I prefer not to use dev-master if I don't have to. :)
Is there a possible way I can disable this for an API request? I would like to use it on my main project, but not on the API.
the code looks fine, I have tested it on PHP 7.0 and it looks good.
Originally posted by @SnirSofer in #40 (comment)
In the function validateRequestNative(), the path lock is checked against REQUEST_URI (hardcoded); this negates the feature added in #20 when $useNativeSession gets set to true....
This could be easily fixed in place, but the function has already been refactored and the bug looks like it's fixed in the dev branch. For now I've just reverted back to my forked repo while we wait for a fresh stable release, please :)
In any case it simply prints the function name.
If I use the readme example:

    use \ParagonIE\AntiCSRF\AntiCSRF;

    $twigEnv->addFunction(
        new \Twig_SimpleFunction(
            'form_token',
            function ($lock_to = null) {
                // One AntiCSRF instance shared across all calls of the Twig function
                static $csrf;
                if ($csrf === null) {
                    $csrf = new AntiCSRF;
                }
                // Return the hidden fields as HTML instead of echoing them
                return $csrf->insertToken($lock_to, false);
            },
            ['is_safe' => ['html']]
        )
    );

and put just this in my twig file:

    {{ form_csrf() }}

I get an error stating that $lock_to must be a string, not null. Not sure if this is intended or not, but if I define lock_to as '' it works, since it is a string now.
-Matt
For some reason it's not working with the above-mentioned versions... it used to work on 7.0 but it stopped abruptly...
I noticed that your LICENSE file is not an MIT license, but the comment at the top of the AntiCSRF file in the src directory says MIT.
Thanks for your awesome library; it works great with forms but not so well with Ajax requests, and here's what I mean. An example has been cited in #15.
If I had an Ajax form, on submit it validates OK and that token is expired from the session etc. But what if the user had entered the wrong information and I needed to submit again without a refresh? This becomes a problem. I was able to fix this situation for myself by doing this:

    function validateRequest(bool $is_async = false)
    {
        ..........
        // Only consume the token for non-Ajax requests
        if (!$is_async) {
            if ($this->deleteToken($sess[$index])) {
                unset($sess[$index]);
            }
        }
    }

Now, if my endpoint is accessed only via Ajax, I do $csrf->validateRequest(true);
This way, it doesn't expire the token and index. But when I refresh the form manually, I first unset($_SESSION['CSRF']) so a new hidden token and index is created.
Is this worth adding to the core, for other users?
Hello,
First of all, thank you for the quality library. I rarely have such a high confidence level for a PHP library after perusing its code.
This is probably a nitpick, but I notice that in the constructor of the AntiCSRF class, both $post and $server are passed by reference. However, there seems to be no code which writes to these variables. This is misleading, because usually passing by reference in PHP is a way to inform users of a class that the value will get mutated.
I think this is important because in some execution environments (for example: automated tests), $_SERVER will not contain the expected information such as REMOTE_ADDR or REQUEST_URI. As such, I need to know that it's okay to simply pass a made-up array that simulates the structure of $_SERVER without impacting the functionality of the library. But the pass-by-reference semantics gives me the opposite impression.
I believe only $session should be passed by reference in the constructor of AntiCSRF.
Would be nice to restrict a token to a specific user agent.
On IE8 (I haven't tested other versions), when I submit the form which contains the token, it always returns an error since validateRequest returns false.
What could cause this?
(On Chrome, Opera etc. it works OK.)
Thanks for creating this library! Below I shared a quick example of how to use it.
Save the code below as a PHP file, put it on your webserver and run it.
Before running:
1. Open a terminal and navigate to your webserver root directory.
2. Download the library with: "composer require paragonie/anti-csrf".
The package is now installed in the vendor/ folder.
    <?php
    // Don't forget to call this before using the library: tokens are stored in $_SESSION.
    session_start();
    // Because of $_SERVER['DOCUMENT_ROOT'], you can place this PHP file anywhere on the webserver.
    require $_SERVER['DOCUMENT_ROOT'] . '/vendor/autoload.php';

    use ParagonIE\AntiCSRF\AntiCSRF;

    // With no arguments the library uses $_POST, $_SESSION and $_SERVER itself.
    // (The constructor's first parameter is $post, so $_SERVER must not be passed there.)
    $csrf = new AntiCSRF;
    ?>
    <form method="POST">
    <?php
    // Generate the CSRF token; the second argument (true) echoes the hidden fields
    $csrf->insertToken('', true);
    ?>
    <input type="submit">
    </form>
    <br>
    <?php
    // Check the CSRF token of a submitted form
    if (!empty($_POST)) {
        if ($csrf->validateRequest()) {
            echo 'Valid form';
        } else {
            // Log a CSRF attack attempt
            echo 'Token is invalid';
        }
    }
    ?>
The reason I share this is that it took me a while to understand how to use the library, so I hope this helps others.
Also, if you are reading this and haven't really used composer before, like me, this tutorial should help you out.
I'm kinda confused about the licensing of this package. In some places it states AGPL, in some it states MIT, and in some both.
I would like to use it in a GPL project, and from my understanding that won't work if this library is licensed under AGPL.
Facing intermediate token validation while using the server in a container with Kubernetes.
I have not made any code change, and when I am using a bare-metal server things are working fine.
When I am using the container-based approach, I am getting the issue with CSRF validation.
I am facing an issue while executing the login action the second time.
I can see the issue is with the validateRequest() function, where once we find a valid CSRF token we unset the current CSRF token (unset($this->session[$this->sessionIndex][$index]);).
I am validating the CSRF token at the beginning of the action. I know it will work well if I check for CSRF validity at the end of the function, but this seems not to be expected.
Can you please help me with this issue? What is the use of unsetting the CSRF token inside validateRequest()?
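As an added example (not code from the library or from any post in this thread), one way to keep the one-time-use behaviour that both the Ajax post above and this Kubernetes report run into: the endpoint consumes the posted token with validateRequest() and, whether or not the login succeeded, returns a fresh index/token pair in its JSON reply for the client to write into its hidden fields before resubmitting. It assumes getTokenArray() returns the pair keyed by the hidden-field names, that the endpoint is served at /api/login, and that checkCredentials() is a placeholder for the application's own check.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use ParagonIE\AntiCSRF\AntiCSRF;

session_start();

// Hypothetical Ajax login endpoint (assumed path: /api/login).
// validateRequest() deletes a token after one successful check, so a retry
// with the same token must fail. Rather than disabling that, hand the client
// a new token with every reply so it can resubmit without a page reload.
function handleAsyncLogin(AntiCSRF $csrf, array $post): array
{
    if (!$csrf->validateRequest()) {
        // Missing, replayed or forged token: refuse and log. Deliberately do
        // NOT issue a fresh token here, since a cross-site POST reaching this
        // branch would otherwise be handed one.
        error_log('CSRF validation failed from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return ['ok' => false, 'error' => 'invalid_csrf'];
    }

    // Placeholder for the application's own credential check.
    $ok = checkCredentials($post['user'] ?? '', $post['pass'] ?? '');

    // The posted token is consumed now. Return a fresh pair, locked to this
    // endpoint, so the same page can submit again on a wrong password.
    $fresh = $csrf->getTokenArray('/api/login');

    return [
        'ok'   => $ok,
        'csrf' => $fresh, // e.g. ['_CSRF_INDEX' => '...', '_CSRF_TOKEN' => '...']
    ];
}

// Hypothetical stand-in; a real implementation uses password_verify()
// against a stored hash and never returns true for an unknown user.
function checkCredentials(string $user, string $pass): bool
{
    return false;
}

header('Content-Type: application/json');
echo json_encode(handleAsyncLogin(new AntiCSRF(), $_POST));
```

On the client, the JavaScript that handles the reply copies response.csrf['_CSRF_INDEX'] and response.csrf['_CSRF_TOKEN'] into the form's hidden inputs before allowing another submit.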
Class 'ParagonIE\AntiCSRF\AntiCSRF' not found
structure:
domain.com/index.php ----> require('myincludes/myautoloader.php');
domain.com/my includes/myautoloader.php
domain.com/my includes/ParagonIE/AntiCSRF/AntiCSRF.php
domain.com/my includes/ParagonIE/yourautoloader.php
myautoloader.php calls ParagonIE/yourautoloader.php, which is copy/pasted from here.
Inputs on the form:
<!--
--><input type="hidden" name="_CSRF_INDEX" value="v6Dzi3KrRDV68kNdPFCES+UU"><!--
--><input type="hidden" name="_CSRF_TOKEN" value="wLoNJygvlKTxBEuhTa/WCjnvtoYldgmTet7MsFQlXU0=">
Session variables dumped at the end of the page:
array(1) {
["CSRF"]=>
array(1) {
["v6Dzi3KrRDV68kNdPFCES+UU"]=>
array(4) {
["created"]=>
int(20160114152843)
["uri"]=>
string(1) "/"
["token"]=>
string(44) "T0kXM8I9nzUFv3w7flJTlbOjFa1OEMNR+5xwnHvpqr4="
["lockto"]=>
string(5) "login"
}
}
}
Unable to use the reconfigure() function at all. Any array passed throws "PHP Fatal error: Uncaught Error: Cannot access empty property". I believe the cause of this is in AntiCSRF.php:

    $this->${$opt} = $val;

should be changed to:

    $this->${opt} = $val;

or

    $this->$opt = $val;

As $this->${$opt}, where $opt = 'expire_old' for example, gets parsed as $this->$expire_old instead of $this->expire_old.
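An added, stand-alone illustration of the parsing difference described in this report (not the library's code): ${$opt} is a variable-variable lookup, so PHP first resolves the local variable named by $opt (undefined, hence null) and then uses that as the property name, whereas $this->$opt uses the string in $opt directly. The class and option names below are a minimal stand-in for reconfigure().

```php
<?php
declare(strict_types=1);

// Minimal stand-in for the option-setting part of AntiCSRF::reconfigure().
final class Configurable
{
    public $expire_old    = false;
    public $recycle_after = 65;

    // Buggy form, as reported: ${$opt} reads the local variable $expire_old,
    // not the property called expire_old. Depending on the PHP version this
    // throws "Cannot access empty property" or silently creates a dynamic
    // property with an empty name; in neither case is $expire_old changed.
    public function reconfigureBuggy(array $options): void
    {
        foreach ($options as $opt => $val) {
            $this->${$opt} = $val;
        }
    }

    // Fixed form: use the option name as the property name, and only accept
    // names that are real, declared properties (no arbitrary property writes).
    public function reconfigureFixed(array $options): void
    {
        foreach ($options as $opt => $val) {
            if (!property_exists($this, $opt)) {
                throw new \InvalidArgumentException("Unknown option: $opt");
            }
            $this->$opt = $val;
        }
    }
}

// Returns [buggy call set expire_old?, fixed call set expire_old?, error message or '']
function demonstrate(): array
{
    $c   = new Configurable();
    $err = '';
    try {
        @$c->reconfigureBuggy(['expire_old' => true]); // '@' silences the undefined-variable notice
    } catch (\Throwable $e) {
        $err = $e->getMessage();
    }
    $buggySet = ($c->expire_old === true);

    $c->reconfigureFixed(['expire_old' => true, 'recycle_after' => 10]);
    $fixedSet = ($c->expire_old === true && $c->recycle_after === 10);

    return [$buggySet, $fixedSet, $err];
}

var_dump(demonstrate()); // [false, true, <version-dependent message or ''>]
```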
New one here:
Too few arguments to function {closure}(), 1 passed and exactly 2 expected