
anti-csrf's Issues

No tagged release with typo fix

I had to change the version constraint in my project's composer.json from ^2.0 to dev-master in order to use this library because of the typo fixed in #13.

It would be lovely if you could tag a release, as I prefer not to use dev-master if I don't have to. :)

Disable For API

Is there a possible way I can disable this for an API request? I would like to use it on my main project, but not on the API.

Current release breaks PATH_INFO as lock

In the function validateRequestNative(), the path lock is checked against REQUEST_URI (hardcoded); this negates the feature added in #20 when $useNativeSession gets set to true....
This could be easily fixed in place, but the function has already been refactored and the bug looks like it's fixed in the dev branch. For now I've just reverted back to my forked repo while we wait for a fresh stable release, please :)

Prints the token request

  1. Using just a standard php file.
  2. Required the anticsrf.php file.
  3. Do not have/use twig so I tried calling it using
    A. generateToken('form.php')
    B. $csrf=$AntiCSRF->generateToken('form.php'); and added the $csrf to the form.
    C. insertToken('form.php')

In any case it simply prints the function name.

Readme example error

If I use the readme example:

```php
use \ParagonIE\AntiCSRF\AntiCSRF;
$twigEnv->addFunction(
    new \Twig_SimpleFunction(
        'form_token',
        function($lock_to = null) {
            static $csrf;
            if ($csrf === null) {
                $csrf = new AntiCSRF;
            }
            return $csrf->insertToken($lock_to, false);
        },
        ['is_safe' => ['html']]
    )
);
```

If I put just this in my Twig file (the function registered above is form_token):

```twig
{{ form_token() }}
```

I get an error stating that $lock_to must be a string, not null. Not sure if this is intended or not, but if I define lock_to as '' it works since it is a string now.

-Matt

Not Working PHP 7.1, 7.2

For some reason it's not working with the above-mentioned versions... it used to work on 7.0 but stopped abruptly...

License confusion.

I noticed that your LICENSE file is not an MIT license. But the comment at the top of the AntiCSRF file in the src directory says MIT.

Use with Ajax

Thanks for your awesome library; it works great with forms but not well with Ajax requests, and here's what I mean. An example has been cited in #15.

If I had an Ajax form, on submit... it validates OK and that token is expired from the session etc. But what if the user had entered the wrong information and I needed to submit again with refresh? This becomes a problem. I was able to fix this situation for myself by doing this:

```php
function validateRequest( bool $is_async = false )
    // ..........
    if ( ! $is_async ) {
        if ($this->deleteToken($sess[$index])) {
            unset($sess[$index]);
        }
    }
```

Now, if my endpoint is accessed only via Ajax, I do $csrf->validateRequest( true );

This way, it doesn't expire the token and index. But when I refresh the form manually, I first unset( $_SESSION['CSRF'] ) so a new hidden token and index is created.

Is this worth adding to the core, for other users?
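An added example, not code from this issue or from paragonie/anti-csrf: instead of skipping deletion for async requests, keep every token single-use and return a fresh index/token pair in the JSON response so the client can resubmit after a failed attempt. It assumes anti-csrf 2.x with validateRequest(): bool and getTokenArray(string $lockTo = ''): array (both assumed), and that the endpoint is served at the URI held in $lockTo.

```php
<?php
// Added example, not code from the issue or from paragonie/anti-csrf.
// Assumes anti-csrf 2.x with validateRequest(): bool and
// getTokenArray(string $lockTo = ''): array (both assumed to exist),
// and that this file is served at the URI stored in $lockTo.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use ParagonIE\AntiCSRF\AntiCSRF;

session_start();
header('Content-Type: application/json');

// Assumption: the endpoint's REQUEST_URI, used as the path lock.
$lockTo = '/login';

// No constructor args: the library falls back to $_POST, $_SESSION, $_SERVER.
$csrf = new AntiCSRF();

// The submitted _CSRF_INDEX/_CSRF_TOKEN pair is checked and, if valid,
// removed from the session, so each token can be used exactly once.
if (!$csrf->validateRequest()) {
    http_response_code(403);
    echo json_encode(['ok' => false, 'error' => 'invalid or expired CSRF token']);
    exit;
}

// Constructed stand-in for the real credential check (not a real login).
$user = (string) ($_POST['username'] ?? '');
$pass = (string) ($_POST['password'] ?? '');
$loginOk = ($user === 'demo' && $pass === 'demo');

// Succeed or fail, hand back a fresh index/token pair so the client can
// resubmit without reloading the page. The consumed pair stays dead.
$fresh = $csrf->getTokenArray($lockTo);

echo json_encode([
    'ok'   => $loginOk,
    'csrf' => [
        '_CSRF_INDEX' => $fresh['_CSRF_INDEX'],
        '_CSRF_TOKEN' => $fresh['_CSRF_TOKEN'],
    ],
]);
```

The client copies the returned _CSRF_INDEX and _CSRF_TOKEN values into its hidden inputs before the next XHR submit, so no manual unset of $_SESSION['CSRF'] is needed.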

$post and $server are passed by reference in constructor for no reason

Hello,

First of all, thank you for the quality library. I rarely have such a high confidence level for a PHP library after perusing its code.

This is probably a nitpick, but I notice that in the constructor of the AntiCSRF class, both $post and $server are passed by reference. However, there seems to be no code which writes to these variables. This is misleading, because usually passing by reference in PHP is a way to inform users of a class that the value will get mutated.

I think this is important because in some execution environments (for example: automated tests), $_SERVER will not contain the expected information such as REMOTE_ADDR or REQUEST_URI. As such, I need to know that it's okay to simply pass a made-up array that simulates the structure of $_SERVER without impacting the functionality of the library. But the pass-by-reference semantics gives me the opposite impression.

I believe only $session should be passed by reference in the constructor of AntiCSRF.

validateRequest always returns false at IE8.

At IE8 (haven't tested other versions), when I submit the form which contains the token, it always returns an error since validateRequest returns false.
What could cause this?

(In Chrome, Opera etc. it works OK)

Working basic example

Thanks for creating this library! Below I've shared a quick example of how to use it.
Save the code below as a PHP file, put it on your webserver and run it.

Before running:
1. Open a terminal and navigate to your webserver root directory.
2. Download the library with: "composer require paragonie/anti-csrf".
The package is now installed in the vendor/ folder.

```php
<?php
// Don't forget to call this:
session_start();

// Because of $_SERVER['DOCUMENT_ROOT'], you can place this PHP file anywhere on the webserver.
require $_SERVER['DOCUMENT_ROOT'] . '/vendor/autoload.php';

use ParagonIE\AntiCSRF\AntiCSRF;
?>

<form method="POST">
    <?php
    // Generate the CSRF token. With no constructor arguments the library
    // uses $_POST, $_SESSION and $_SERVER itself.
    $csrft = new AntiCSRF();
    // Second argument true: echo the hidden _CSRF_INDEX/_CSRF_TOKEN inputs
    // directly into the form (the HTML string is returned as well).
    $token_html = $csrft->insertToken('', true);
    ?>
    <input type="submit">
</form>

<?php
// Check the CSRF token on a POST submission.
$csrf = new AntiCSRF();
if (!empty($_POST)) {
    if ($csrf->validateRequest()) {
        echo 'Valid form';
    } else {
        // Log a CSRF attack attempt
        echo 'Token is invalid';
    }
}
?>
```

The reason I share this is that it took me a while to understand how to use the library, so I hope this helps others.
Also, if you are reading this and didn't really use Composer before, like me, this tutorial should help you out.

License confusion, is it MIT or AGPL?

I'm kinda confused about the licensing of this package. In some places it states AGPL, in some it states MIT, and in some both.

I would like to use it in a GPL project and from my understanding that won't work if this library is licensed under AGPL.

In the login form, if the user has entered a wrong username and password, then from the next time on validateRequest() returns false

I am facing an issue when executing the login action for the second time.
I can see the issue is with the validateRequest() function, where once we find a valid CSRF token we unset the current CSRF token (unset($this->session[$this->sessionIndex][$index]);).
I am validating the CSRF token at the beginning of the action. I know it will work well if I check for CSRF validity at the end of the function, but this seems not to be expected.

Can you please help me with this issue? What is the use of unsetting the CSRF token inside validateRequest()?

Class not found

Class 'ParagonIE\AntiCSRF\AntiCSRF' not found

Structure:

```
domain.com/index.php ----> require('myincludes/myautoloader.php');
domain.com/my includes/myautoloader.php
domain.com/my includes/ParagonIE/AntiCSRF/AntiCSRF.php
domain.com/my includes/ParagonIE/yourautoloader.php
```

myautoloader.php calls ParagonIE/yourautoloader.php

Which is copy/pasted from here.

Token generation mismatch: hidden input does not match the session variable

Inputs on the form:

```html
<!--
--><input type="hidden" name="_CSRF_INDEX" value="v6Dzi3KrRDV68kNdPFCES+UU"><!--
--><input type="hidden" name="_CSRF_TOKEN" value="wLoNJygvlKTxBEuhTa/WCjnvtoYldgmTet7MsFQlXU0=">
```

Session variables dumped at the end of the page:

```
array(1) {
  ["CSRF"]=>
  array(1) {
    ["v6Dzi3KrRDV68kNdPFCES+UU"]=>
    array(4) {
      ["created"]=>
      int(20160114152843)
      ["uri"]=>
      string(1) "/"
      ["token"]=>
      string(44) "T0kXM8I9nzUFv3w7flJTlbOjFa1OEMNR+5xwnHvpqr4="
      ["lockto"]=>
      string(5) "login"
    }
  }
}
```

Fatal PHP error thrown when using reconfigure()

Unable to use the reconfigure() function at all. Any array passed throws "PHP Fatal error: Uncaught Error: Cannot access empty property". I believe the cause of this is in AntiCSRF.php:

```php
$this->${$opt} = $val;
```

should be changed to:

```php
$this->${opt} = $val;
```

or

```php
$this->$opt = $val;
```

As $this->${$opt} where $opt = 'expire_old', for example, gets parsed as $this->$expire_old instead of $this->expire_old.
