Implement CSRF token by default

Implement CSRF protection on CMS for postback handling
2017-10-30 08:59:19 +11:00 · 2017-10-30 08:59:19 +11:00 · 4a6e0e1e0e
parent 08989ff40a
commit 4a6e0e1e0e
2 changed files with 30 additions and 1 deletions
--- a/config/cms.php
+++ b/config/cms.php
@ -332,7 +332,7 @@ return [
    |
    */

-    'enableCsrfProtection' => false,
+    'enableCsrfProtection' => true,

    /*
    |--------------------------------------------------------------------------
--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@ -337,6 +337,7 @@ class Controller
        if (
            $useAjax &&
            ($handler = post('_handler')) &&
+            ($this->verifyCsrfToken()) &&
            ($handlerResponse = $this->runAjaxHandler($handler)) &&
            $handlerResponse !== true
        ) {
@ -1355,4 +1356,32 @@ class Controller
            }
        }
    }
+
+    //
+    // Security
+    //
+
+    /**
+     * Checks the request data / headers for a valid CSRF token.
+     * Returns false if a valid token is not found. Override this
+     * method to disable the check.
+     * @return bool
+     */
+    protected function verifyCsrfToken()
+    {
+        if (!Config::get('cms.enableCsrfProtection')) {
+            return true;
+        }
+
+        if (in_array(Request::method(), ['HEAD', 'GET', 'OPTIONS'])) {
+            return true;
+        }
+
+        $token = Request::input('_token') ?: Request::header('X-CSRF-TOKEN');
+
+        return hash_equals(
+            Session::token(),
+            $token
+        );
+    }
 }