Change Core\Csrf
Add getError() method. Returns the error text for verify(): 'Expired token' or 'Bad token'.
This commit is contained in:
parent
74c5b7d7a5
commit
2df6800f6f
13 changed files with 54 additions and 16 deletions
|
@ -16,6 +16,11 @@ class Csrf
|
|||
*/
|
||||
protected $key;
|
||||
|
||||
/**
|
||||
* @var ?string
|
||||
*/
|
||||
protected $error;
|
||||
|
||||
public function __construct(Secury $secury, string $key)
|
||||
{
|
||||
$this->secury = $secury;
|
||||
|
@ -27,6 +32,8 @@ class Csrf
|
|||
*/
|
||||
public function create(string $marker, array $args = [], /* string|int */ $time = null): string
|
||||
{
|
||||
$this->error = null;
|
||||
|
||||
unset($args['token'], $args['#']);
|
||||
\ksort($args);
|
||||
$marker .= '|';
|
||||
|
@ -43,10 +50,35 @@ class Csrf
|
|||
*/
|
||||
public function verify($token, string $marker, array $args = []): bool
|
||||
{
|
||||
return \is_string($token)
|
||||
$this->error = null;
|
||||
$now = \time();
|
||||
$matches = null;
|
||||
|
||||
$result = \is_string($token)
|
||||
&& \preg_match('%f(\d+)$%D', $token, $matches)
|
||||
&& $matches[1] < \time()
|
||||
&& $matches[1] + 1800 > \time()
|
||||
&& $matches[1] + 0 < $now
|
||||
&& $matches[1] + 1800 >= $now
|
||||
&& \hash_equals($this->create($marker, $args, $matches[1]), $token);
|
||||
|
||||
if (! $result) {
|
||||
if (
|
||||
isset($matches[1])
|
||||
&& $matches[1] + 1800 < $now
|
||||
) {
|
||||
$this->error = 'Expired token';
|
||||
} else {
|
||||
$this->error = 'Bad token';
|
||||
}
|
||||
}
|
||||
|
||||
return $result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Возвращает ошибку из метода verify
|
||||
*/
|
||||
public function getError(): ?string
|
||||
{
|
||||
return $this->error;
|
||||
}
|
||||
}
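Review bot: In verify() the 'Expired token' classification (the `isset($matches[1]) && $matches[1] + 1800 < $now` branch) is decided from the plain-text timestamp suffix alone, before hash_equals() has confirmed the token was ever issued, so any string ending in `f` plus an old number is reported as expired rather than bad. The message leaks nothing secret, but it is misleading and, because the `$result` chain short-circuits on the time checks, an expired-but-genuine token and a forged one are indistinguishable to the caller. I would evaluate the signature first and derive expiry only for a token that verifies; the rewritten body is below. Also note that create() now resets `$this->error` (second hunk), so a caller that regenerates a token between verify() and getError() will read null — worth a one-line comment on the property, e.g. `// Error text of the last verify(); cleared by create() and verify()`.
```php
    $this->error = null;
    $now = \time();
    $matches = null;

    // Signature first: only a token this instance actually issued can be "expired".
    $signed = \is_string($token)
        && \preg_match('%f(\d+)$%D', $token, $matches)
        && \hash_equals($this->create($marker, $args, $matches[1]), $token);

    $result = $signed
        && $matches[1] + 0 < $now
        && $matches[1] + 1800 >= $now;

    if (! $result) {
        $this->error = $signed && $matches[1] + 1800 < $now
            ? 'Expired token'
            : 'Bad token';
    }

    return $result;
```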
|
||||
|
|
|
@ -708,7 +708,7 @@ class Validator
|
|||
! \is_string($value)
|
||||
|| ! $this->c->Csrf->verify($value, $attr, $args)
|
||||
) {
|
||||
$this->addError('Bad token', 'e');
|
||||
$this->addError($this->c->Csrf->getError(), 'e');
|
||||
|
||||
return null;
|
||||
} else {
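Review bot: `$this->addError($this->c->Csrf->getError(), 'e')` can receive null: when `$value` is not a string (e.g. a request field submitted as an array) the `||` short-circuits and Csrf->verify() is never called, so getError() returns whatever was left from an earlier call — null on a fresh instance. If addError() declares a non-nullable `string` parameter this is a TypeError on user-controlled input; I cannot see its signature from the hunk, so please confirm. The View hunk in this commit already guards the same way; use the same fallback here: `$this->addError($this->c->Csrf->getError() ?? 'Bad token', 'e');`. The enclosing method starts and ends outside the hunk.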
|
||||
|
|
|
@ -862,7 +862,7 @@ class Bans extends Admin
|
|||
public function delete(array $args, string $method): Page
|
||||
{
|
||||
if (! $this->c->Csrf->verify($args['token'], 'AdminBansDelete', $args)) {
|
||||
return $this->c->Message->message('Bad token');
|
||||
return $this->c->Message->message($this->c->Csrf->getError());
|
||||
}
|
||||
|
||||
$ids = [
|
||||
|
|
|
@ -217,7 +217,7 @@ class BBCode extends Parser
|
|||
public function delete(array $args, string $method): Page
|
||||
{
|
||||
if (! $this->c->Csrf->verify($args['token'], 'AdminBBCodeDelete', $args)) {
|
||||
return $this->c->Message->message('Bad token');
|
||||
return $this->c->Message->message($this->c->Csrf->getError());
|
||||
}
|
||||
|
||||
$this->c->bbcode->delete((int) $args['id']);
|
||||
|
@ -631,7 +631,7 @@ class BBCode extends Parser
|
|||
public function default(array $args, string $method): Page
|
||||
{
|
||||
if (! $this->c->Csrf->verify($args['token'], 'AdminBBCodeDefault', $args)) {
|
||||
return $this->c->Message->message('Bad token');
|
||||
return $this->c->Message->message($this->c->Csrf->getError());
|
||||
}
|
||||
|
||||
$id = (int) $args['id'];
|
||||
|
|
|
@ -345,7 +345,7 @@ class Smilies extends Parser
|
|||
public function delete(array $args, string $method): Page
|
||||
{
|
||||
if (! $this->c->Csrf->verify($args['token'], 'AdminSmiliesDelete', $args)) {
|
||||
return $this->c->Message->message('Bad token');
|
||||
return $this->c->Message->message($this->c->Csrf->getError());
|
||||
}
|
||||
|
||||
if (
|
||||
|
|
|
@ -136,7 +136,7 @@ class Reports extends Admin
|
|||
public function zap(array $args, string $method): Page
|
||||
{
|
||||
if (! $this->c->Csrf->verify($args['token'], 'AdminReportsZap', $args)) {
|
||||
return $this->c->Message->message('Bad token');
|
||||
return $this->c->Message->message($this->c->Csrf->getError());
|
||||
}
|
||||
|
||||
$this->c->Lang->load('admin_reports');
|
||||
|
|
|
@ -31,7 +31,7 @@ class Action extends Users
|
|||
{
|
||||
if (isset($args['token'])) {
|
||||
if (! $this->c->Csrf->verify($args['token'], 'AdminUsersAction', $args)) {
|
||||
return $this->c->Message->message('Bad token');
|
||||
return $this->c->Message->message($this->c->Csrf->getError());
|
||||
}
|
||||
$profile = true;
|
||||
} else {
|
||||
|
|
|
@ -13,7 +13,7 @@ class Promote extends Users
|
|||
public function promote(array $args, string $method): Page
|
||||
{
|
||||
if (! $this->c->Csrf->verify($args['token'], 'AdminUserPromote', $args)) {
|
||||
return $this->c->Message->message('Bad token');
|
||||
return $this->c->Message->message($this->c->Csrf->getError());
|
||||
}
|
||||
|
||||
$user = $this->c->users->load((int) $args['uid']);
|
||||
|
|
|
@ -422,7 +422,7 @@ class View extends Users
|
|||
]);
|
||||
|
||||
if (! $v->validation($_POST)) {
|
||||
return $this->c->Message->message('Bad token');
|
||||
return $this->c->Message->message($this->c->Csrf->getError() ?? 'Bad token');
|
||||
}
|
||||
|
||||
$this->c->users->updateCountPosts();
|
||||
|
|
|
@ -16,7 +16,7 @@ class Auth extends Page
|
|||
public function logout(array $args): Page
|
||||
{
|
||||
if (! $this->c->Csrf->verify($args['token'], 'Logout', $args)) {
|
||||
return $this->c->Redirect->page('Index')->message('Bad token');
|
||||
return $this->c->Redirect->page('Index')->message($this->c->Csrf->getError());
|
||||
}
|
||||
|
||||
$this->c->Cookie->deleteUser();
|
||||
|
|
|
@ -20,7 +20,7 @@ class Misc extends Page
|
|||
}
|
||||
|
||||
if (! $this->c->Csrf->verify($args['token'], 'MarkRead', $args)) {
|
||||
return $this->c->Redirect->url($forum->link)->message('Bad token');
|
||||
return $this->c->Redirect->url($forum->link)->message($this->c->Csrf->getError());
|
||||
}
|
||||
|
||||
$this->c->forums->markread($forum, $this->user); // ???? флуд интервал?
|
||||
|
@ -38,7 +38,7 @@ class Misc extends Page
|
|||
public function forumSubscription(array $args): Page
|
||||
{
|
||||
if (! $this->c->Csrf->verify($args['token'], 'ForumSubscription', $args)) {
|
||||
return $this->c->Message->message('Bad token');
|
||||
return $this->c->Message->message($this->c->Csrf->getError());
|
||||
}
|
||||
|
||||
$forum = $this->c->forums->get((int) $args['fid']);
|
||||
|
@ -71,7 +71,7 @@ class Misc extends Page
|
|||
public function topicSubscription(array $args): Page
|
||||
{
|
||||
if (! $this->c->Csrf->verify($args['token'], 'TopicSubscription', $args)) {
|
||||
return $this->c->Message->message('Bad token');
|
||||
return $this->c->Message->message($this->c->Csrf->getError());
|
||||
}
|
||||
|
||||
$topic = $this->c->topics->load((int) $args['tid']);
|
||||
|
|
|
@ -61,6 +61,9 @@ msgstr "When sending email there was an error. Please try again later or contact
|
|||
msgid "Bad token"
|
||||
msgstr "Bad token."
|
||||
|
||||
msgid "Expired token"
|
||||
msgstr "Expired token."
|
||||
|
||||
msgid "Bad request"
|
||||
msgstr "Bad request. The link you followed is incorrect or outdated."
|
||||
|
||||
|
|
|
@ -70,6 +70,9 @@ msgstr "У вас нет прав на просмотр этой страниц
|
|||
msgid "Bad token"
|
||||
msgstr "Неверный токен."
|
||||
|
||||
msgid "Expired token"
|
||||
msgstr "Токен просрочен."
|
||||
|
||||
msgid "No cookie"
|
||||
msgstr "Вы вошли, но куки (cookie) не были установлены. Пожалуйста проверьте настройки браузера и, если возможно, разрешите куки для этого сайта."
|
||||
|
||||
|
|