EZP-30161: Handle form token in both custom and also for historical reasons default value #166

Merged
merged 1 commit into from
Oct 11, 2019
26 changes: 20 additions & 6 deletions extension/ezformtoken/event/ezxformtoken.php
Expand Up @@ -38,7 +38,7 @@ class ezxFormToken
static protected $intention = 'legacy';

/**
* @var string
* @var string Custom Form field, by default set to system default form field (self::FORM_FIELD).
*/
static protected $formField = self::FORM_FIELD;

Expand Down Expand Up @@ -90,6 +90,8 @@ static public function setIntention( $intention )
}

/**
* Get the custom form field.
*
* @return string
*/
static protected function getFormField()
Expand All @@ -98,6 +100,8 @@ static protected function getFormField()
}

/**
* Set the custom form field.
*
* @param string $formField
*/
static public function setFormField( $formField )
Expand Down Expand Up @@ -137,6 +141,11 @@ static public function input( eZURI $uri )
{
$token = $_POST[self::getFormField()];
}
// For historical reasons also check the system default form field
else if ( !empty( $_POST[self::FORM_FIELD] ) )
{
$token = $_POST[self::FORM_FIELD];
}
// allow ajax calls using POST with other formats than forms (such as
// json or xml) to still validate using a custom http header
else if ( !empty( $_SERVER['HTTP_X_CSRF_TOKEN'] ) )
Expand Down Expand Up @@ -188,19 +197,22 @@ static public function output( $templateResult, $filterForms = true )
}

$token = self::getToken();
$field = self::getFormField();
$customfield = self::getFormField();
$defaultField = self::FORM_FIELD;
$replaceKey = self::REPLACE_KEY;

eZDebugSetting::writeDebug( 'ezformtoken', 'Output protected (all forms will be modified)', __METHOD__ );

// Inject token for programmatical use (also system default for historical reasons)
// If document has head tag, insert in a html5 valid and semi standard way
if ( strpos( $templateResult, '<head>' ) !== false )
{
$templateResult = str_replace(
'<head>',
"<head>\n"
. "<meta name=\"csrf-param\" content=\"{$field}\" />\n"
. "<meta name=\"csrf-token\" id=\"{$field}_js\" title=\"{$token}\" content=\"{$token}\" />\n",
. "<meta name=\"csrf-param\" content=\"{$customfield}\" />\n"
. "<meta name=\"csrf-token\" id=\"{$customfield}_js\" title=\"{$token}\" content=\"{$token}\" />\n"
. ($defaultField !== $customfield ? "<meta name=\"csrf-token-x\" id=\"{$defaultField}_js\" title=\"{$token}\" content=\"{$token}\" />\n" : ''),
$templateResult
);
}
Expand All @@ -209,16 +221,18 @@ static public function output( $templateResult, $filterForms = true )
{
$templateResult = preg_replace(
'/(<body[^>]*>)/i',
'\\1' . "\n<span style='display:none;' id=\"{$field}_js\" title=\"{$token}\"></span>\n",
'\\1' . "\n<span style='display:none;' id=\"{$customfield}_js\" title=\"{$token}\"></span>\n"
. ($defaultField !== $customfield ? "\n<span style='display:none;' id=\"{$defaultField}_js\" title=\"{$token}\"></span>\n" : ''),
$templateResult
);
}

// For forms we set the custom field which will be sent back to this class and evaluated
if ( $filterForms )
{
$templateResult = preg_replace(
'/(<form\W[^>]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)/i',
'\\1' . "\n<input type=\"hidden\" name=\"{$field}\" value=\"{$token}\" />\n",
'\\1' . "\n<input type=\"hidden\" name=\"{$customfield}\" value=\"{$token}\" />\n",
$templateResult
);
}
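Review bot: The new legacy fallback in input(), `else if ( !empty( $_POST[self::FORM_FIELD] ) )`, widens which request field is accepted as the token once a custom field name is configured, and nothing records which branch supplied it, so an operator cannot see which forms still post the default name or notice when the fallback starts being exercised. Add a debug line in that branch mirroring the one already used in output(), `eZDebugSetting::writeDebug( 'ezformtoken', 'Token read from default form field (legacy fallback)', __METHOD__ );`, and state the precedence (custom field first; the default field only when the custom one is absent or empty) in input()'s docblock, which lies outside the hunk. The same custom-versus-default pairing is repeated in the head and body output hunks, where the two new `{$defaultField}` interpolations land in HTML attributes unescaped exactly like the existing `{$customfield}` ones; that is harmless while both are code-defined constants, but if setFormField() can be fed configuration it deserves a comment saying the value must be attribute-safe.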