From 2fe96c5414e00fc2af8df38f379a02166a563a7d Mon Sep 17 00:00:00 2001
From: Vincent Zanotti <vincent.zanotti@polytechnique.org>
Date: Fri, 25 Apr 2008 11:01:21 +0200
Subject: [PATCH] Adds basic support for XSRF protection.

Signed-off-by: Vincent Zanotti <vincent.zanotti@polytechnique.org>
---
 classes/session.php                   |  8 ++++++++
 plugins/function.xsrf_token.php       | 27 +++++++++++++++++++++++++++
 plugins/function.xsrf_token_field.php | 30 ++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 plugins/function.xsrf_token.php
 create mode 100644 plugins/function.xsrf_token_field.php

diff --git a/classes/session.php b/classes/session.php
index 07f6fab..a1e72da 100644
--- a/classes/session.php
+++ b/classes/session.php
@@ -27,6 +27,9 @@ class Session
         if (empty($_SESSION['challenge'])) {
             $_SESSION['challenge'] = sha1(uniqid(rand(), true));
         }
+        if (empty($_SESSION['xsrf_token'])) {
+            $_SESSION['xsrf_token'] = rand_url_id();
+        }
         if (!isset($_SESSION['perms']) || !($_SESSION['perms'] instanceof FlagSet)) {
             $_SESSION['perms'] = new FlagSet();
         }
@@ -74,6 +77,11 @@ class Session
         return Session::logged() && Session::v('perms')->hasFlag(PERMS_ADMIN);
     }
 
+    public static function has_xsrf_token()
+    {
+        return Session::has('xsrf_token') && Session::v('xsrf_token') == Env::v('token');
+    }
+
     public static function logged()
     {
         return Session::v('auth', AUTH_PUBLIC) >= AUTH_COOKIE;
diff --git a/plugins/function.xsrf_token.php b/plugins/function.xsrf_token.php
new file mode 100644
index 0000000..0258495
--- /dev/null
+++ b/plugins/function.xsrf_token.php
@@ -0,0 +1,27 @@
+<?php
+/***************************************************************************
+ *  Copyright (C) 2003-2008 Polytechnique.org                              *
+ *  http://opensource.polytechnique.org/                                   *
+ *                                                                         *
+ *  This program is free software; you can redistribute it and/or modify   *
+ *  it under the terms of the GNU General Public License as published by   *
+ *  the Free Software Foundation; either version 2 of the License, or      *
+ *  (at your option) any later version.                                    *
+ *                                                                         *
+ *  This program is distributed in the hope that it will be useful,        *
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
+ *  GNU General Public License for more details.                           *
+ *                                                                         *
+ *  You should have received a copy of the GNU General Public License      *
+ *  along with this program; if not, write to the Free Software            *
+ *  Foundation, Inc.,                                                      *
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
+ ***************************************************************************/
+
+function smarty_function_xsrf_token($params, &$smarty) {
+    return Session::v('xsrf_token', '');
+}
+
+// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
+?>
diff --git a/plugins/function.xsrf_token_field.php b/plugins/function.xsrf_token_field.php
new file mode 100644
index 0000000..28f09b8
--- /dev/null
+++ b/plugins/function.xsrf_token_field.php
@@ -0,0 +1,30 @@
+<?php
+/***************************************************************************
+ *  Copyright (C) 2003-2008 Polytechnique.org                              *
+ *  http://opensource.polytechnique.org/                                   *
+ *                                                                         *
+ *  This program is free software; you can redistribute it and/or modify   *
+ *  it under the terms of the GNU General Public License as published by   *
+ *  the Free Software Foundation; either version 2 of the License, or      *
+ *  (at your option) any later version.                                    *
+ *                                                                         *
+ *  This program is distributed in the hope that it will be useful,        *
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
+ *  GNU General Public License for more details.                           *
+ *                                                                         *
+ *  You should have received a copy of the GNU General Public License      *
+ *  along with this program; if not, write to the Free Software            *
+ *  Foundation, Inc.,                                                      *
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
+ ***************************************************************************/
+
+function smarty_function_xsrf_token_field($params, &$smarty) {
+    if (Session::has('xsrf_token')) {
+        return '<input type="hidden" name="token" value="' . Session::v('xsrf_token') . '" />';
+    }
+    return '';
+}
+
+// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
+?>
-- 
2.1.4