Fixed CSRF prevention checks for REST calls, moved CSRF initialization to Bootstrap

Duncan Sommerville 2015-02-20 13:12:49 -05:00
parent 0177e40083
commit be7cae4408
4 changed files with 33 additions and 11 deletions


@ -32,8 +32,9 @@ class PluploadController extends Zend_Controller_Action
}
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
$csrf_namespace->setExpirationSeconds(5*60*60);
$csrf_namespace->authtoken = sha1(uniqid(rand(),1));
/* Moved to be globally set in Bootstrap */
// $csrf_namespace->setExpirationSeconds(5*60*60);
// $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
$csrf_element = new Zend_Form_Element_Hidden('csrf');
$csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');