diff --git a/plist b/plist
index 67ba8b9db..1ad8909e8 100644
--- a/plist
+++ b/plist
@@ -510,7 +510,6 @@
 /usr/local/opnsense/mvc/app/library/OPNsense/Core/Backend.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Core/Config.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Core/ConfigException.php
-/usr/local/opnsense/mvc/app/library/OPNsense/Core/Csrf.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Core/File.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php
 /usr/local/opnsense/mvc/app/library/OPNsense/Core/Routing.php
diff --git a/src/opnsense/mvc/app/library/OPNsense/Core/Csrf.php b/src/opnsense/mvc/app/library/OPNsense/Core/Csrf.php
deleted file mode 100644
index 9a5ef47ec..000000000
--- a/src/opnsense/mvc/app/library/OPNsense/Core/Csrf.php
+++ /dev/null
@@ -1,58 +0,0 @@
-base64Safe(16);
- $_SESSION['$PHALCON/CSRF/KEY$'] = $this->base64Safe(16);
- }
- return [
- 'token' => $_SESSION['$PHALCON/CSRF$'],
- 'key' => $_SESSION['$PHALCON/CSRF/KEY$']
- ];
- }
-}
diff --git a/src/www/csrf.inc b/src/www/csrf.inc
index 822657e8b..61e485e6d 100644
--- a/src/www/csrf.inc
+++ b/src/www/csrf.inc
@@ -28,9 +28,6 @@ class LegacyCSRF
 {
- private $di = null;
- private $security = null;
- private $session = null;
 private $is_html_output = false;
 
 public function __construct()
 {
@@ -53,6 +50,32 @@ class LegacyCSRF
 ob_start(array($this,'csrfRewriteHandler'), 5242880);
 }
 
+ /**
+ * Generate a random URL-safe base64 string.
+ * Usable base64 characters according to https://www.ietf.org/rfc/rfc3548.txt
+ */
+ public function base64Safe($len = 16)
+ {
+ return rtrim(strtr(base64_encode(random_bytes($len)), "+/", "-_"), '=');
+ }
+
+ public function getToken()
+ {
+ // only request new token when session has none
+ if (session_status() == PHP_SESSION_NONE) {
+ // our session is not guaranteed to be started at this point.
+ session_start();
+ }
+ if (empty($_SESSION['$PHALCON/CSRF/KEY$']) || empty($_SESSION['$PHALCON/CSRF$'])) {
+ $_SESSION['$PHALCON/CSRF$'] = $this->base64Safe(16);
+ $_SESSION['$PHALCON/CSRF/KEY$'] = $this->base64Safe(16);
+ }
+ return [
+ 'token' => $_SESSION['$PHALCON/CSRF$'],
+ 'key' => $_SESSION['$PHALCON/CSRF/KEY$']
+ ];
+ }
+
 public function checkToken()
 {
 $result = false; // default, not valid
@@ -76,7 +99,7 @@ class LegacyCSRF
 $this->is_html_output = true;
 }
 if ($this->is_html_output) {
- $csrf = (new OPNsense\Core\Csrf())->getToken();
+ $csrf = $this->getToken();
 $inputtag = "";
 $buffer = preg_replace('#(
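Review bot: The return value of `session_start()` in the new getToken() is never checked, so if starting the session fails (for instance because headers were already sent by the time the output-buffer handler calls `$this->getToken()` in the hunk below — inferred from the `ob_start(... 'csrfRewriteHandler' ...)` registration, worth confirming) the two `$_SESSION` writes are silently lost and the token rendered into the page can presumably never match what checkToken() later reads from the session, surfacing only as a rejected form. Suggest failing visibly instead: `if (session_status() === PHP_SESSION_NONE && !session_start()) {` / `    throw new \RuntimeException('unable to start session for CSRF token');` / `}`, which also replaces the loose `==` with `===`. The comment `// only request new token when session has none` sits above the session_status() check but describes the `empty()` check that follows; move it down to that `if`. getToken() also deserves a docblock stating the contract the code shows — `@return array{token: string, key: string}` (both values persist in the session until it ends) and `@throws \Exception` because random_bytes() throws when no CSPRNG is available, which is the correct fail-closed behaviour and should be stated rather than left implicit.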