legacy/csrf check - in some cases people receive a csrf error when posting a legacy form, which does seem to be caused by newToken() registering new session variables onto a closed session. As authgui.inc closes the session after usage, a race might happen. Make sure the session is opened before using it; we likely don't have to bother closing it, as the legacy page already assumed it was closed on script exit.

Ad Schellevis 2023-05-04 09:39:37 +02:00
parent 485716532c
commit fcaa6f15a9


@ -73,6 +73,10 @@ class LegacyCSRF
{
$random = new \OPNsense\Phalcon\Encryption\Security\Random();
// only request new token when session has none
if (session_status() == PHP_SESSION_NONE) {
// our session is not guaranteed to be started at this point.
session_start();
}
if (empty($_SESSION['$PHALCON/CSRF/KEY$']) || empty($_SESSION['$PHALCON/CSRF$'])) {
$_SESSION['$PHALCON/CSRF$'] = $random->base64Safe(16);
$_SESSION['$PHALCON/CSRF/KEY$'] = $random->base64Safe(16);
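Review bot: The `session_start()` added at the top of this hunk leaves the session open (and its lock held) for the remainder of the request, which is a behaviour change relative to the message's description of authgui.inc closing the session after use; either add `session_write_close();` after the two `$_SESSION[...]` assignments so the token is flushed and the lock released immediately, or document in the new comment that the session is intentionally left open until script exit so later readers don't reintroduce a close elsewhere. Minor: `session_status() === PHP_SESSION_NONE` keeps the comparison strict, and note that when `session_status()` returns `PHP_SESSION_DISABLED` this branch still proceeds to write `$_SESSION` without a session.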