Diffstat (limited to 'vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider')
3 files changed, 184 insertions, 0 deletions
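--- /dev/null
+++ b/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/CsrfProviderInterface.php
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
+
+/**
+ * Marks classes able to provide CSRF protection
+ *
+ * You can generate a CSRF token by using the method generateCsrfToken(). To
+ * this method you should pass a value that is unique to the page that should
+ * be secured against CSRF attacks. This value doesn't necessarily have to be
+ * secret. Implementations of this interface are responsible for adding more
+ * secret information.
+ *
+ * If you want to secure a form submission against CSRF attacks, you could
+ * supply an "intention" string. This way you make sure that the form can only
+ * be submitted to pages that are designed to handle the form, that is, that use
+ * the same intention string to validate the CSRF token with isCsrfTokenValid().
+ *
+ * @author Bernhard Schussek <bschussek@gmail.com>
+ */
+interface CsrfProviderInterface
+{
+    /**
+     * Generates a CSRF token for a page of your application.
+     *
+     * @param string $intention Some value that identifies the action intention
+     *                          (i.e. "authenticate"). Doesn't have to be a secret value.
+     */
+    public function generateCsrfToken($intention);
+
+    /**
+     * Validates a CSRF token.
+     *
+     * @param string $intention The intention used when generating the CSRF token
+     * @param string $token     The token supplied by the browser
+     *
+     * @return Boolean Whether the token supplied by the browser is correct
+     */
+    public function isCsrfTokenValid($intention, $token);
+}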
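--- /dev/null
+++ b/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php
@@ -0,0 +1,78 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
+
+/**
+ * Default implementation of CsrfProviderInterface.
+ *
+ * This provider uses the session ID returned by session_id() as well as a
+ * user-defined secret value to secure the CSRF token.
+ *
+ * @author Bernhard Schussek <bschussek@gmail.com>
+ */
+class DefaultCsrfProvider implements CsrfProviderInterface
+{
+    /**
+     * A secret value used for generating the CSRF token
+     * @var string
+     */
+    protected $secret;
+
+    /**
+     * Initializes the provider with a secret value
+     *
+     * A recommended value for the secret is a generated value with at least
+     * 32 characters and mixed letters, digits and special characters.
+     *
+     * @param string $secret A secret value included in the CSRF token
+     */
+    public function __construct($secret)
+    {
+        $this->secret = $secret;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function generateCsrfToken($intention)
+    {
+        return sha1($this->secret.$intention.$this->getSessionId());
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function isCsrfTokenValid($intention, $token)
+    {
+        return $token === $this->generateCsrfToken($intention);
+    }
+
+    /**
+     * Returns the ID of the user session.
+     *
+     * Automatically starts the session if necessary.
+     *
+     * @return string The session ID
+     */
+    protected function getSessionId()
+    {
+        if (version_compare(PHP_VERSION, '5.4', '>=')) {
+            if (PHP_SESSION_NONE === session_status()) {
+                session_start();
+            }
+        } elseif (!session_id()) {
+            session_start();
+        }
+
+        return session_id();
+    }
+}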
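--- /dev/null
+++ b/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.php
@@ -0,0 +1,57 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
+
+use Symfony\Component\HttpFoundation\Session\Session;
+
+/**
+ * This provider uses a Symfony2 Session object to retrieve the user's
+ * session ID.
+ *
+ * @see DefaultCsrfProvider
+ *
+ * @author Bernhard Schussek <bschussek@gmail.com>
+ */
+class SessionCsrfProvider extends DefaultCsrfProvider
+{
+    /**
+     * The user session from which the session ID is returned
+     * @var Session
+     */
+    protected $session;
+
+    /**
+     * Initializes the provider with a Session object and a secret value.
+     *
+     * A recommended value for the secret is a generated value with at least
+     * 32 characters and mixed letters, digits and special characters.
+     *
+     * @param Session $session The user session
+     * @param string  $secret  A secret value included in the CSRF token
+     */
+    public function __construct(Session $session, $secret)
+    {
+        parent::__construct($secret);
+
+        $this->session = $session;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function getSessionId()
+    {
+        $this->session->start();
+
+        return $this->session->getId();
+    }
+}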