From 4f5b44bd3bd490309eb2ba7b44df4769816ba729 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= <nicolas.loeuillet@gmail.com>
Date: Sat, 3 Aug 2013 19:26:54 +0200
Subject: twig implementation

---
 .../Csrf/CsrfProvider/CsrfProviderInterface.php    | 49 ++++++++++++++
 .../Csrf/CsrfProvider/DefaultCsrfProvider.php      | 78 ++++++++++++++++++++++
 .../Csrf/CsrfProvider/SessionCsrfProvider.php      | 57 ++++++++++++++++
 3 files changed, 184 insertions(+)
 create mode 100644 vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/CsrfProviderInterface.php
 create mode 100644 vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php
 create mode 100644 vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.php

(limited to 'vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider')

diff --git a/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/CsrfProviderInterface.php b/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/CsrfProviderInterface.php
new file mode 100644
index 00000000..7143b130
--- /dev/null
+++ b/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/CsrfProviderInterface.php
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
+
+/**
+ * Marks classes able to provide CSRF protection
+ *
+ * You can generate a CSRF token by using the method generateCsrfToken(). To
+ * this method you should pass a value that is unique to the page that should
+ * be secured against CSRF attacks. This value doesn't necessarily have to be
+ * secret. Implementations of this interface are responsible for adding more
+ * secret information.
+ *
+ * If you want to secure a form submission against CSRF attacks, you could
+ * supply an "intention" string. This way you make sure that the form can only
+ * be submitted to pages that are designed to handle the form, that is, that use
+ * the same intention string to validate the CSRF token with isCsrfTokenValid().
+ *
+ * @author Bernhard Schussek <bschussek@gmail.com>
+ */
+interface CsrfProviderInterface
+{
+    /**
+     * Generates a CSRF token for a page of your application.
+     *
+     * @param string $intention Some value that identifies the action intention
+     *                          (i.e. "authenticate"). Doesn't have to be a secret value.
+     */
+    public function generateCsrfToken($intention);
+
+    /**
+     * Validates a CSRF token.
+     *
+     * @param string $intention The intention used when generating the CSRF token
+     * @param string $token     The token supplied by the browser
+     *
+     * @return Boolean Whether the token supplied by the browser is correct
+     */
+    public function isCsrfTokenValid($intention, $token);
+}
diff --git a/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php b/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php
new file mode 100644
index 00000000..5354886c
--- /dev/null
+++ b/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider.php
@@ -0,0 +1,78 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
+
+/**
+ * Default implementation of CsrfProviderInterface.
+ *
+ * This provider uses the session ID returned by session_id() as well as a
+ * user-defined secret value to secure the CSRF token.
+ *
+ * @author Bernhard Schussek <bschussek@gmail.com>
+ */
+class DefaultCsrfProvider implements CsrfProviderInterface
+{
+    /**
+     * A secret value used for generating the CSRF token
+     * @var string
+     */
+    protected $secret;
+
+    /**
+     * Initializes the provider with a secret value
+     *
+     * A recommended value for the secret is a generated value with at least
+     * 32 characters and mixed letters, digits and special characters.
+     *
+     * @param string $secret A secret value included in the CSRF token
+     */
+    public function __construct($secret)
+    {
+        $this->secret = $secret;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function generateCsrfToken($intention)
+    {
+        return sha1($this->secret.$intention.$this->getSessionId());
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function isCsrfTokenValid($intention, $token)
+    {
+        return $token === $this->generateCsrfToken($intention);
+    }
+
+    /**
+     * Returns the ID of the user session.
+     *
+     * Automatically starts the session if necessary.
+     *
+     * @return string The session ID
+     */
+    protected function getSessionId()
+    {
+        if (version_compare(PHP_VERSION, '5.4', '>=')) {
+            if (PHP_SESSION_NONE === session_status()) {
+                session_start();
+            }
+        } elseif (!session_id()) {
+            session_start();
+        }
+
+        return session_id();
+    }
+}
diff --git a/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.php b/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.php
new file mode 100644
index 00000000..ea1fa585
--- /dev/null
+++ b/vendor/symfony/form/Symfony/Component/Form/Extension/Csrf/CsrfProvider/SessionCsrfProvider.php
@@ -0,0 +1,57 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Extension\Csrf\CsrfProvider;
+
+use Symfony\Component\HttpFoundation\Session\Session;
+
+/**
+ * This provider uses a Symfony2 Session object to retrieve the user's
+ * session ID.
+ *
+ * @see DefaultCsrfProvider
+ *
+ * @author Bernhard Schussek <bschussek@gmail.com>
+ */
+class SessionCsrfProvider extends DefaultCsrfProvider
+{
+    /**
+     * The user session from which the session ID is returned
+     * @var Session
+     */
+    protected $session;
+
+    /**
+     * Initializes the provider with a Session object and a secret value.
+     *
+     * A recommended value for the secret is a generated value with at least
+     * 32 characters and mixed letters, digits and special characters.
+     *
+     * @param Session $session The user session
+     * @param string  $secret  A secret value included in the CSRF token
+     */
+    public function __construct(Session $session, $secret)
+    {
+        parent::__construct($secret);
+
+        $this->session = $session;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function getSessionId()
+    {
+        $this->session->start();
+
+        return $this->session->getId();
+    }
+}
-- 
cgit v1.2.3