Created
March 23, 2018 05:57
-
-
Save nanasess/2a1c5c754963ffb0f0781e7ce14e5e39 to your computer and use it in GitHub Desktop.
CSRF token validation for ajax
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/src/Eccube/Controller/AbstractController.php b/src/Eccube/Controller/AbstractController.php | |
| index 0f1c17500..b4caae677 100644 | |
| --- a/src/Eccube/Controller/AbstractController.php | |
| +++ b/src/Eccube/Controller/AbstractController.php | |
| @@ -32,6 +32,7 @@ use Eccube\Common\EccubeConfig; | |
| use Symfony\Bundle\FrameworkBundle\Controller\Controller; | |
| use Symfony\Component\EventDispatcher\EventDispatcherInterface; | |
| use Symfony\Component\Form\FormFactoryInterface; | |
| +use Symfony\Component\HttpFoundation\Request; | |
| use Symfony\Component\HttpFoundation\Session\Session; | |
| use Symfony\Component\HttpFoundation\Session\SessionInterface; | |
| use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; | |
| @@ -202,9 +203,11 @@ class AbstractController extends Controller | |
| */ | |
| protected function isTokenValid() | |
| { | |
| + /** @var Request $request */ | |
| $request = $this->container->get('request_stack')->getCurrentRequest(); | |
| + $token = $request->get(Constant::TOKEN_NAME) ? $request->get(Constant::TOKEN_NAME) : $request->headers->get('x-csrf-token'); | |
| - if (!$this->isCsrfTokenValid(Constant::TOKEN_NAME, $request->get(Constant::TOKEN_NAME))) { | |
| + if (!$this->isCsrfTokenValid(Constant::TOKEN_NAME, $token)) { | |
| throw new AccessDeniedHttpException('CSRF token is invalid.'); | |
| } | |
| diff --git a/src/Eccube/Controller/Admin/Product/TagController.php b/src/Eccube/Controller/Admin/Product/TagController.php | |
| index 2335e2027..659699480 100644 | |
| --- a/src/Eccube/Controller/Admin/Product/TagController.php | |
| +++ b/src/Eccube/Controller/Admin/Product/TagController.php | |
| @@ -111,6 +111,7 @@ class TagController extends AbstractController | |
| public function moveSortNo(Request $request) | |
| { | |
| if ($request->isXmlHttpRequest()) { | |
| + $this->isTokenValid(); | |
| $sortNos = $request->request->all(); | |
| foreach ($sortNos as $tagId => $sortNo) { | |
| /* @var $Tag \Eccube\Entity\Tag */ | |
| diff --git a/src/Eccube/Resource/template/admin/Product/tag.twig b/src/Eccube/Resource/template/admin/Product/tag.twig | |
| index 66ccd660e..395c3baea 100644 | |
| --- a/src/Eccube/Resource/template/admin/Product/tag.twig | |
| +++ b/src/Eccube/Resource/template/admin/Product/tag.twig | |
| @@ -66,6 +66,9 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
| url: '{{ url('admin_product_tag_sort_no_move') }}', | |
| type: 'POST', | |
| data: newSortNos, | |
| + headers: { | |
| + 'x-csrf-token': $('meta[name="x-csrf-token"]').attr('content') | |
| + } | |
| }).done(function (data) { | |
| doDisableArrow(); | |
| }).fail(function () { | |
| diff --git a/src/Eccube/Resource/template/admin/styleguide_frame.twig b/src/Eccube/Resource/template/admin/styleguide_frame.twig | |
| index 74516e52a..3d9831bb9 100644 | |
| --- a/src/Eccube/Resource/template/admin/styleguide_frame.twig | |
| +++ b/src/Eccube/Resource/template/admin/styleguide_frame.twig | |
| @@ -3,6 +3,7 @@ | |
| <head> | |
| <meta charset="utf-8"> | |
| <meta name="viewport" content="width=device-width, minimum-scale=1, initial-scale=1, user-scalable=no"> | |
| + <meta name="x-csrf-token" content="{{ csrf_token() }}"> | |
| <title>{{ BaseInfo.shop_name }} - 管理画面</title> | |
| <link rel="stylesheet" href="{{ asset('assets/css/bootstrap.css', 'admin') }}"> | |
| <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous"> | |
| diff --git a/src/Eccube/Twig/Extension/CsrfExtension.php b/src/Eccube/Twig/Extension/CsrfExtension.php | |
| index 3068bf1bd..79cc3be87 100644 | |
| --- a/src/Eccube/Twig/Extension/CsrfExtension.php | |
| +++ b/src/Eccube/Twig/Extension/CsrfExtension.php | |
| @@ -32,9 +32,18 @@ class CsrfExtension extends AbstractExtension | |
| { | |
| return [ | |
| new TwigFunction('csrf_token_for_anchor', [$this, 'getCsrfTokenForAnchor'], ['is_safe' => ['all']]), | |
| + new TwigFunction('csrf_token', [$this, 'getCsrfToken'], ['is_safe' => ['all']]) | |
| ]; | |
| } | |
| + /** | |
| + * @return string | |
| + */ | |
| + public function getCsrfToken() | |
| + { | |
| + return $this->tokenManager->getToken(Constant::TOKEN_NAME)->getValue(); | |
| + } | |
| + | |
| /** | |
| * @return string | |
| */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment