3873e4ba00
See https://github.com/silverstripe/silverstripe-framework/pull/7037 and https://github.com/silverstripe/silverstripe-framework/issues/6681 Squashed commit of the following: commit8f65e56532
Author: Ingo Schommer <me@chillu.com> Date: Thu Jun 22 22:25:50 2017 +1200 Fixed upgrade guide spelling commit76f95944fa
Author: Damian Mooyman <damian@silverstripe.com> Date: Thu Jun 22 16:38:34 2017 +1200 BUG Fix non-test class manifest including sapphiretest / functionaltest commit9379834cb4
Author: Damian Mooyman <damian@silverstripe.com> Date: Thu Jun 22 15:50:47 2017 +1200 BUG Fix nesting bug in Kernel commit188ce35d82
Author: Damian Mooyman <damian@silverstripe.com> Date: Thu Jun 22 15:14:51 2017 +1200 BUG fix db bootstrapping issues commit7ed4660e7a
Author: Damian Mooyman <damian@silverstripe.com> Date: Thu Jun 22 14:49:07 2017 +1200 BUG Fix issue in DetailedErrorFormatter commit738f50c497
Author: Damian Mooyman <damian@silverstripe.com> Date: Thu Jun 22 11:49:19 2017 +1200 Upgrading notes on mysite/_config.php commit6279d28e5e
Author: Damian Mooyman <damian@silverstripe.com> Date: Thu Jun 22 11:43:28 2017 +1200 Update developer documentation commit5c90d53a84
Author: Damian Mooyman <damian@silverstripe.com> Date: Thu Jun 22 10:48:44 2017 +1200 Update installer to not use global databaseConfig commitf9b2ba4755
Author: Damian Mooyman <damian@silverstripe.com> Date: Wed Jun 21 21:04:39 2017 +1200 Fix behat issues commit5b59a912b6
Author: Damian Mooyman <damian@silverstripe.com> Date: Wed Jun 21 17:07:11 2017 +1200 Move HTTPApplication to SilverStripe\Control namespace commite2c4a18f63
Author: Damian Mooyman <damian@silverstripe.com> Date: Wed Jun 21 16:29:03 2017 +1200 More documentation Fix up remaining tests Refactor temp DB into TempDatabase class so it’s available outside of unit tests. commit5d235e64f3
Author: Damian Mooyman <damian@silverstripe.com> Date: Wed Jun 21 12:13:15 2017 +1200 API HTTPRequestBuilder::createFromEnvironment() now cleans up live globals BUG Fix issue with SSViewer Fix Security / View tests commitd88d4ed4e4
Author: Damian Mooyman <damian@silverstripe.com> Date: Tue Jun 20 16:39:43 2017 +1200 API Refactor AppKernel into CoreKernel commitf7946aec33
Author: Damian Mooyman <damian@silverstripe.com> Date: Tue Jun 20 16:00:40 2017 +1200 Docs and minor cleanup commit12bd31f936
Author: Damian Mooyman <damian@silverstripe.com> Date: Tue Jun 20 15:34:34 2017 +1200 API Remove OutputMiddleware API Move environment / global / ini management into Environment class API Move getTempFolder into TempFolder class API Implement HTTPRequestBuilder / CLIRequestBuilder BUG Restore SS_ALLOWED_HOSTS check in original location API CoreKernel now requires $basePath to be passed in API Refactor installer.php to use application to bootstrap API move memstring conversion globals to Convert BUG Fix error in CoreKernel nesting not un-nesting itself properly. commitbba9791146
Author: Damian Mooyman <damian@silverstripe.com> Date: Mon Jun 19 18:07:53 2017 +1200 API Create HTTPMiddleware and standardise middleware for request handling commit2a10c2397b
Author: Damian Mooyman <damian@silverstripe.com> Date: Mon Jun 19 17:42:42 2017 +1200 Fixed ORM tests commitd75a8d1d93
Author: Damian Mooyman <damian@silverstripe.com> Date: Mon Jun 19 17:15:07 2017 +1200 Fix i18n tests commit06364af3c3
Author: Damian Mooyman <damian@silverstripe.com> Date: Mon Jun 19 16:59:34 2017 +1200 Fix controller namespace Move states to sub namespace commit2a278e2953
Author: Damian Mooyman <damian@silverstripe.com> Date: Mon Jun 19 12:49:45 2017 +1200 Fix forms namespace commitb65c21241b
Author: Damian Mooyman <damian@silverstripe.com> Date: Thu Jun 15 18:56:48 2017 +1200 Update API usages commitd1d4375c95
Author: Damian Mooyman <damian@silverstripe.com> Date: Thu Jun 15 18:41:44 2017 +1200 API Refactor $flush into HTPPApplication API Enforce health check in Controller::pushCurrent() API Better global backup / restore Updated Director::test() to use new API commitb220534f06
Author: Damian Mooyman <damian@silverstripe.com> Date: Tue Jun 13 22:05:57 2017 +1200 Move app nesting to a test state helper commit603704165c
Author: Damian Mooyman <damian@silverstripe.com> Date: Tue Jun 13 21:46:04 2017 +1200 Restore kernel stack to fix multi-level nesting commit2f6336a15b
Author: Damian Mooyman <damian@silverstripe.com> Date: Tue Jun 13 17:23:21 2017 +1200 API Implement kernel nesting commitfc7188da7d
Author: Damian Mooyman <damian@silverstripe.com> Date: Tue Jun 13 15:43:13 2017 +1200 Fix core tests commita0ae723514
Author: Damian Mooyman <damian@silverstripe.com> Date: Tue Jun 13 15:23:52 2017 +1200 Fix manifest tests commitca03395251
Author: Damian Mooyman <damian@silverstripe.com> Date: Tue Jun 13 15:00:00 2017 +1200 API Move extension management into test state commitc66d433977
Author: Damian Mooyman <damian@silverstripe.com> Date: Tue Jun 13 14:10:59 2017 +1200 API Refactor SapphireTest state management into SapphireTestState API Remove Injector::unregisterAllObjects() API Remove FakeController commitf26ae75c6e
Author: Damian Mooyman <damian@silverstripe.com> Date: Mon Jun 12 18:04:34 2017 +1200 Implement basic CLI application object commit001d559662
Author: Damian Mooyman <damian@silverstripe.com> Date: Mon Jun 12 17:39:38 2017 +1200 Remove references to SapphireTest::is_running_test() Upgrade various code commitde079c041d
Author: Damian Mooyman <damian@silverstripe.com> Date: Wed Jun 7 18:07:33 2017 +1200 API Implement APP object API Refactor of Session
<?php
namespace SilverStripe\Security;
use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\Session;
use SilverStripe\Core\Config\Configurable;
use SilverStripe\Core\Injector\Injectable;
use SilverStripe\Forms\FieldList;
use SilverStripe\Forms\HiddenField;
use SilverStripe\View\TemplateGlobalProvider;
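/**
 * Cross Site Request Forgery (CSRF) protection for the {@link Form} class and other GET links.
 * Can be used globally (through {@link SecurityToken::inst()})
 * or on a form-by-form basis {@link Form->getSecurityToken()}.
 *
 * The token value lives in the session of the current request under the key returned by
 * {@link getName()} and is generated lazily on first access (see {@link getValue()}).
 *
 * <b>Usage in forms</b>
 *
 * This protective measure is automatically turned on for all new {@link Form} instances,
 * and can be globally disabled through {@link disable()}.
 *
 * <b>Usage in custom controller actions</b>
 *
 * <code>
 * class MyController extends Controller {
 *     function mygetaction($request) {
 *         if(!SecurityToken::inst()->checkRequest($request)) return $this->httpError(400);
 *
 *         // valid action logic ...
 *     }
 * }
 * </code>
 *
 * @todo Make token name form specific for additional forgery protection.
 */
class SecurityToken implements TemplateGlobalProvider
{
    use Configurable;
    use Injectable;

    /**
     * Session key (and request parameter name) used when no explicit name is given.
     *
     * @var string
     */
    protected static $default_name = 'SecurityID';

    /**
     * Lazily created global instance, see {@link inst()}.
     *
     * @var SecurityToken
     */
    protected static $inst = null;

    /**
     * Whether tokens are globally enabled, see {@link enable()} and {@link disable()}.
     *
     * @var boolean
     */
    protected static $enabled = true;

    /**
     * Name of this token; doubles as the session key and the request parameter name.
     *
     * @var string $name
     */
    protected $name = null;

    /**
     * @param string $name Token name; falls back to {@link get_default_name()} when empty
     */
    public function __construct($name = null)
    {
        $this->name = $name ?: self::get_default_name();
    }

    /**
     * Gets a global token (or creates one if it doesn't exist already).
     *
     * @return SecurityToken
     */
    public static function inst()
    {
        if (!self::$inst) {
            self::$inst = new SecurityToken();
        }

        return self::$inst;
    }

    /**
     * Globally disable the token (override with {@link NullSecurityToken})
     * implementation. Note: Does not apply to instances obtained before this
     * call, see {@link isEnabled()}.
     */
    public static function disable()
    {
        self::$enabled = false;
        self::$inst = new NullSecurityToken();
    }

    /**
     * Globally enable tokens that have been previously disabled through {@link disable}.
     */
    public static function enable()
    {
        self::$enabled = true;
        self::$inst = new SecurityToken();
    }

    /**
     * @return boolean
     */
    public static function is_enabled()
    {
        return self::$enabled;
    }

    /**
     * @return string
     */
    public static function get_default_name()
    {
        return self::$default_name;
    }

    /**
     * Returns the value of the global SecurityToken in the current session
     *
     * @return string
     */
    public static function getSecurityID()
    {
        $token = SecurityToken::inst();
        return $token->getValue();
    }

    /**
     * Rename this token. The current value is carried over to the new session key
     * (reading it first also generates a value if none existed yet).
     *
     * @param string $name
     */
    public function setName($name)
    {
        $val = $this->getValue();
        $this->name = $name;
        $this->setValue($val);
    }

    /**
     * @return string
     */
    public function getName()
    {
        return $this->name;
    }

    /**
     * Returns the token value stored in the current session, generating and
     * storing a fresh one if no (truthy) value is present yet.
     *
     * @return string
     */
    public function getValue()
    {
        $session = Controller::curr()->getRequest()->getSession();
        $value = $session->get($this->getName());

        // only regenerate if the token isn't already set in the session
        if (!$value) {
            $value = $this->generate();
            $this->setValue($value);
        }

        return $value;
    }

    /**
     * Stores $val in the current session under {@link getName()}.
     *
     * @param string $val
     */
    public function setValue($val)
    {
        $session = Controller::curr()->getRequest()->getSession();
        $session->set($this->getName(), $val);
    }

    /**
     * Reset the token to a new value.
     */
    public function reset()
    {
        $this->setValue($this->generate());
    }

    /**
     * Checks for an existing CSRF token in the current users session.
     * This check is automatically performed in {@link Form->httpSubmission()}
     * if a form has security tokens enabled.
     * This direct check is mainly used for URL actions on {@link FormField} that are not routed
     * through {@link Form->httpSubmission()}.
     *
     * Typically you'll want to check {@link Form->securityTokenEnabled()} before calling this method.
     *
     * The comparison uses hash_equals() so it is strict (no loose `==` coercion of
     * numeric-looking hex tokens) and constant-time.
     *
     * @param string $compare Token value supplied by the client
     * @return bool True only if $compare is a non-empty string identical to the session token
     */
    public function check($compare)
    {
        // Anything other than a non-empty string (e.g. an array request var) can never match
        if (!is_string($compare) || $compare === '') {
            return false;
        }

        $expected = $this->getValue();
        if (!is_string($expected) || $expected === '') {
            return false;
        }

        return hash_equals($expected, $compare);
    }

    /**
     * See {@link check()}.
     *
     * @param HTTPRequest $request
     * @return bool
     */
    public function checkRequest($request)
    {
        $token = $this->getRequestToken($request);
        return $this->check($token);
    }

    /**
     * Get security token from request
     *
     * The header is checked first, under 'X-' followed by the lower-cased name with its
     * first letter capitalised (e.g. 'X-Securityid' for the default name); otherwise the
     * request var (GET/POST) of the same name as the token is used.
     *
     * @param HTTPRequest $request
     * @return string
     */
    protected function getRequestToken($request)
    {
        $name = $this->getName();
        $header = 'X-' . ucwords(strtolower($name));
        $token = $request->getHeader($header);
        if ($token) {
            return $token;
        }

        // Get from request var
        return $request->requestVar($name);
    }

    /**
     * Adds a hidden field carrying the current token value to $fieldset, unless a
     * field with the token's name is already present.
     *
     * Note: Doesn't call {@link FormField->setForm()}
     * on the returned {@link HiddenField}, you'll need to take
     * care of this yourself.
     *
     * @param FieldList $fieldset
     * @return HiddenField|false The added field, or false if one already existed
     */
    public function updateFieldSet(&$fieldset)
    {
        if ($fieldset->fieldByName($this->getName())) {
            return false;
        }

        $field = new HiddenField($this->getName(), null, $this->getValue());
        $fieldset->push($field);
        return $field;
    }

    /**
     * Appends the token as a query parameter to $url.
     *
     * @param string $url
     * @return string
     */
    public function addToUrl($url)
    {
        // Controller::join_links() is responsible for merging the '?' with any existing query string
        return Controller::join_links($url, sprintf('?%s=%s', $this->getName(), $this->getValue()));
    }

    /**
     * You can't disable an existing instance, it will need to be overwritten like this:
     * <code>
     * $old = SecurityToken::inst(); // isEnabled() returns true
     * SecurityToken::disable();
     * $new = SecurityToken::inst(); // isEnabled() returns false
     * </code>
     *
     * @return boolean
     */
    public function isEnabled()
    {
        return !($this instanceof NullSecurityToken);
    }

    /**
     * Generates a fresh random token value.
     *
     * @uses RandomGenerator
     *
     * @return string
     */
    protected function generate()
    {
        $generator = new RandomGenerator();
        return $generator->randomToken('sha1');
    }

    /**
     * Exposes the global token value to templates as $SecurityID / $getSecurityID.
     *
     * @return array
     */
    public static function get_template_global_variables()
    {
        return [
            'getSecurityID',
            'SecurityID' => 'getSecurityID',
        ];
    }
}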