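<?php
/* -----------------------------------------------------------------------------------------
   $Id$

   modified eCommerce Shopsoftware - community made shopping
   http://www.modified-shop.org

   Copyright (c) 2009 - 2012 modified eCommerce Shopsoftware
   -----------------------------------------------------------------------------------------
   Released under the GNU General Public License
   ---------------------------------------------------------------------------------------*/

// CSRF protection for form posts.
//
// A request without POST data gets a fresh token pair
// ($_SESSION['CSRFName'] / $_SESSION['CSRFToken']) unless the running script is on
// an exclusion list ($CSRFKeep). A request with POST data must carry the field named
// by $_SESSION['CSRFName'] holding the value of $_SESSION['CSRFToken']; otherwise the
// POST data and the action/saction GET parameters are discarded, a warning is logged,
// the token pair is rotated and (admin mode only) a message is queued on $messageStack.
//
// Expected from the including scope: $PHP_SELF, $_SESSION, optionally
// $module_exclusions (array of filename fragments) and, in admin mode, $messageStack
// plus the CSRF_TOKEN_MANIPULATION / CSRF_TOKEN_NOT_DEFINED language constants.

// include needed function (provides xtc_RandomString)
require_once (DIR_FS_INC . 'xtc_create_password.inc.php');

// user defined exclusions: comma separated filename fragments, whitespace is ignored
if (defined('CSRF_TOKEN_EXCLUSIONS') && CSRF_TOKEN_EXCLUSIONS != '') {
  $user_exclusions = preg_replace("'[\r\n\s]+'", '', CSRF_TOKEN_EXCLUSIONS);
  // drop empty entries (e.g. from a trailing comma): strpos() with an empty needle
  // matches every script name and would switch token rotation off for all pages
  $user_exclusions = array_values(array_filter(explode(',', $user_exclusions), 'strlen'));
}

if (!isset($module_exclusions) || !is_array($module_exclusions)) {
  $module_exclusions = array();
}

// keep Token for popups, user_exclusions, module_exclusions
$CSRFKeep = false;

if (defined('RUN_MODE_ADMIN')) {
  // @t10: defaults
  $exclusions = array('print_order', 'print_packingslip', 'bill', 'popup', 'haendlerbund', 'new_attributes');

  // @t10: merge in user_exclusions
  if (isset($user_exclusions) && is_array($user_exclusions)) {
    $exclusions = array_merge($exclusions, $user_exclusions);
  }

  // @t10: merge in module exclusions
  if (isset($module_exclusions) && is_array($module_exclusions)) {
    $exclusions = array_merge($exclusions, $module_exclusions);
  }

  // substring match against the running script name, so an entry like 'popup'
  // covers every popup_*.php; empty entries are skipped for the reason given above
  $current_script = basename($PHP_SELF);
  foreach ($exclusions as $filename) {
    $filename = (string)$filename;
    if ($filename !== '' && strpos($current_script, $filename) !== false) {
      $CSRFKeep = true;
      break;
    }
  }
}

// verify CSRF Token
if (is_array($_POST) && count($_POST) > 0) {
  // '' = token ok, 'not_defined' = no token submitted, 'manipulation' = token mismatch
  $csrf_failure = '';
  if (!isset($_SESSION['CSRFName']) || !isset($_SESSION['CSRFToken'])) {
    // no token pair in the session yet (e.g. first request of a new session):
    // there is nothing to compare against
    $csrf_failure = 'not_defined';
  } elseif (!isset($_POST[$_SESSION['CSRFName']])) {
    $csrf_failure = 'not_defined';
  } elseif (!is_string($_POST[$_SESSION['CSRFName']])
            || !hash_equals((string)$_SESSION['CSRFToken'], $_POST[$_SESSION['CSRFName']])) {
    // constant-time comparison instead of !=; a non-string (array) value can never be a valid token
    $csrf_failure = 'manipulation';
  }

  if ($csrf_failure !== '') {
    // log the failure, but only the submitted field names: the values may contain
    // passwords or other secrets that do not belong in the error log
    $csrf_log = ($csrf_failure === 'manipulation') ? 'CSRFToken manipulation.' : 'CSRFToken not defined.';
    trigger_error($csrf_log . "\nPOST fields: " . implode(', ', array_keys($_POST)), E_USER_WARNING);

    // discard the request data; an empty array (instead of unset($_POST)) keeps
    // later isset()/count() checks on $_POST in this request working
    $_POST = array();
    unset($_GET['action']);
    unset($_GET['saction']);

    // create CSRF Token
    $_SESSION['CSRFName'] = xtc_RandomString(6);
    $_SESSION['CSRFToken'] = xtc_RandomString(32);
    if (defined('RUN_MODE_ADMIN')) {
      $csrf_message = ($csrf_failure === 'manipulation') ? CSRF_TOKEN_MANIPULATION : CSRF_TOKEN_NOT_DEFINED;
      $messageStack->add($csrf_message, 'warning');
      $messageStack->add_session($csrf_message, 'warning');
    }
  }
} elseif ($CSRFKeep === false) {
  // no POST data: rotate the token pair (one token per request), unless the running
  // script is excluded, e.g. a popup that must not invalidate the token of its opener
  $_SESSION['CSRFName'] = xtc_RandomString(6);
  $_SESSION['CSRFToken'] = xtc_RandomString(32);
}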