Skip to content

Y
yii2
Commit 36f6ebab by Qiang Xue
Options

Fixes issue #539: Yii2 Csrf protection broken

parent 5a8e4b64
Showing with 15 additions and 10 deletions
framework/yii/validators/CaptchaValidator.php
...@@ -21,6 +21,9 @@ use yii\helpers\Html; ...@@ -21,6 +21,9 @@ use yii\helpers\Html;
*/ */
class CaptchaValidator extends Validator class CaptchaValidator extends Validator
{ {
/**
* @var boolean whether to skip this validator if the input is empty.
*/
public $skipOnEmpty = false; public $skipOnEmpty = false;
/** /**
* @var boolean whether the comparison is case sensitive. Defaults to false. * @var boolean whether the comparison is case sensitive. Defaults to false.
......
framework/yii/web/CaptchaAction.php
...@@ -173,7 +173,7 @@ class CaptchaAction extends Action ...@@ -173,7 +173,7 @@ class CaptchaAction extends Action
{ {
$code = $this->getVerifyCode(); $code = $this->getVerifyCode();
$valid = $caseSensitive ? ($input === $code) : strcasecmp($input, $code) === 0; $valid = $caseSensitive ? ($input === $code) : strcasecmp($input, $code) === 0;
$session = Yii::$app->session; $session = Yii::$app->getSession();
$session->open(); $session->open();
$name = $this->getSessionKey() . 'count'; $name = $this->getSessionKey() . 'count';
$session[$name] = $session[$name] + 1; $session[$name] = $session[$name] + 1;
......
framework/yii/web/Request.php
...@@ -27,7 +27,7 @@ class Request extends \yii\base\Request ...@@ -27,7 +27,7 @@ class Request extends \yii\base\Request
* You may use [[\yii\web\Html::beginForm()]] to generate his hidden input. * You may use [[\yii\web\Html::beginForm()]] to generate his hidden input.
* @see http://en.wikipedia.org/wiki/Cross-site_request_forgery * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
*/ */
public $enableCsrfValidation = false; public $enableCsrfValidation = true;
/** /**
* @var string the name of the token used to prevent CSRF. Defaults to 'YII_CSRF_TOKEN'. * @var string the name of the token used to prevent CSRF. Defaults to 'YII_CSRF_TOKEN'.
* This property is effectively only when {@link enableCsrfValidation} is true. * This property is effectively only when {@link enableCsrfValidation} is true.
...@@ -771,7 +771,10 @@ class Request extends \yii\base\Request ...@@ -771,7 +771,10 @@ class Request extends \yii\base\Request
$this->_cookieValidationKey = $value; $this->_cookieValidationKey = $value;
} }
private $_csrfToken; /**
* @var Cookie
*/
private $_csrfCookie;
/** /**
* Returns the random token used to perform CSRF validation. * Returns the random token used to perform CSRF validation.
...@@ -781,16 +784,15 @@ class Request extends \yii\base\Request ...@@ -781,16 +784,15 @@ class Request extends \yii\base\Request
*/ */
public function getCsrfToken() public function getCsrfToken()
{ {
if ($this->_csrfToken === null) { if ($this->_csrfCookie === null) {
$cookies = $this->getCookies(); $this->_csrfCookie = $this->getCookies()->get($this->csrfTokenName);
if (($this->_csrfToken = $cookies->getValue($this->csrfTokenName)) === null) { if ($this->_csrfCookie === null) {
$cookie = $this->createCsrfCookie(); $this->_csrfCookie = $this->createCsrfCookie();
$this->_csrfToken = $cookie->value; Yii::$app->getResponse()->getCookies()->add($this->_csrfCookie);
$cookies->add($cookie);
} }
} }
return $this->_csrfToken; return $this->_csrfCookie->value;
} }
/** /**
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment