
Remove CSRF class and check behavior
* CSRF is Cross-Site Request Forgery.
* The class was mislabeled CSRF instead of AntiCSRF when it was created.
* Anti-CSRF features worked well but was seen as unnecessary.
* Since Memcache, which this depends on, is being ripped out, this is
  going with it.
carlbennett committed Mar 3, 2021
1 parent 2302413 commit 97d4a5f
Showing 45 changed files with 12 additions and 402 deletions.
15 changes: 0 additions & 15 deletions src/controllers/Comment/Delete.php
Expand Up @@ -3,7 +3,6 @@
namespace BNETDocs\Controllers\Comment;

use \BNETDocs\Libraries\Authentication;
use \BNETDocs\Libraries\CSRF;
use \BNETDocs\Libraries\Comment;
use \BNETDocs\Libraries\EventTypes;
use \BNETDocs\Libraries\Exceptions\CommentNotFoundException;
Expand All @@ -24,8 +23,6 @@ public function &run(Router &$router, View &$view, array &$args) {
$data = $router->getRequestQueryArray();
$model = new CommentDeleteModel();
$model->comment = null;
$model->csrf_id = mt_rand();
$model->csrf_token = CSRF::generate($model->csrf_id);
$model->error = null;
$model->id = (isset($data['id']) ? $data['id'] : null);
$model->parent_id = null;
Expand Down Expand Up @@ -68,19 +65,7 @@ protected function tryDelete(Router &$router, CommentDeleteModel &$model) {
return;
}

$data = $router->getRequestBodyArray();
$csrf_id = (isset($data['csrf_id' ]) ? $data['csrf_id' ] : null);
$csrf_token = (isset($data['csrf_token']) ? $data['csrf_token'] : null);
$csrf_valid = CSRF::validate($csrf_id, $csrf_token);

if (!$csrf_valid) {
$model->error = 'INVALID_CSRF';
return;
}
CSRF::invalidate($csrf_id);

$model->error = false;

$id = (int) $model->id;
$parent_type = (int) $model->parent_type;
$parent_id = (int) $model->parent_id;
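Review bot: After the removed block, tryDelete proceeds from the early return straight to `$id = (int) $model->id;` with nothing that ties the POST to a page this site served — the id itself is read from the query string in run, and the session cookie is presumably the only remaining signal that the request is the user's own. The same removal is made in Comment/Edit.php, Document/Create.php, Document/Delete.php, Document/Edit.php, News/Create.php, News/Delete.php, News/Edit.php, Packet/Delete.php and Packet/Edit.php. The Memcache dependency could have been replaced rather than the protection dropped: a token kept in the session and compared with hash_equals(), or rejecting state-changing requests whose Origin/Referer host is not this site's, needs no cache; failing that, confirm the session cookie is issued with SameSite=Lax or Strict, since that is what would now stop a cross-site POST in current browsers. Whichever is chosen, leave a marker where the check used to be, e.g. `// No anti-CSRF token check since 97d4a5f; cross-site POST protection relies on [MECHANISM — fill in].` tryDelete's body continues outside the hunk.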
28 changes: 2 additions & 26 deletions src/controllers/Comment/Edit.php
Expand Up @@ -3,7 +3,6 @@
namespace BNETDocs\Controllers\Comment;

use \BNETDocs\Libraries\Authentication;
use \BNETDocs\Libraries\CSRF;
use \BNETDocs\Libraries\Comment;
use \BNETDocs\Libraries\EventTypes;
use \BNETDocs\Libraries\Exceptions\CommentNotFoundException;
Expand All @@ -30,14 +29,8 @@ public function &run( Router &$router, View &$view, array &$args ) {
$post_data = $router->getRequestBodyArray();

$model = new CommentEditModel();

$model->csrf_id = mt_rand();
$model->csrf_token = CSRF::generate( $model->csrf_id );
$model->user = Authentication::$user;

$model->id = (
isset( $query_data[ 'id' ]) ? $query_data[ 'id' ] : null
);
$model->user = Authentication::$user;
$model->id = (isset( $query_data[ 'id' ]) ? $query_data[ 'id' ] : null);
$model->content = (
isset( $post_data[ 'content' ]) ? $post_data[ 'content' ] : null
);
Expand Down Expand Up @@ -100,23 +93,6 @@ protected function tryModify( Router &$router, CommentEditModel &$model ) {
return;
}

$post_data = $router->getRequestBodyArray();

$csrf_id = (
isset( $post_data[ 'csrf_id' ]) ? $post_data[ 'csrf_id' ] : null
);
$csrf_token = (
isset( $post_data[ 'csrf_token' ]) ? $post_data[ 'csrf_token' ] : null
);
$csrf_valid = CSRF::validate( $csrf_id, $csrf_token );

if ( !$csrf_valid ) {
$model->error = 'INVALID_CSRF';
return;
}

CSRF::invalidate( $csrf_id );

$model->error = false;

$id = (int) $model->id;
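Review bot: The rewritten `$model->id` line in run keeps the `isset(...) ? ... : null` form even though the line was being rewritten anyway; if the project targets PHP 7 or later this reads as `$model->id = $query_data['id'] ?? null;`, and the `$model->content` assignment directly below it, still in the old multi-line form, would collapse the same way. The reordering also moves `$model->user = Authentication::$user;` ahead of `$model->id`, which is harmless here since neither assignment depends on the other. run starts outside the hunk.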
12 changes: 0 additions & 12 deletions src/controllers/Document/Create.php
Expand Up @@ -3,7 +3,6 @@
namespace BNETDocs\Controllers\Document;

use \BNETDocs\Libraries\Authentication;
use \BNETDocs\Libraries\CSRF;
use \BNETDocs\Libraries\Document;
use \BNETDocs\Libraries\EventTypes;
use \BNETDocs\Libraries\Logger;
Expand All @@ -19,8 +18,6 @@
class Create extends Controller {
public function &run(Router &$router, View &$view, array &$args) {
$model = new DocumentCreateModel();
$model->csrf_id = mt_rand();
$model->csrf_token = CSRF::generate($model->csrf_id, 7200); // 2 hours
$model->error = null;
$model->user = Authentication::$user;

Expand Down Expand Up @@ -48,9 +45,6 @@ protected function handlePost(Router &$router, DocumentCreateModel &$model) {
Common::$database = DatabaseDriver::getDatabaseObject();
}
$data = $router->getRequestBodyArray();
$csrf_id = (isset($data['csrf_id' ]) ? $data['csrf_id' ] : null);
$csrf_token = (isset($data['csrf_token']) ? $data['csrf_token'] : null);
$csrf_valid = CSRF::validate($csrf_id, $csrf_token);
$title = (isset($data['title' ]) ? $data['title' ] : null);
$markdown = (isset($data['markdown' ]) ? $data['markdown' ] : null);
$content = (isset($data['content' ]) ? $data['content' ] : null);
Expand All @@ -61,12 +55,6 @@ protected function handlePost(Router &$router, DocumentCreateModel &$model) {
$model->markdown = $markdown;
$model->content = $content;

if (!$csrf_valid) {
$model->error = 'INVALID_CSRF';
return;
}
CSRF::invalidate($csrf_id);

if (empty($title)) {
$model->error = 'EMPTY_TITLE';
} else if (empty($content)) {
14 changes: 0 additions & 14 deletions src/controllers/Document/Delete.php
Expand Up @@ -3,7 +3,6 @@
namespace BNETDocs\Controllers\Document;

use \BNETDocs\Libraries\Authentication;
use \BNETDocs\Libraries\CSRF;
use \BNETDocs\Libraries\Document;
use \BNETDocs\Libraries\EventTypes;
use \BNETDocs\Libraries\Exceptions\DocumentNotFoundException;
Expand All @@ -22,8 +21,6 @@ class Delete extends Controller {
public function &run(Router &$router, View &$view, array &$args) {
$data = $router->getRequestQueryArray();
$model = new DocumentDeleteModel();
$model->csrf_id = mt_rand();
$model->csrf_token = CSRF::generate($model->csrf_id);
$model->document = null;
$model->error = null;
$model->id = (isset($data['id']) ? $data['id'] : null);
Expand Down Expand Up @@ -59,17 +56,6 @@ protected function tryDelete(Router &$router, DocumentDeleteModel &$model) {
return;
}

$data = $router->getRequestBodyArray();
$csrf_id = (isset($data['csrf_id' ]) ? $data['csrf_id' ] : null);
$csrf_token = (isset($data['csrf_token']) ? $data['csrf_token'] : null);
$csrf_valid = CSRF::validate($csrf_id, $csrf_token);

if (!$csrf_valid) {
$model->error = 'INVALID_CSRF';
return;
}
CSRF::invalidate($csrf_id);

if (!$model->acl_allowed) {
$model->error = 'ACL_NOT_SET';
return;
12 changes: 0 additions & 12 deletions src/controllers/Document/Edit.php
Expand Up @@ -3,7 +3,6 @@
namespace BNETDocs\Controllers\Document;

use \BNETDocs\Libraries\Authentication;
use \BNETDocs\Libraries\CSRF;
use \BNETDocs\Libraries\Document;
use \BNETDocs\Libraries\EventTypes;
use \BNETDocs\Libraries\Exceptions\DocumentNotFoundException;
Expand All @@ -26,8 +25,6 @@ public function &run(Router &$router, View &$view, array &$args) {
$data = $router->getRequestQueryArray();
$model = new DocumentEditModel();
$model->content = null;
$model->csrf_id = mt_rand();
$model->csrf_token = CSRF::generate($model->csrf_id, 7200); // 2 hours
$model->document = null;
$model->document_id = (isset($data['id']) ? $data['id'] : null);
$model->error = null;
Expand Down Expand Up @@ -74,9 +71,6 @@ protected function handlePost(Router &$router, DocumentEditModel &$model) {
}

$data = $router->getRequestBodyArray();
$csrf_id = (isset($data['csrf_id' ]) ? $data['csrf_id' ] : null);
$csrf_token = (isset($data['csrf_token']) ? $data['csrf_token'] : null);
$csrf_valid = CSRF::validate($csrf_id, $csrf_token);
$category = (isset($data['category' ]) ? $data['category' ] : null);
$title = (isset($data['title' ]) ? $data['title' ] : null);
$markdown = (isset($data['markdown' ]) ? $data['markdown' ] : null);
Expand All @@ -89,12 +83,6 @@ protected function handlePost(Router &$router, DocumentEditModel &$model) {
$model->markdown = $markdown;
$model->content = $content;

if (!$csrf_valid) {
$model->error = 'INVALID_CSRF';
return;
}
CSRF::invalidate($csrf_id);

if (empty($title)) {
$model->error = 'EMPTY_TITLE';
} else if (empty($content)) {
12 changes: 0 additions & 12 deletions src/controllers/News/Create.php
Expand Up @@ -3,7 +3,6 @@
namespace BNETDocs\Controllers\News;

use \BNETDocs\Libraries\Authentication;
use \BNETDocs\Libraries\CSRF;
use \BNETDocs\Libraries\EventTypes;
use \BNETDocs\Libraries\Exceptions\UnspecifiedViewException;
use \BNETDocs\Libraries\Logger;
Expand All @@ -21,8 +20,6 @@
class Create extends Controller {
public function &run(Router &$router, View &$view, array &$args) {
$model = new NewsCreateModel();
$model->csrf_id = mt_rand();
$model->csrf_token = CSRF::generate($model->csrf_id, 7200); // 2 hours
$model->error = null;
$model->news_categories = null;
$model->user = Authentication::$user;
Expand Down Expand Up @@ -60,9 +57,6 @@ protected function handlePost(Router &$router, NewsCreateModel &$model) {
Common::$database = DatabaseDriver::getDatabaseObject();
}
$data = $router->getRequestBodyArray();
$csrf_id = (isset($data['csrf_id' ]) ? $data['csrf_id' ] : null);
$csrf_token = (isset($data['csrf_token']) ? $data['csrf_token'] : null);
$csrf_valid = CSRF::validate($csrf_id, $csrf_token);
$category = (isset($data['category' ]) ? $data['category' ] : null);
$title = (isset($data['title' ]) ? $data['title' ] : null);
$markdown = (isset($data['markdown' ]) ? $data['markdown' ] : null);
Expand All @@ -77,12 +71,6 @@ protected function handlePost(Router &$router, NewsCreateModel &$model) {
$model->content = $content;
$model->rss_exempt = $rss_exempt;

if (!$csrf_valid) {
$model->error = 'INVALID_CSRF';
return;
}
CSRF::invalidate($csrf_id);

if (empty($title)) {
$model->error = 'EMPTY_TITLE';
} else if (empty($content)) {
14 changes: 0 additions & 14 deletions src/controllers/News/Delete.php
Expand Up @@ -3,7 +3,6 @@
namespace BNETDocs\Controllers\News;

use \BNETDocs\Libraries\Authentication;
use \BNETDocs\Libraries\CSRF;
use \BNETDocs\Libraries\EventTypes;
use \BNETDocs\Libraries\Exceptions\NewsPostNotFoundException;
use \BNETDocs\Libraries\Logger;
Expand All @@ -22,8 +21,6 @@ class Delete extends Controller {
public function &run(Router &$router, View &$view, array &$args) {
$data = $router->getRequestQueryArray();
$model = new NewsDeleteModel();
$model->csrf_id = mt_rand();
$model->csrf_token = CSRF::generate($model->csrf_id);
$model->error = null;
$model->id = (isset($data['id']) ? $data['id'] : null);
$model->news_post = null;
Expand Down Expand Up @@ -59,17 +56,6 @@ protected function tryDelete(Router &$router, NewsDeleteModel &$model) {
return;
}

$data = $router->getRequestBodyArray();
$csrf_id = (isset($data['csrf_id' ]) ? $data['csrf_id' ] : null);
$csrf_token = (isset($data['csrf_token']) ? $data['csrf_token'] : null);
$csrf_valid = CSRF::validate($csrf_id, $csrf_token);

if (!$csrf_valid) {
$model->error = 'INVALID_CSRF';
return;
}
CSRF::invalidate($csrf_id);

if (!$model->acl_allowed) {
$model->error = 'ACL_NOT_SET';
return;
12 changes: 0 additions & 12 deletions src/controllers/News/Edit.php
Expand Up @@ -3,7 +3,6 @@
namespace BNETDocs\Controllers\News;

use \BNETDocs\Libraries\Authentication;
use \BNETDocs\Libraries\CSRF;
use \BNETDocs\Libraries\EventTypes;
use \BNETDocs\Libraries\Exceptions\NewsPostNotFoundException;
use \BNETDocs\Libraries\Logger;
Expand All @@ -28,8 +27,6 @@ public function &run(Router &$router, View &$view, array &$args) {
$model = new NewsEditModel();
$model->category = null;
$model->content = null;
$model->csrf_id = mt_rand();
$model->csrf_token = CSRF::generate($model->csrf_id, 7200); // 2 hours
$model->error = null;
$model->markdown = null;
$model->news_categories = null;
Expand Down Expand Up @@ -88,9 +85,6 @@ protected function handlePost(Router &$router, NewsEditModel &$model) {
}

$data = $router->getRequestBodyArray();
$csrf_id = (isset($data['csrf_id' ]) ? $data['csrf_id' ] : null);
$csrf_token = (isset($data['csrf_token']) ? $data['csrf_token'] : null);
$csrf_valid = CSRF::validate($csrf_id, $csrf_token);
$category = (isset($data['category' ]) ? $data['category' ] : null);
$title = (isset($data['title' ]) ? $data['title' ] : null);
$markdown = (isset($data['markdown' ]) ? $data['markdown' ] : null);
Expand All @@ -105,12 +99,6 @@ protected function handlePost(Router &$router, NewsEditModel &$model) {
$model->content = $content;
$model->rss_exempt = $rss_exempt;

if (!$csrf_valid) {
$model->error = 'INVALID_CSRF';
return;
}
CSRF::invalidate($csrf_id);

if (empty($title)) {
$model->error = 'EMPTY_TITLE';
} else if (empty($content)) {
14 changes: 0 additions & 14 deletions src/controllers/Packet/Delete.php
Expand Up @@ -3,7 +3,6 @@
namespace BNETDocs\Controllers\Packet;

use \BNETDocs\Libraries\Authentication;
use \BNETDocs\Libraries\CSRF;
use \BNETDocs\Libraries\Packet;
use \BNETDocs\Libraries\EventTypes;
use \BNETDocs\Libraries\Exceptions\PacketNotFoundException;
Expand All @@ -22,8 +21,6 @@ class Delete extends Controller {
public function &run(Router &$router, View &$view, array &$args) {
$data = $router->getRequestQueryArray();
$model = new PacketDeleteModel();
$model->csrf_id = mt_rand();
$model->csrf_token = CSRF::generate($model->csrf_id);
$model->error = null;
$model->id = (isset($data['id']) ? $data['id'] : null);
$model->packet = null;
Expand Down Expand Up @@ -60,17 +57,6 @@ protected function tryDelete(Router &$router, PacketDeleteModel &$model) {
return;
}

$data = $router->getRequestBodyArray();
$csrf_id = (isset($data['csrf_id' ]) ? $data['csrf_id' ] : null);
$csrf_token = (isset($data['csrf_token']) ? $data['csrf_token'] : null);
$csrf_valid = CSRF::validate($csrf_id, $csrf_token);

if (!$csrf_valid) {
$model->error = 'INVALID_CSRF';
return;
}
CSRF::invalidate($csrf_id);

if (!$model->acl_allowed) {
$model->error = 'ACL_NOT_SET';
return;
12 changes: 0 additions & 12 deletions src/controllers/Packet/Edit.php
Expand Up @@ -3,7 +3,6 @@
namespace BNETDocs\Controllers\Packet;

use \BNETDocs\Libraries\Authentication;
use \BNETDocs\Libraries\CSRF;
use \BNETDocs\Libraries\EventTypes;
use \BNETDocs\Libraries\Exceptions\PacketNotFoundException;
use \BNETDocs\Libraries\Logger;
Expand All @@ -26,8 +25,6 @@ class Edit extends Controller {
public function &run(Router &$router, View &$view, array &$args) {
$data = $router->getRequestQueryArray();
$model = new PacketEditModel();
$model->csrf_id = mt_rand();
$model->csrf_token = CSRF::generate($model->csrf_id, 7200); // 2 hours
$model->deprecated = null;
$model->error = null;
$model->format = null;
Expand Down Expand Up @@ -84,9 +81,6 @@ protected function handlePost(Router &$router, PacketEditModel &$model) {
}

$data = $router->getRequestBodyArray();
$csrf_id = (isset($data['csrf_id' ]) ? $data['csrf_id' ] : null);
$csrf_token = (isset($data['csrf_token']) ? $data['csrf_token'] : null);
$csrf_valid = CSRF::validate($csrf_id, $csrf_token);
$id = (isset($data['id' ]) ? $data['id' ] : null);
$name = (isset($data['name' ]) ? $data['name' ] : null);
$format = (isset($data['format' ]) ? $data['format' ] : null);
Expand All @@ -108,12 +102,6 @@ protected function handlePost(Router &$router, PacketEditModel &$model) {
$model->research = $research;
$model->published = $published;

if (!$csrf_valid) {
$model->error = 'INVALID_CSRF';
return;
}
CSRF::invalidate($csrf_id);

if (empty($name)) {
$model->error = 'EMPTY_NAME';
} else if (empty($format)) {
