More csrf improvements (openemr#2509)

1. converted to class
2. truncate token to length 40

Author: bradymiller

apis/dispatch.php

@@ -71,6 +71,8 @@
 require_once("./../interface/globals.php");
 require_once("./../library/acl.inc");
 
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 if ($isLocalApi) {
     // need to check for csrf match when using api locally
     $csrfFail = false;
@@ -80,7 +82,7 @@
         $csrfFail = true;
     }
 
-    if ((!$csrfFail) && (!verifyCsrfToken($_SERVER['HTTP_APICSRFTOKEN'], 'api'))) {
+    if ((!$csrfFail) && (!CsrfUtils::verifyCsrfToken($_SERVER['HTTP_APICSRFTOKEN'], 'api'))) {
         error_log("OpenEMR Error: internal api failed because csrf token did not match");
         $csrfFail = true;
     }

contrib/forms/assessment_intake/new.php

@@ -12,14 +12,17 @@
 
 require_once("../../globals.php");
 require_once("$srcdir/api.inc");
+
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 formHeader("Form: assessment_intake");
 ?>
 <html><head>
 <link rel=stylesheet href="<?php echo $css_header;?>" type="text/css">
 </head>
 <body <?php echo $top_bg_line;?> topmargin=0 rightmargin=0 leftmargin=2 bottommargin=0 marginwidth=2 marginheight=0>
 <form method=post action="<?php echo $rootdir;?>/forms/assessment_intake/save.php?mode=new" name="my_form">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 <br>
 <span class="title"><center>Assessment and Intake</center></span><br><br>
 <center><a href="javascript:top.restoreSession();document.my_form.submit();" class="link_submit">[Save]</a>

contrib/forms/assessment_intake/save.php

@@ -14,9 +14,11 @@
 require_once("$srcdir/api.inc");
 require_once("$srcdir/forms.inc");
 
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 if (!empty($_POST)) {
-    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
-        csrfNotVerified();
+    if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
+        CsrfUtils::csrfNotVerified();
     }
 }
 

contrib/forms/assessment_intake/view.php

@@ -21,6 +21,9 @@
 ?>
 <?php
 require_once("../../globals.php");
+
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 ?>
 <html><head>
 <link rel=stylesheet href="<?php echo $css_header;?>" type="text/css">
@@ -33,7 +36,7 @@
 
 ?>
 <form method=post action="<?php echo $rootdir?>/forms/assessment_intake/save.php?mode=update&id=<?php echo attr_url($_GET["id"]);?>" name="my_form">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 
 <span class="title"><center><b>Assessment and Intake</b></center></span><br><br>
 

contrib/forms/body_composition/new.php

@@ -18,6 +18,8 @@
 require_once("$srcdir/api.inc");
 require_once("$srcdir/forms.inc");
 
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 $scale_file_name = '/tmp/tanita_scale.txt';
 $scale_file_age = -1;
 $row = array();
@@ -52,8 +54,8 @@ function rbinput($name, $value, $desc, $colname)
 // If Save was clicked, save the info.
 //
 if ($_POST['bn_save']) {
-    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
-        csrfNotVerified();
+    if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
+        CsrfUtils::csrfNotVerified();
     }
 
  // If updating an existing form...
@@ -115,7 +117,7 @@ function rbinput($name, $value, $desc, $colname)
 <body <?php echo $top_bg_line;?> topmargin="0" rightmargin="0" leftmargin="2" bottommargin="0" marginwidth="2" marginheight="0">
 <form method="post" action="<?php echo $rootdir ?>/forms/body_composition/new.php?id=<?php echo attr_url($formid) ?>"
  onsubmit="return top.restoreSession()">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 
 <center>
 

contrib/forms/body_composition/view.php

@@ -17,6 +17,8 @@
 require_once("$srcdir/api.inc");
 require_once("$srcdir/forms.inc");
 
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 $scale_file_name = '/tmp/tanita_scale.txt';
 $scale_file_age = -1;
 $row = array();
@@ -52,8 +54,8 @@ function rbinput($name, $value, $desc, $colname)
 // If Save was clicked, save the info.
 //
 if ($_POST['bn_save']) {
-    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
-        csrfNotVerified();
+    if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
+        CsrfUtils::csrfNotVerified();
     }
 
  // If updating an existing form...
@@ -118,7 +120,7 @@ function rbinput($name, $value, $desc, $colname)
 <body <?php echo $top_bg_line; ?> topmargin="0" rightmargin="0" leftmargin="2" bottommargin="0" marginwidth="2" marginheight="0">
 <form method="post" action="<?php echo $rootdir ?>/forms/body_composition/new.php?id=<?php echo attr_url($formid) ?>"
  onsubmit="return top.restoreSession()">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 
 <center>
 

contrib/forms/clinical_notes/new.php

@@ -18,6 +18,8 @@
 require_once("$srcdir/api.inc");
 require_once("$srcdir/forms.inc");
 
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 $row = array();
 
 if (! $encounter) { // comes from globals.php
@@ -79,8 +81,8 @@ function cbcell($name, $desc, $colname)
 //
 if ($_POST['bn_save']) {
     $fu_timing = $_POST['fu_timing'];
-    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
-        csrfNotVerified();
+    if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
+        CsrfUtils::csrfNotVerified();
     }
 
  // If updating an existing form...
@@ -127,7 +129,7 @@ function cbcell($name, $desc, $colname)
  bottommargin="0" marginwidth="2" marginheight="0">
 <form method="post" action="<?php echo $rootdir ?>/forms/clinical_notes/new.php?id=<?php echo attr_url($formid) ?>"
  onsubmit="return top.restoreSession()">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 
 <center>
 

contrib/forms/clinical_notes/view.php

@@ -18,6 +18,8 @@
 require_once("$srcdir/api.inc");
 require_once("$srcdir/forms.inc");
 
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 $row = array();
 
 if (! $encounter) { // comes from globals.php
@@ -79,8 +81,8 @@ function cbcell($name, $desc, $colname)
 //
 if ($_POST['bn_save']) {
     $fu_timing = $_POST['fu_timing'];
-    if (!verifyCsrfToken($_POST["csrf_token_form"])) {
-        csrfNotVerified();
+    if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
+        CsrfUtils::csrfNotVerified();
     }
 
  // If updating an existing form...
@@ -126,7 +128,7 @@ function cbcell($name, $desc, $colname)
  bottommargin="0" marginwidth="2" marginheight="0">
 <form method="post" action="<?php echo $rootdir ?>/forms/clinical_notes/new.php?id=<?php echo attr_url($formid); ?>"
  onsubmit="return top.restoreSession()">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 
 <center>
 

contrib/forms/contacts/new.php

@@ -23,14 +23,17 @@
 <?php
 require_once("../../globals.php");
 require_once("$srcdir/api.inc");
+
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 formHeader("Form: contacts");
 ?>
 <html><head>
 <link rel=stylesheet href="<?php echo $css_header;?>" type="text/css">
 </head>
 <body <?php echo $top_bg_line;?> topmargin=0 rightmargin=0 leftmargin=2 bottommargin=0 marginwidth=2 marginheight=0>
 <form method=post action="<?php echo $rootdir;?>/forms/contacts/save.php?mode=new" name="my_form">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 <span class="title">Contacts</span><br><br>
 <table>
 <tr>

contrib/forms/contacts/save.php

@@ -18,8 +18,10 @@
 require_once("$srcdir/api.inc");
 require_once("$srcdir/forms.inc");
 
-if (!verifyCsrfToken($_POST["csrf_token_form"])) {
-    csrfNotVerified();
+use OpenEMR\Common\Csrf\CsrfUtils;
+
+if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
+    CsrfUtils::csrfNotVerified();
 }
 
 if ($encounter == "") {

contrib/forms/contacts/view.php

@@ -22,6 +22,9 @@
 <!-- Forms generated from formsWiz -->
 <?php
 require_once("../../globals.php");
+
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 ?>
 <html><head>
 <link rel=stylesheet href="<?php echo $css_header;?>" type="text/css">
@@ -32,7 +35,7 @@
 $obj = formFetch("form_contacts", $_GET["id"]);
 ?>
 <form method=post action="<?php echo $rootdir?>/forms/contacts/save.php?mode=update&id=<?php echo attr_url($_GET["id"]); ?>" name="my_form">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 <span class="title">Contacts</span><Br><br>
 <table>
 <tr>

contrib/forms/evaluation/C_FormEvaluation.class.php

@@ -15,6 +15,7 @@
 require_once("FormEvaluation.class.php");
 
 use OpenEMR\Billing\BillingUtilities;
+use OpenEMR\Common\Csrf\CsrfUtils;
 
 class C_FormEvaluation extends Controller
 {
@@ -29,7 +30,7 @@ function __construct($template_mod = "general")
         $this->assign("FORM_ACTION", $GLOBALS['web_root']);
         $this->assign("DONT_SAVE_LINK", $GLOBALS['form_exit_url']);
         $this->assign("STYLE", $GLOBALS['style']);
-        $this->assign("CSRF_TOKEN_FORM", collectCsrfToken());
+        $this->assign("CSRF_TOKEN_FORM", CsrfUtils::collectCsrfToken());
     }
 
     function default_action()

contrib/forms/evaluation/save.php

@@ -13,8 +13,10 @@
 require_once("$srcdir/api.inc");
 require("C_FormEvaluation.class.php");
 
-if (!verifyCsrfToken($_POST["csrf_token_form"])) {
-    csrfNotVerified();
+use OpenEMR\Common\Csrf\CsrfUtils;
+
+if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
+    CsrfUtils::csrfNotVerified();
 }
 
 $c = new C_FormEvaluation();

contrib/forms/example2/new.php

@@ -13,6 +13,8 @@
 require_once("../../globals.php");
 require_once("$srcdir/api.inc");
 
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 /** CHANGE THIS name to the name of your form **/
 $form_name = "My Example Form";
 
@@ -43,7 +45,7 @@
 <?php echo date("F d, Y", time()); ?>
 
 <form method=post action="<?php echo $rootdir;?>/forms/<?php echo $form_folder; ?>/save.php?mode=new" name="my_form">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 
 <span class="title"><?php echo xlt($form_name); ?></span><br>
 

contrib/forms/example2/print.php

@@ -15,6 +15,8 @@
 require_once("../../globals.php");
 require_once("$srcdir/api.inc");
 
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 /** CHANGE THIS - name of the database table associated with this form **/
 $table_name = "form_example";
 
@@ -64,7 +66,7 @@
 Printed on <?php echo date("F d, Y", time()); ?>
 
 <form method=post action="">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 
 <span class="title"><?php echo xlt($form_name); ?></span><br>
 

contrib/forms/example2/save.php

@@ -17,8 +17,10 @@
 require_once("$srcdir/api.inc");
 require_once("$srcdir/forms.inc");
 
-if (!verifyCsrfToken($_POST["csrf_token_form"])) {
-    csrfNotVerified();
+use OpenEMR\Common\Csrf\CsrfUtils;
+
+if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
+    CsrfUtils::csrfNotVerified();
 }
 
 /** CHANGE THIS - name of the database table associated with this form **/

contrib/forms/example2/view.php

@@ -14,6 +14,8 @@
 require_once("../../globals.php");
 require_once("$srcdir/api.inc");
 
+use OpenEMR\Common\Csrf\CsrfUtils;
+
 /** CHANGE THIS - name of the database table associated with this form **/
 $table_name = "form_example";
 
@@ -71,7 +73,7 @@ function PrintForm() {
 <?php echo date("F d, Y", time()); ?>
 
 <form method=post action="<?php echo $rootdir;?>/forms/<?php echo $form_folder; ?>/save.php?mode=update&id=<?php echo attr_url($_GET["id"]);?>" name="my_form">
-<input type="hidden" name="csrf_token_form" value="<?php echo attr(collectCsrfToken()); ?>" />
+<input type="hidden" name="csrf_token_form" value="<?php echo attr(CsrfUtils::collectCsrfToken()); ?>" />
 
 <span class="title"><?php echo xlt($form_name); ?></span><br>