From 8ca6cc32b2c789a3149861159ad258f2cb9491e3 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 28 Apr 2024 14:39:39 +0200
Subject: Adding upstream version 2.11.4.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../Icinga/Web/Form/Element/CsrfCounterMeasure.php | 99 ++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 library/Icinga/Web/Form/Element/CsrfCounterMeasure.php

(limited to 'library/Icinga/Web/Form/Element/CsrfCounterMeasure.php')

diff --git a/library/Icinga/Web/Form/Element/CsrfCounterMeasure.php b/library/Icinga/Web/Form/Element/CsrfCounterMeasure.php
new file mode 100644
index 0000000..c59e1f9
--- /dev/null
+++ b/library/Icinga/Web/Form/Element/CsrfCounterMeasure.php
@@ -0,0 +1,99 @@
+<?php
+/* Icinga Web 2 | (c) 2014 Icinga Development Team | GPLv2+ */
+
+namespace Icinga\Web\Form\Element;
+
+use Icinga\Web\Session;
+use Icinga\Web\Form\FormElement;
+use Icinga\Web\Form\InvalidCSRFTokenException;
+
+/**
+ * CSRF counter measure element
+ *
+ * You must not set a value to successfully use this element, just give it a name and you're good to go.
+ */
+class CsrfCounterMeasure extends FormElement
+{
+    /**
+     * Default form view helper to use for rendering
+     *
+     * @var string
+     */
+    public $helper = 'formHidden';
+
+    /**
+     * Counter measure element is required
+     *
+     * @var bool
+     */
+    protected $_ignore = true;
+
+    /**
+     * Ignore element when retrieving values at form level
+     *
+     * @var bool
+     */
+    protected $_required = true;
+
+    /**
+     * Initialize this form element
+     */
+    public function init()
+    {
+        $this->setDecorators(['ViewHelper']);
+        $this->setValue($this->generateCsrfToken());
+    }
+
+    /**
+     * Check whether $value is a valid CSRF token
+     *
+     * @param   string      $value          The value to check
+     * @param   mixed       $context        Context to use
+     *
+     * @return  bool                        True, in case the CSRF token is valid
+     *
+     * @throws  InvalidCSRFTokenException   In case the CSRF token is not valid
+     */
+    public function isValid($value, $context = null)
+    {
+        if (parent::isValid($value, $context) && $this->isValidCsrfToken($value)) {
+            return true;
+        }
+
+        throw new InvalidCSRFTokenException();
+    }
+
+    /**
+     * Check whether the given value is a valid CSRF token for the current session
+     *
+     * @param   string  $token  The CSRF token
+     *
+     * @return  bool
+     */
+    protected function isValidCsrfToken($token)
+    {
+        if (strpos($token, '|') === false) {
+            return false;
+        }
+
+        list($seed, $hash) = explode('|', $token);
+
+        if (false === is_numeric($seed)) {
+            return false;
+        }
+
+        return $hash === hash('sha256', Session::getSession()->getId() . $seed);
+    }
+
+    /**
+     * Generate a new (seed, token) pair
+     *
+     * @return  string
+     */
+    protected function generateCsrfToken()
+    {
+        $seed = mt_rand();
+        $hash = hash('sha256', Session::getSession()->getId() . $seed);
+        return sprintf('%s|%s', $seed, $hash);
+    }
+}
-- 
cgit v1.2.3