
Commit

* Enable CSRF protection by default.
vimrus committed Aug 10, 2021
1 parent c4b9c9e commit cb40696
Showing 2 changed files with 3 additions and 2 deletions.
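--- a/config/config.php
+++ b/config/config.php
@@ -109,7 +109,7 @@
 $config->framework->logDays = 14; // 日志文件保存的天数。 The days to save log files.
 $config->framework->autoRepairTable = true;
 $config->framework->autoLang = false;
-$config->framework->filterCSRF = false;
+$config->framework->filterCSRF = true;
 $config->framework->setCookieSecure = true;
 $config->framework->sendXCTO = true; // Send X-Content-Type-Options header.
 $config->framework->sendXXP = true; // Send X-XSS-Protection header.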
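Review bot: The flipped default on the filterCSRF line carries no explanation of what it gates, while the neighbouring sendXCTO and sendXXP settings each have one, and a default that now drops request data for non-matching origins is exactly the setting an operator will need to understand. Judging from the router change in the same commit it presumably controls the Referer-based check that empties $_POST and $_FILES; confirm that and document it, e.g. `$config->framework->filterCSRF = true; // Discard POST data and uploads whose Referer does not match this host (CSRF mitigation).` A short note that API-mode requests are exempt would also save a support ticket.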
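--- a/framework/base/router.class.php
+++ b/framework/base/router.class.php
@@ -610,7 +610,8 @@ public function setSuperVars()
 {
 $httpType = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == 'on') ? 'https' : 'http';
 $httpHost = $_SERVER['HTTP_HOST'];
-if((!defined('RUN_MODE') or RUN_MODE != 'api') and strpos($this->server->http_referer, "$httpType://$httpHost") !== 0) $_FILES = $_POST = array();
+$isAPI = (defined('RUN_MODE') && RUN_MODE == 'api') || isset($_GET[$this->config->sessionVar]);
+if(!$isAPI && strpos($this->server->http_referer, "$httpType://$httpHost") !== 0) $_FILES = $_POST = array();
 }
 
 $_FILES = validater::filterFiles();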
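Review bot: The new `$isAPI` expression on the first added line treats the mere presence of the `$this->config->sessionVar` key in the query string as proof of an API call, so the Referer check on the next line is skipped for any request that carries that parameter with an arbitrary value, which weakens the protection this commit is enabling by default. The exemption should require the supplied value to match the active session (compared with `hash_equals()`), or API mode should be recognised from `RUN_MODE` alone; the `RUN_MODE == 'api'` comparison should also be `===`. Separately, the scheme derived from `$_SERVER["HTTPS"]` will be `http` behind a TLS-terminating proxy while browsers send an `https://` Referer, so enabling the check by default may empty every POST in such deployments; that is pre-existing but worth a comment now that the default changed. setSuperVars continues past the end of the hunk.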

0 comments on commit cb40696
