From 18d8aadf6dd379635f4acfb867044e1defa4354c Mon Sep 17 00:00:00 2001
From: Mojtaba
Date: Sat, 2 Oct 2021 23:00:59 +0200
Subject: [PATCH] Force global secure request has been activated. CSRF-Token on all forms has been implemented.
---
 nodcms-core/Config/App.php | 12 ++++++------
 nodcms-core/Config/Filters.php | 2 +-
 nodcms-core/Libraries/Form.php | 15 +++++++++++++++
 3 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/nodcms-core/Config/App.php b/nodcms-core/Config/App.php
index 578ac1b2..2f21ab9f 100644
--- a/nodcms-core/Config/App.php
+++ b/nodcms-core/Config/App.php
@@ -124,7 +124,7 @@ class App extends BaseConfig
 | secure, the user will be redirected to a secure version of the page
 | and the HTTP Strict Transport Security header will be set.
 */
-public $forceGlobalSecureRequests = false;
+public $forceGlobalSecureRequests = true;
 /*
 |--------------------------------------------------------------------------
@@ -182,7 +182,7 @@ class App extends BaseConfig
 |
 */
 public $sessionDriver = 'CodeIgniter\Session\Handlers\FileHandler';
-public $sessionCookieName = 'ci_session';
+public $sessionCookieName = 'sc';
 public $sessionExpiration = 7200;
 public $sessionSavePath = WRITEPATH . 'session';
 public $sessionMatchIP = false;
@@ -204,7 +204,7 @@ class App extends BaseConfig
 | 'cookie_httponly') will also affect sessions.
 |
 */
-public $cookiePrefix = '';
+public $cookiePrefix = 'nodcms_';
 public $cookieDomain = '';
 public $cookiePath = '/';
 public $cookieSecure = false;
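Review bot: `$cookieSecure` stays `false` (visible as context in the `@@ -204` hunk of this file) while this hunk switches `$forceGlobalSecureRequests` to `true`, so the session cookie and the CSRF cookie are still issued without the Secure attribute and a browser will send them on a plain-http request before the redirect to https happens. Since every request is now meant to arrive over TLS, the matching change is `public $cookieSecure = true;`. The HSTS header mentioned in the comment above only protects returning visitors, not the very first request. The cookie renames in the `@@ -182` and `@@ -204` hunks do not change this.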
@@ -243,11 +243,11 @@ class App extends BaseConfig
 | CSRFRegenerate = Regenerate token on every submission
 | CSRFRedirect = Redirect to previous page with error on failure
 */
-public $CSRFTokenName = 'csrf_test_name';
+public $CSRFTokenName = 'securekey';
 public $CSRFHeaderName = 'X-CSRF-TOKEN';
-public $CSRFCookieName = 'csrf_cookie_name';
+public $CSRFCookieName = 'securetoken';
 public $CSRFExpire = 7200;
-public $CSRFRegenerate = true;
+public $CSRFRegenerate = false;
 public $CSRFRedirect = true;
 /*
diff --git a/nodcms-core/Config/Filters.php b/nodcms-core/Config/Filters.php
index 52ce3d4e..997a331a 100644
--- a/nodcms-core/Config/Filters.php
+++ b/nodcms-core/Config/Filters.php
@@ -20,7 +20,7 @@ class Filters extends BaseConfig
 'before' => [
 'installedVerification',
 //'honeypot'
-// 'csrf',
+'csrf',
 ],
 'after' => [
 'toolbar',
diff --git a/nodcms-core/Libraries/Form.php b/nodcms-core/Libraries/Form.php
index d1102267..91ffd4ab 100644
--- a/nodcms-core/Libraries/Form.php
+++ b/nodcms-core/Libraries/Form.php
@@ -129,6 +129,15 @@ function __construct($CI)
 function config($inputs, $action = '', $method = 'post', $type = 'ajax', $notes = array())
 {
+// Add CSRF token on SSL Protocol requests
+if(SSL_PROTOCOL) {
+$inputs[] = [
+'field'=>csrf_token(),
+'type'=>"hidden",
+'default'=>csrf_hash(),
+'rules'=>"",
+];
+}
 $this->data['inputs'] = $inputs;
 $this->data['action'] = $action;
 $this->data['back_url'] = $action;
@@ -303,6 +312,12 @@ function getPost($url = null)
 if($url != null)
 $this->data['back_url'] = $url;
+if(boolval(SSL_PROTOCOL) != Services::request()->isSecure()) {
+$response = Services::quickResponse();
+$this->errorResponse = $response->getError("Data post was not secure!", $this->data['back_url']);
+return false;
+}
+
 // Check form validation
 $validation->setRules(array_combine(array_column($config, 'field'), $config));
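Review bot: `$CSRFRegenerate = false` leaves a single token valid for the whole `$CSRFExpire` window (7200 s) instead of rotating it on every submission, and neither the hunk nor the commit message says why; a token that leaks from a cached page or a request log stays usable until it expires. If the reason is that ajax forms or several open tabs reuse the token rendered with the page, record that next to the setting, e.g. `// Regeneration disabled: ajax/multi-tab forms reuse the token rendered with the page; it stays valid for CSRFExpire`. Otherwise keep regeneration on and have the form refresh the hash from the response.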
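Review bot: Enabling `'csrf'` as a global before-filter here is unconditional, but the hidden token field is only emitted by `Form::config` in the `@@ -129` hunk of Libraries/Form.php when `SSL_PROTOCOL` is truthy, so on a deployment where that constant is false every form post is rejected by the filter. CSRF protection does not depend on the transport; the field should be appended without the `if(SSL_PROTOCOL)` guard. Any route that receives posts from outside the site's own forms (API or webhook endpoints, if the project has them) also now needs an explicit exclusion from the filter, which this change does not add.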
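Review bot: The new check in `getPost` rejects a post whenever `boolval(SSL_PROTOCOL)` disagrees with `Services::request()->isSecure()`, and `isSecure()` reflects only what PHP sees for the current request; behind a TLS-terminating proxy that forwards plain HTTP without a scheme header, the backend reports insecure and every form post fails with the generic "Data post was not secure!" message. Logging the two values on the failure path makes such a misconfiguration diagnosable, e.g. `log_message('error', 'SSL_PROTOCOL/isSecure mismatch on ' . $this->data['back_url']);`, and `!==` is the right operator since both sides are booleans. With `$forceGlobalSecureRequests` now true an insecure request should already have been redirected before reaching this code, so this check is only a guard against that redirect being bypassed. `getPost` starts before this hunk and continues past it.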