fix(csrfmagic) fix bypass csrf multiple end point
Shibe2017 committed Aug 12, 2022
1 parent daca0ac commit d0bf454
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion include/csrfmagic/csrf-magic.php
Expand Up @@ -201,9 +201,15 @@ function csrf_ob_handler($buffer, $flags) {
* @return boolean true if check passes or is not necessary, false if failure.
*/
function csrf_check($fatal = true) {
if (empty($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
global $site_URL;
if (empty($_SERVER['HTTP_REFERER']) && ((empty($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST'))) {
return true;
}

if (!empty($_SERVER['HTTP_REFERER']) && (strpos($_SERVER['HTTP_REFERER'], $site_URL) !== false) && (empty($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST')) {
return true;
}

$valid_ips = explode(',', GlobalVariable::getVariable('Application_CSRF_Valid_IP', '', '', Users::getActiveAdminId()));
if (array_key_exists('HTTP_REFERER', $_SERVER)) {
$rem_ip = gethostbyname(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST));
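Review bot: The new same-site test on the second `if` uses `strpos($_SERVER['HTTP_REFERER'], $site_URL) !== false`, a substring search, so a non-POST request whose Referer belongs to a different origin but merely contains `$site_URL` somewhere in its path or query string is still treated as same-site and skips the token check. Since the rest of `csrf_check` already derives the referer host with `parse_url(..., PHP_URL_HOST)`, the same-origin decision should compare the parsed host of the referer with the parsed host of `$site_URL` instead of searching for a substring (this assumes `$site_URL` is an absolute URL with a scheme, as `parse_url` returns no host for a bare hostname — worth confirming where it is set). A related hazard is that if `$site_URL` is unset or empty when this runs, `strpos` with an empty needle returns 0 on PHP 8 (false plus a warning on older versions), so the branch silently passes every referer; the rewrite below only short-circuits when a site host is actually configured. `csrf_check` continues past the end of this hunk, and the later `$valid_ips` / `gethostbyname` logic is left as is.

```php
function csrf_check($fatal = true) {
    global $site_URL;
    $method  = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if ($method !== 'POST') {
        // No referer on a non-POST request: nothing to check, as before.
        if ($referer === '') {
            return true;
        }
        // Same-origin means same host, not "contains $site_URL somewhere":
        // compare parsed hosts, and only trust the result when a site host is configured.
        $refererHost = parse_url($referer, PHP_URL_HOST);
        $siteHost    = parse_url((string) $site_URL, PHP_URL_HOST);
        if (is_string($siteHost) && $siteHost !== '' && is_string($refererHost)
            && strcasecmp($refererHost, $siteHost) === 0) {
            return true;
        }
    }
    // … unchanged: $valid_ips lookup and referer IP check …
```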
