Commit ea9b53f9 authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(mvc) csrf protection, not very likely to hit in normal situations, but when...

(mvc) csrf protection: not very likely to hit in normal situations, but when using legacy-free applications there might not be a CSRF token, leading to a denial of all requests.

(cherry picked from commit 29e3bb3e)
parent 8ec53e30
...@@ -197,6 +197,11 @@ class ControllerBase extends ControllerRoot ...@@ -197,6 +197,11 @@ class ControllerBase extends ControllerRoot
// include csrf for volt view rendering. // include csrf for volt view rendering.
$csrf_token = $this->session->get('$PHALCON/CSRF$'); $csrf_token = $this->session->get('$PHALCON/CSRF$');
$csrf_tokenKey = $this->session->get('$PHALCON/CSRF/KEY$'); $csrf_tokenKey = $this->session->get('$PHALCON/CSRF/KEY$');
if (empty($csrf_token) || empty($csrf_tokenKey)) {
// when there's no token in our session, request a new one
$csrf_token = $this->security->getToken();
$csrf_tokenKey = $this->security->getTokenKey();
}
$this->view->setVars(['csrf_tokenKey' => $csrf_tokenKey,'csrf_token' => $csrf_token]); $this->view->setVars(['csrf_tokenKey' => $csrf_tokenKey,'csrf_token' => $csrf_token]);
// link menu system to view, append /ui in uri because of rewrite // link menu system to view, append /ui in uri because of rewrite
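Review bot: The new guard uses `empty()` on the two session values, which also treats the literal string `'0'` as a missing token; the intent here is only "not present in the session", which `if ($csrf_token === null || $csrf_tokenKey === null) {` states precisely (assuming `session->get()` returns null for an absent key, which I cannot confirm from this page). The regenerated pair is only pushed into the view; whether the code that later validates a posted token reads the same session keys is outside this hunk, so that consistency should be checked on the validating side. A short comment above the guard would help the next reader, e.g. `// Fallback for sessions that never went through a token-issuing page (e.g. legacy-free setups): without a token here every request would be rejected.` The hunk's trailing context lines are collapsed on this page, so the end of the enclosing method is not visible.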