authorfwenzel@mozilla.com <fwenzel@mozilla.com@4eb1ac78-321c-0410-a911-ec516a8615a5>2008-05-24 10:05:14 (GMT)
committer fwenzel@mozilla.com <fwenzel@mozilla.com@4eb1ac78-321c-0410-a911-ec516a8615a5>2008-05-24 10:05:14 (GMT)
commit2029aaa764b89d293ab9e99992af87476b2ee010 (patch)
tree31d6df57a814b26161a5dcc738401ea09462e2fe /site/app/app_controller.php
parentaf41469323bba642b6b2ef6be138e14daf691e7b (diff)
code cosmetics: removing tab characters, indenting and line-breaking correctly, etc, etc
git-svn-id: http://svn.mozilla.org/addons/trunk@13643 4eb1ac78-321c-0410-a911-ec516a8615a5
Diffstat (limited to 'site/app/app_controller.php')
-rw-r--r--site/app/app_controller.php61
1 files changed, 32 insertions, 29 deletions
diff --git a/site/app/app_controller.php b/site/app/app_controller.php
index 8680e9e..5ab8531 100644
--- a/site/app/app_controller.php
+++ b/site/app/app_controller.php
@@ -204,45 +204,48 @@ class AppController extends Controller
}
/**
- * checks to make sure POSTed data has a hidden field sessionCheck as defined in:
+ * checks to make sure POSTed data has a hidden field sessionCheck as
+ * defined in:
*
- * @see AddonsHtmlHelper::hiddenSession
+ * @see AddonsHtmlHelper::hiddenSession
*
- * this is used to guard against cross-site request forgeries. We don't rely on cake stuff as
- * this had been causing session issues.
- *
- * This method should be added to any new controller whose $beforeFilter overrides the default one above to ensure
- * CSRF detection is done.
+ * this is used to guard against cross-site request forgeries. We don't
+ * rely on cake stuff as this had been causing session issues.
+ *
+ * This method should be added to any new controller whose $beforeFilter
+ * overrides the default one above to ensure CSRF detection is done.
*
- * For posted data where a session is not yet established use the array $exceptionCSRF to explicitly create an array of allowed
- * URLs which you do not want checkCSRF to apply to.
+ * For posted data where a session is not yet established use the
+ * array $exceptionCSRF to explicitly create an array of allowed
+ * URLs which you do not want checkCSRF to apply to.
*/
function checkCSRF() {
- $noexception = true;
- if(isset($this->exceptionCSRF)) {
+ if ($_SERVER['REQUEST_METHOD'] != 'POST') return;
+
+ if (isset($this->exceptionCSRF)) {
foreach ($this->exceptionCSRF as $exception) {
- if(stristr($_SERVER['REQUEST_URI'], $exception)) {
- $noexception = false;
- }
+ if (stristr($_SERVER['REQUEST_URI'], $exception))
+ return;
}
}
- if($_SERVER['REQUEST_METHOD'] == 'POST' && $noexception) {
- $sessionuser = $this->Session->read('User');
- $id = htmlentities($sessionuser['id']);
-
- $current_epoch = (int)(time()/CAKE_SESSION_TIMEOUT);
- $previous_epoch = $current_epoch - 1; // this is to mitigate against where a session starts at an epoch boundary
-
- $currentMd5 = md5(session_id().$id.$current_epoch);
- $previousMd5 = md5(session_id().$id.$previous_epoch);
-
- if(!isset($_POST['sessionCheck']) || ($_POST['sessionCheck'] != $currentMd5 && $_POST['sessionCheck'] != $previousMd5)) {
- $this->flash( _('error_formerrors'), '/' , 3); //error string is a little non-informative
- exit();
- }
+ $sessionuser = $this->Session->read('User');
+ $id = htmlentities($sessionuser['id']);
+
+ $current_epoch = (int)(time()/CAKE_SESSION_TIMEOUT);
+ // this is to mitigate against where a session starts at an epoch boundary:
+ $previous_epoch = $current_epoch - 1;
+
+ $currentMd5 = md5(session_id().$id.$current_epoch);
+ $previousMd5 = md5(session_id().$id.$previous_epoch);
+
+ if (!isset($_POST['sessionCheck']) ||
+ ($_POST['sessionCheck'] != $currentMd5 && $_POST['sessionCheck'] != $previousMd5)) {
+
+ $this->flash( _('error_formerrors'), '/' , 3); //error string is a little non-informative
+ exit();
}
}
-
+
/**
* get $this->base with locale included
*/