Главная Обзор Помощь
Вход
Apq
/
maccms10
зеркало из https://github.com/magicblack/maccms10.git
1
0
Ответвить 0
Файлы Задачи 0 Вики
Ветка: master
Ветки Метки
maccms10
/
application
/
common
/
util
/
UeditorAiCsrf.php

UeditorAiCsrf.php 2.2 KB
Постоянная ссылка История Исходник

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 
  1. <?php
    2. 

  2. namespace app\common\util;
    3. 

  3. 

  4. /**
    5. 

  5.  * Session CSRF for UEditor AI proxy (same idea as addons\aicontent\Aicontent::generateCsrfToken).
    6. 

  6.  */
    7. 

  7. class UeditorAiCsrf
    8. 

  8. {
    9. 

  9.     private const SESSION_KEY = 'ueditor_ai_csrf_token';
    10. 

  10. 

  11.     public static function token(): string
    12. 

  12.     {
    13. 

  13.         $t = session(self::SESSION_KEY);
    14. 

  14.         if ($t === null || $t === '') {
    15. 

  15.             $t = bin2hex(random_bytes(16));
    16. 

  16.             session(self::SESSION_KEY, $t);
    17. 

  17.         }
    18. 

  18. 

  19.         $t = (string) $t;
    20. 

  20.         /* 对话框与内容页不同 window 时 Cookie + 服务端比对;HTTPS 下需 Secure 否则部分浏览器不发送 */
    21. 

  21.         if (!headers_sent()) {
    22. 

  22.             $secure = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    23. 

  23.                 || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);
    24. 

  24.             if (\PHP_VERSION_ID >= 70300) {
    25. 

  25.                 setcookie('ueditor_ai_csrf', $t, [
    26. 

  26.                     'expires'  => time() + 7200,
    27. 

  27.                     'path'     => '/',
    28. 

  28.                     'secure'   => $secure,
    29. 

  29.                     'httponly' => false,
    30. 

  30.                     'samesite' => 'Lax',
    31. 

  31.                 ]);
    32. 

  32.             } else {
    33. 

  33.                 setcookie('ueditor_ai_csrf', $t, time() + 7200, '/', '', $secure, false);
    34. 

  34.             }
    35. 

  35.         }
    36. 

  36. 

  37.         return $t;
    38. 

  38.     }
    39. 

  39. 

  40.     /**
    41. 

  41.      * 同时接受 JSON 内 _csrf_token 与 Cookie ueditor_ai_csrf(任一与 session 一致即通过),避免 body 陈旧而 Cookie 已刷新。
    42. 

  42.      */
    43. 

  43.     public static function validate($submitted): bool
    44. 

  44.     {
    45. 

  45.         $expected = session(self::SESSION_KEY);
    46. 

  46.         if ($expected === null || $expected === '') {
    47. 

  47.             return false;
    48. 

  48.         }
    49. 

  49.         $expected = (string) $expected;
    50. 

  50.         $fromBody = is_string($submitted) ? $submitted : '';
    51. 

  51.         $fromCookie = (!empty($_COOKIE['ueditor_ai_csrf']) && is_string($_COOKIE['ueditor_ai_csrf']))
    52. 

  52.             ? (string) $_COOKIE['ueditor_ai_csrf']
    53. 

  53.             : '';
    54. 

  54.         foreach ([$fromBody, $fromCookie] as $cand) {
    55. 

  55.             if ($cand === '') {
    56. 

  56.                 continue;
    57. 

  57.             }
    58. 

  58.             if (strlen($expected) === strlen($cand) && hash_equals($expected, $cand)) {
    59. 

  59.                 return true;
    60. 

  60.             }
    61. 

  61.         }
    62. 

  62. 

  63.         return false;
    64. 

  64.     }
    65. 

  65. }
    66.