diff --git a/csrf-magic.js b/csrf-magic.js index cb88b2a..7cacd6d 100644 --- a/csrf-magic.js +++ b/csrf-magic.js @@ -42,11 +42,11 @@ CsrfMagic.prototype = { prepend = csrfMagicName + '=' + csrfMagicToken + '&'; delete this.csrf_isPost; - if (typeof data == object) { + if (typeof data == 'object') { prepend = data; prepend[csrfMagicName] = csrfMagicToken; } else { - prepend = csrfMagicName + '=' + csrfMagictoken; + prepend = csrfMagicName + '=' + csrfMagicToken; if (data) prepend = prepend + '&' + data; } return this.csrf_send(prepend); diff --git a/csrf-magic.php b/csrf-magic.php index 3df5d3f..84d6db9 100644 --- a/csrf-magic.php +++ b/csrf-magic.php @@ -60,7 +60,8 @@ function csrf_ob_handler($buffer, $flags) { } } - csrf_log(__FUNCTION__,'returns: ' . var_export($buffer, true)); + csrf_log(__FUNCTION__, 'returns: ' . var_export($buffer, true)); + return $buffer; } @@ -80,12 +81,17 @@ function csrf_check($fatal = true) { $tokens = ''; csrf_log(__FUNCTION__, "csrf magic $name was $result"); + if ($result) { // we don't regenerate a token and check it because some token creation // schemes are volatile. $tokens = $_POST[$name]; $result = csrf_check_tokens($tokens); - csrf_log(__FUNCTION__,"check_tokens($name, $tokens) returned $result"); + if (is_array($tokens)) { + $tokens = implode(';', $tokens); + } + + csrf_log(__FUNCTION__, "check_tokens($name, $tokens) returned $result"); } if ($fatal && !$result) { @@ -101,7 +107,8 @@ function csrf_check($fatal = true) { } } - csrf_log(__FUNCTION__,'returns: ' . var_export($result, true)); + csrf_log(__FUNCTION__, 'returns: ' . var_export($result, true)); + return $result; } @@ -147,7 +154,8 @@ function csrf_get_tokens() { $token = 'invalid'; } - csrf_log(__FUNCTION__,'returns: ' . var_export($token, true)); + csrf_log(__FUNCTION__, 'returns: ' . var_export($token, true)); + return $token; } 
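Review bot: The corrected `typeof data == 'object'` still routes a `null` argument into the object branch, because `typeof null` is `'object'`, and the following `prepend[csrfMagicName] = csrfMagicToken` then throws a TypeError, whereas the string branch would have handled `null` through its `if (data)` guard. A null-safe strict check, `if (data !== null && typeof data === 'object') {`, keeps the fix and closes that gap. That branch also writes the token into the caller's own object rather than a copy, so the mutation is visible to the caller; if that is unintended, `prepend = Object.assign({}, data);` before the assignment would isolate it. The enclosing method on `CsrfMagic.prototype` starts before the hunk, so whether `data` can be null at its call sites is not visible here.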
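Review bot: In the csrf_check hunk the new `is_array`/`implode` only normalises `$tokens` for the log line; the raw `$_POST[$name]` value is still handed to `csrf_check_tokens` before that check, so if that function does not itself accept an array the notice has merely moved rather than been fixed. The interpolated log message also writes client-controlled input verbatim, which allows newline and control-character injection into the log; emitting it through the same `var_export($tokens, true)` form used for the `returns:` lines, and capping its length, would neutralise that. `csrf_check_tokens` is outside this hunk, so whether it tolerates an array cannot be confirmed here.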
@@ -156,7 +164,9 @@ function csrf_flattenpost($data) { foreach($data as $n => $v) { $ret = array_merge($ret, csrf_flattenpost2(1, $n, $v)); } - csrf_log(__FUNCTION__,'returns: ' . var_export($ret, true)); + + csrf_log(__FUNCTION__, 'returns: ' . var_export($ret, true)); + return $ret; } @@ -170,7 +180,9 @@ function csrf_flattenpost2($level, $key, $data) { $ret = array_merge($ret, csrf_flattenpost2($level+1, $nk, $v)); } } - csrf_log(__FUNCTION__,'returns: ' . var_export($ret, true)); + + csrf_log(__FUNCTION__, 'returns: ' . var_export($ret, true)); + return $ret; } @@ -220,7 +232,8 @@ function csrf_check_tokens($tokens) { } } - csrf_log(__FUNCTION__,'returns: ' . var_export($valid_token, true)); + csrf_log(__FUNCTION__, 'returns: ' . var_export($valid_token, true)); + return $valid_token; } @@ -240,7 +253,8 @@ function csrf_check_token($token) { $expiry_time = time(); $expiry_csrf = $time + $GLOBALS['csrf']['expires']; $check_token = ($expiry_time < $expiry_csrf); - csrf_log(__FUNCTION__,"expiry $check_token = $expiry_time < $expiry_csrf"); + + csrf_log(__FUNCTION__, "expiry $check_token = $expiry_time < $expiry_csrf"); } if ($check_token) { @@ -289,7 +303,8 @@ function csrf_check_token($token) { } } - csrf_log(__FUNCTION__,'returns: ' . var_export($valid_token, true)); + csrf_log(__FUNCTION__, 'returns: ' . var_export($valid_token, true)); + return $valid_token; } @@ -311,6 +326,8 @@ function csrf_conf($key, $val) { * Starts a session if we're allowed to. */ function csrf_start() { + global $config; + if ($GLOBALS['csrf']['auto-session'] && !session_id()) { session_start(); } @@ -357,7 +374,9 @@ function csrf_get_secret() { } $GLOBALS['csrf']['secret'] = $secret; - csrf_log(__FUNCTION__,'returns: ' . var_export($secret, true)); + + csrf_log(__FUNCTION__, 'returns: ' . var_export($secret, true)); + return $secret; } 
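Review bot: In the csrf_start hunk the added `global $config;` is neither read nor written by any line visible in the hunk; the function keeps using `$GLOBALS['csrf']` for its own settings. If the remainder of csrf_start, which runs past the hunk, does not use `$config`, the line is dead and should be dropped; if it does, a comment such as `// application-wide $config is consulted below` would record why this function alone reaches into a host-application global. Binding an application-wide variable inside library code also couples this file to the host's variable naming, which is worth stating in the function's docblock.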
@@ -372,7 +391,9 @@ function csrf_generate_secret($len = 32) { $r .= time() . microtime(); $secret = csrf_internal_hash('',$r); - csrf_log(__FUNCTION__,'returns: ' . var_export($secret, true)); + + csrf_log(__FUNCTION__, 'returns: ' . var_export($secret, true)); + return $secret; } @@ -402,7 +423,8 @@ function csrf_hash($value, $time = null) { $secret = csrf_get_secret(); $result = csrf_internal_hash($secret, csrf_internal_hash($secret, $time . ':' . $value)) . ',' . $time; - csrf_log(__FUNCTION__,'returns: ' . var_export($result, true)); + csrf_log(__FUNCTION__, 'returns: ' . var_export($result, true)); + return $result; } @@ -430,10 +452,10 @@ function csrf_get_client_addr() { foreach ($header_ips as $header_ip) { if (!empty($header_ip)) { if (!filter_var($header_ip, FILTER_VALIDATE_IP)) { - csrf_log(__FUNCTIOJN__,'ERROR: Invalid remote client IP Address found in header (' . $header . ').'); + csrf_log(__FUNCTION__, 'ERROR: Invalid remote client IP Address found in header (' . $header . ').'); } else { $client_addr = $header_ip; - csrf_log(__FUNCTION__,'DEBUG: Using remote client IP Address found in header (' . $header . '): ' . $client_addr . ' (' . $_SERVER[$header] . ')'); + csrf_log(__FUNCTION__, 'DEBUG: Using remote client IP Address found in header (' . $header . '): ' . $client_addr . ' (' . $_SERVER[$header] . ')'); break; } } @@ -441,7 +463,8 @@ function csrf_get_client_addr() { } } - csrf_log(__FUNCTION__,'returns: ' . var_export($client_addr, true)); + csrf_log(__FUNCTION__, 'returns: ' . var_export($client_addr, true)); + return $client_addr; } @@ -492,6 +515,7 @@ function csrf_log($name, $text) { } } } + function csrf_caller() { static $caller = ''; @@ -502,6 +526,7 @@ function csrf_caller() { $caller = $_SERVER['SCRIPT_NAME']; } } + return $caller; } diff --git a/test.php b/test.php index 3e5f461..168b488 100644 --- a/test.php +++ b/test.php @@ -1,4 +1,4 @@ -
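Review bot: In the first csrf_get_client_addr hunk, the corrected `__FUNCTION__` call removes the undefined-constant error, but the DEBUG line on the new side still interpolates `$_SERVER[$header]` — a client-supplied request header — verbatim into the log, so newlines or control characters in that header reach the log unescaped. Wrapping it as `var_export($_SERVER[$header], true)`, as the `returns:` lines already do, keeps the value readable and neutralises that. The surrounding loop and the source of `$header_ips` lie outside the hunk, so whether the header list is restricted to trusted proxies is not visible here.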