Commit ab6f522

committedDec 24, 2022
更新:优化csrf规则
1 parent 2aa11c1 commit ab6f522

2 files changed

+55
-37
lines changed


‎app/Middleware/CsrfMiddleware.php

Lines changed: 21 additions & 10 deletions
@@ -1,14 +1,20 @@
11
<?php
22

33
declare(strict_types=1);
4-
4+
/**
5+
* This file is part of zhuchunshu.
6+
* @link https://github.com/zhuchunshu
7+
* @document https://github.com/zhuchunshu/super-forum
8+
* @contact laravel@88.com
9+
* @license https://github.com/zhuchunshu/super-forum/blob/master/LICENSE
10+
*/
511
namespace App\Middleware;
612

713
use Hyperf\Utils\Str;
814
use Psr\Container\ContainerInterface;
915
use Psr\Http\Message\ResponseInterface;
10-
use Psr\Http\Server\MiddlewareInterface;
1116
use Psr\Http\Message\ServerRequestInterface;
17+
use Psr\Http\Server\MiddlewareInterface;
1218
use Psr\Http\Server\RequestHandlerInterface;
1319

1420
class CsrfMiddleware implements MiddlewareInterface
@@ -25,22 +31,27 @@ public function __construct(ContainerInterface $container)
2531

2632
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
2733
{
28-
if(!config("codefec.app.csrf")){
34+
if (! config('codefec.app.csrf')) {
2935
return $handler->handle($request);
3036
}
31-
foreach(Itf()->get("csrf") as $value){
32-
if(Str::is($this->clean_str($value),$this->clean_str(request()->path()))){
37+
foreach (Itf()->get('csrf') as $value) {
38+
if (Str::is($this->clean_str($value), $this->clean_str(request()->path()))) {
3339
return $handler->handle($request);
3440
}
3541
}
36-
if(request()->isMethod("post") && csrf_token() !== request()->input("_token")) {
37-
return admin_abort(["msg" => "会话超时,请刷新后重新提交"],419);
42+
$sha1 = sha1(json_encode([
43+
request()->getHeader('host')[0],
44+
get_client_ip(),
45+
get_user_agent(),
46+
], JSON_THROW_ON_ERROR));
47+
if (request()->isMethod('post') && $sha1 !== request()->input('_token')) {
48+
return admin_abort(['msg' => '会话超时,请刷新后重新提交', 'CSRF_TOKEN_CREATE' => is_string(recsrf_token()) ], 419);
3849
}
3950
return $handler->handle($request);
4051
}
4152

42-
public function clean_str($str): array|string
53+
public function clean_str($str): array | string
4354
{
44-
return str_replace("/","_",$str);
55+
return str_replace('/', '_', $str);
4556
}
46-
}
57+
}
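Review bot: The value the middleware now accepts at `$sha1 !== request()->input('_token')` is `sha1(json_encode([host, client IP, user agent]))`, and every one of those inputs is either public (Host is the target site) or observable by any origin the victim's browser visits, so the token is predictable and no longer ties a form submission to the victim's session; the random `Str::random()` value kept in the session is never consulted in this check. A cross-site page that receives a single request from the victim learns their IP and User-Agent, computes the same SHA-1 and embeds it in a forged POST, which is exactly what this middleware exists to stop. The comparison should be against a per-session random secret (what `csrf_token()` returned before this commit) using `hash_equals()` rather than `!==`, and it should only be computed for POST requests; `request()->getHeader('host')[0]` also raises an undefined-index warning when no Host header is present, and `JSON_THROW_ON_ERROR` turns a non-UTF-8 User-Agent into an uncaught exception rather than a 419. This fix only holds if `csrf_token()` in app/helpers.php is also changed back to storing a random value, since this commit makes it return the same fingerprint; the rest of `process()` is unchanged.
```php
// … unchanged: config check and csrf allow-list loop …
if (request()->isMethod('post')) {
    $supplied = request()->input('_token');
    // csrf_token() must return a per-session random secret, not a request fingerprint
    if (! is_string($supplied) || ! hash_equals((string) csrf_token(), $supplied)) {
        return admin_abort(['msg' => '会话超时,请刷新后重新提交', 'CSRF_TOKEN_CREATE' => is_string(recsrf_token())], 419);
    }
}
return $handler->handle($request);
```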

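--- a/app/helpers.php
+++ b/app/helpers.php
@@ -8,20 +8,30 @@
  * @contact laravel@88.com
  * @license https://github.com/zhuchunshu/super-forum/blob/master/LICENSE
  */
-use App\CodeFec\{Admin\Admin,Itf\Setting\SettingInterface,Menu\MenuInterface,Plugins,View\Beautify_Html};
+use App\CodeFec\Admin\Admin;
+use App\CodeFec\Itf\Setting\SettingInterface;
+use App\CodeFec\Menu\MenuInterface;
+use App\CodeFec\Plugins;
+use App\CodeFec\View\Beautify_Html;
 use App\Model\AdminOption;
 use Hyperf\Context\Context;
-use Hyperf\Contract\{SessionInterface,StdoutLoggerInterface};
+use Hyperf\Contract\SessionInterface;
+use Hyperf\Contract\StdoutLoggerInterface;
 use Hyperf\HttpMessage\Stream\SwooleStream;
-use Hyperf\HttpServer\{Contract\ResponseInterface,Response};
+use Hyperf\HttpServer\Contract\ResponseInterface;
+use Hyperf\HttpServer\Response;
 use Hyperf\Logger\LoggerFactory;
 use Hyperf\Paginator\UrlWindow;
 use Hyperf\Server\ServerFactory;
 use Hyperf\Utils\{ApplicationContext};
 use Hyperf\View\RenderInterface;
-use Illuminate\Support\{Arr,Facades\File,Str};
+use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\File;
+use Illuminate\Support\Str;
 use Overtrue\Http\Client;
-use Psr\{Container\ContainerInterface,EventDispatcher\EventDispatcherInterface,Http\Message\ServerRequestInterface};
+use Psr\Container\ContainerInterface;
+use Psr\EventDispatcher\EventDispatcherInterface;
+use Psr\Http\Message\ServerRequestInterface;
 
 function public_path($path = ''): string
 {
@@ -488,37 +498,34 @@ function de_stringify(string $stringify): array
 if (! function_exists('csrf_token')) {
     function csrf_token()
     {
-        if (! session()->has('csrf_token')) {
-            session()->set('csrf_token', Str::random());
+        if (! session()->has('CSRF_TOKEN')) {
+            session()->set('CSRF_TOKEN', Str::random());
         }
-        if (! cache()->has('csrf_token' . session()->get('csrf_token'))) {
-            cache()->set('csrf_token' . session()->get('csrf_token'), Str::random());
+        if (! cache()->has('CSRF_TOKEN' . session()->get('CSRF_TOKEN'))) {
+            $k = sha1(json_encode([
+                request()->getHeader('host')[0],
+                get_client_ip(),
+                get_user_agent(),
+            ], JSON_THROW_ON_ERROR));
+            cache()->set('CSRF_TOKEN' . session()->get('CSRF_TOKEN'), $k);
         }
-        return cache()->get('csrf_token' . session()->get('csrf_token'));
-    }
-}
-
-if (! function_exists('csrf_token')) {
-    function csrf_token()
-    {
-        if (! session()->has('csrf_token')) {
-            session()->set('csrf_token', Str::random());
-        }
-        if (! cache()->has('csrf_token.' . session()->get('csrf_token'))) {
-            cache()->set('csrf_token.' . session()->get('csrf_token'), Str::random());
-        }
-        return cache()->get('csrf_token.' . session()->get('csrf_token'));
+        return cache()->get('CSRF_TOKEN' . session()->get('CSRF_TOKEN'));
     }
 }
 
 if (! function_exists('recsrf_token')) {
     function recsrf_token()
     {
-        if (! session()->has('csrf_token')) {
-            session()->set('csrf_token', Str::random());
+        if (! session()->has('CSRF_TOKEN')) {
+            session()->set('CSRF_TOKEN', Str::random());
         }
-        cache()->set('csrf_token.' . session()->get('csrf_token'), Str::random());
-        return cache()->get('csrf_token.' . session()->get('csrf_token'));
+        $k = sha1(json_encode([
+            request()->getHeader('host')[0],
+            get_client_ip(),
+            get_user_agent(),
+        ], JSON_THROW_ON_ERROR));
+        cache()->set('CSRF_TOKEN' . session()->get('CSRF_TOKEN'), $k);
+        return cache()->get('CSRF_TOKEN' . session()->get('CSRF_TOKEN'));
     }
 }
 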
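Review bot: `csrf_token()` and `recsrf_token()` now cache `sha1(json_encode([host, ip, ua]))` where they previously cached `Str::random()`, so the token handed to templates contains no secret: the random `CSRF_TOKEN` session value only selects the cache key and never enters the hash, and all three hashed inputs are observable by any origin the user's browser visits. Keep the cached value random — `cache()->set('CSRF_TOKEN' . session()->get('CSRF_TOKEN'), Str::random(40));` in both functions — or, if the intent is to bind the token to the client, fold the session secret in: `sha1(json_encode([session()->get('CSRF_TOKEN'), request()->getHeaderLine('host'), get_client_ip(), get_user_agent()], JSON_THROW_ON_ERROR))`. `request()->getHeader('host')[0]` emits an undefined-index warning on a request without a Host header, whereas `getHeaderLine('host')` returns `''`. Whether `get_client_ip()` trusts forwarded headers is not visible here; if it does, that input is attacker-chosen as well.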