更新:优化csrf规则
zhuchunshu committed Dec 24, 2022
1 parent 2aa11c1 commit ab6f522
Showing 2 changed files with 55 additions and 37 deletions.
31 changes: 21 additions & 10 deletions app/Middleware/CsrfMiddleware.php
@@ -1,14 +1,20 @@
<?php

declare(strict_types=1);

/**
* This file is part of zhuchunshu.
* @link https://github.com/zhuchunshu
* @document https://github.com/zhuchunshu/super-forum
* @contact laravel@88.com
* @license https://github.com/zhuchunshu/super-forum/blob/master/LICENSE
*/
namespace App\Middleware;

use Hyperf\Utils\Str;
use Psr\Container\ContainerInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

class CsrfMiddleware implements MiddlewareInterface
Expand All @@ -25,22 +31,27 @@ public function __construct(ContainerInterface $container)

public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
if(!config("codefec.app.csrf")){
if (! config('codefec.app.csrf')) {
return $handler->handle($request);
}
foreach(Itf()->get("csrf") as $value){
if(Str::is($this->clean_str($value),$this->clean_str(request()->path()))){
foreach (Itf()->get('csrf') as $value) {
if (Str::is($this->clean_str($value), $this->clean_str(request()->path()))) {
return $handler->handle($request);
}
}
if(request()->isMethod("post") && csrf_token() !== request()->input("_token")) {
return admin_abort(["msg" => "会话超时,请刷新后重新提交"],419);
$sha1 = sha1(json_encode([
request()->getHeader('host')[0],
get_client_ip(),
get_user_agent(),
], JSON_THROW_ON_ERROR));
if (request()->isMethod('post') && $sha1 !== request()->input('_token')) {
return admin_abort(['msg' => '会话超时,请刷新后重新提交', 'CSRF_TOKEN_CREATE' => is_string(recsrf_token()) ], 419);
}
return $handler->handle($request);
}

public function clean_str($str): array|string
public function clean_str($str): array | string
{
return str_replace("/","_",$str);
return str_replace('/', '_', $str);
}
}
}
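Review bot: The `isMethod('post')` check now compares `_token` against `$sha1`, a value recomputed from the Host header, client IP and User-Agent, rather than against the session-bound csrf_token(), so the session is never consulted and the expected value is derivable from request fields alone instead of being an unguessable secret; the same derivation is what csrf_token() now caches in app/helpers.php. The comparison should also be constant-time and reject non-string input: `$token = request()->input('_token');` followed by `if (request()->isMethod('post') && (! is_string($token) || ! hash_equals(csrf_token(), $token))) {`. Regenerating the token via recsrf_token() inside the abort payload is a side effect hidden in an error response and would be clearer as its own statement before the return. Two `use Psr\Http\Server\MiddlewareInterface;` lines appear in the import hunk; if both land on the new side PHP rejects the file with an "already in use" error. The class's constructor lies outside this hunk.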
61 changes: 34 additions & 27 deletions app/helpers.php
Expand Up @@ -8,20 +8,30 @@
* @contact laravel@88.com
* @license https://github.com/zhuchunshu/super-forum/blob/master/LICENSE
*/
use App\CodeFec\{Admin\Admin,Itf\Setting\SettingInterface,Menu\MenuInterface,Plugins,View\Beautify_Html};
use App\CodeFec\Admin\Admin;
use App\CodeFec\Itf\Setting\SettingInterface;
use App\CodeFec\Menu\MenuInterface;
use App\CodeFec\Plugins;
use App\CodeFec\View\Beautify_Html;
use App\Model\AdminOption;
use Hyperf\Context\Context;
use Hyperf\Contract\{SessionInterface,StdoutLoggerInterface};
use Hyperf\Contract\SessionInterface;
use Hyperf\Contract\StdoutLoggerInterface;
use Hyperf\HttpMessage\Stream\SwooleStream;
use Hyperf\HttpServer\{Contract\ResponseInterface,Response};
use Hyperf\HttpServer\Contract\ResponseInterface;
use Hyperf\HttpServer\Response;
use Hyperf\Logger\LoggerFactory;
use Hyperf\Paginator\UrlWindow;
use Hyperf\Server\ServerFactory;
use Hyperf\Utils\{ApplicationContext};
use Hyperf\View\RenderInterface;
use Illuminate\Support\{Arr,Facades\File,Str};
use Illuminate\Support\Arr;
use Illuminate\Support\Facades\File;
use Illuminate\Support\Str;
use Overtrue\Http\Client;
use Psr\{Container\ContainerInterface,EventDispatcher\EventDispatcherInterface,Http\Message\ServerRequestInterface};
use Psr\Container\ContainerInterface;
use Psr\EventDispatcher\EventDispatcherInterface;
use Psr\Http\Message\ServerRequestInterface;

function public_path($path = ''): string
{
Expand Down Expand Up @@ -488,37 +498,34 @@ function de_stringify(string $stringify): array
if (! function_exists('csrf_token')) {
function csrf_token()
{
if (! session()->has('csrf_token')) {
session()->set('csrf_token', Str::random());
if (! session()->has('CSRF_TOKEN')) {
session()->set('CSRF_TOKEN', Str::random());
}
if (! cache()->has('csrf_token' . session()->get('csrf_token'))) {
cache()->set('csrf_token' . session()->get('csrf_token'), Str::random());
if (! cache()->has('CSRF_TOKEN' . session()->get('CSRF_TOKEN'))) {
$k = sha1(json_encode([
request()->getHeader('host')[0],
get_client_ip(),
get_user_agent(),
], JSON_THROW_ON_ERROR));
cache()->set('CSRF_TOKEN' . session()->get('CSRF_TOKEN'), $k);
}
return cache()->get('csrf_token' . session()->get('csrf_token'));
}
}

if (! function_exists('csrf_token')) {
function csrf_token()
{
if (! session()->has('csrf_token')) {
session()->set('csrf_token', Str::random());
}
if (! cache()->has('csrf_token.' . session()->get('csrf_token'))) {
cache()->set('csrf_token.' . session()->get('csrf_token'), Str::random());
}
return cache()->get('csrf_token.' . session()->get('csrf_token'));
return cache()->get('CSRF_TOKEN' . session()->get('CSRF_TOKEN'));
}
}

if (! function_exists('recsrf_token')) {
function recsrf_token()
{
if (! session()->has('csrf_token')) {
session()->set('csrf_token', Str::random());
if (! session()->has('CSRF_TOKEN')) {
session()->set('CSRF_TOKEN', Str::random());
}
cache()->set('csrf_token.' . session()->get('csrf_token'), Str::random());
return cache()->get('csrf_token.' . session()->get('csrf_token'));
$k = sha1(json_encode([
request()->getHeader('host')[0],
get_client_ip(),
get_user_agent(),
], JSON_THROW_ON_ERROR));
cache()->set('CSRF_TOKEN' . session()->get('CSRF_TOKEN'), $k);
return cache()->get('CSRF_TOKEN' . session()->get('CSRF_TOKEN'));
}
}
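Review bot: In both csrf_token() and recsrf_token(), `$k` is `sha1(json_encode([host, ip, user-agent]))`, a deterministic function of fields the submitting browser itself supplies, so the cached token no longer carries any entropy and the `Str::random()` it replaces was the stronger choice; keeping `Str::random()` (or `bin2hex(random_bytes(32))`) for `$k` restores an unpredictable, session-bound token while leaving the CSRF_TOKEN session and cache keys as the commit sets them. `request()->getHeader('host')[0]` reads offset 0 of an array that is empty when no Host header is present, which would raise an undefined-offset warning before the JSON is encoded. The five-line `$k` computation is duplicated verbatim in the two functions; if a derived value is kept, a single private helper would stop them drifting apart. Neither function declares a return type; `: string` would document what the cache lookup is expected to yield, hedged on whether cache()->get() can return null on a miss.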
