
Fixed registration form CSRF protection for PHP 7.2 compatibility
tkrebs committed Feb 8, 2018
1 parent e4b240a commit 90b9a78
Showing 1 changed file with 15 additions and 9 deletions.
24 changes: 15 additions & 9 deletions module/User/src/User/Form/RegistrationForm.php
Expand Up @@ -5,7 +5,7 @@
use Base\Manager\OptionManager;
use User\Entity\User;
use User\Manager\UserManager;
use Zend\Crypt\BlockCipher;
use Zend\Crypt\Password\Bcrypt;
use Zend\Form\Form;
use Zend\InputFilter\Factory;

Expand Down Expand Up @@ -246,16 +246,19 @@ public function init()
),
));

/* Add AES encrypted timestamp for security */
/* Add weak CSRF protection */

$blockCipher = BlockCipher::factory('mcrypt', array('algo' => 'aes'));
$blockCipher->setKey('A balrog, a demon of the ancient world. Its foe is beyond any of you, RUN!');
$time = time();

$bcrypt = new Bcrypt();
$bcrypt->setCost(6);
$bcrypt->setSalt(php_uname());

$this->add(array(
'name' => 'rf-csrf',
'type' => 'Hidden',
'attributes' => array(
'value' => $blockCipher->encrypt(time()),
'value' => $time . $bcrypt->create($time),
),
));

Expand Down Expand Up @@ -650,15 +653,18 @@ public function init()
array(
'name' => 'Callback',
'options' => array(
'callback' => function($value) use ($blockCipher) {
$time = $blockCipher->decrypt($value);
'callback' => function($value) use ($bcrypt) {
$time = time();

$formTime = substr($value, 0, strlen($time));
$formTimeHash = substr($value, strlen($time));

if (! is_numeric($time)) {
if ($formTimeHash != $bcrypt->create($formTime)) {
return false;
}

// Allow form submission after five seconds and until one hour
if (time() - $time < 5 || time() - $time > 60 * 60) {
if (time() - $formTime < 5 || time() - $formTime > 60 * 60) {
return false;
} else {
return true;
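Review bot: The check on the `if ($formTimeHash != $bcrypt->create($formTime))` line only proves that the sender could compute a bcrypt digest under the salt set in the earlier hunk, and that salt is `php_uname()`, which is an environment fingerprint rather than a secret, so the digest is reproducible by anyone who knows the host's uname string; the token is also not tied to the submitting user's session, so what remains is a 5-second-to-1-hour replay window, which the new `/* Add weak CSRF protection */` comment already concedes. At minimum the comparison should be strict and constant-time, `if (! hash_equals($bcrypt->create($formTime), $formTimeHash)) {`, and `$formTime` should be checked with `ctype_digit()` before it is used in the subtraction below, since the removed `is_numeric` guard was the only such check. Zend\Form already ships a session-bound token element, so the hidden element in the earlier hunk plus this Callback validator could be replaced by `$this->add(array('name' => 'rf-csrf', 'type' => 'Csrf', 'options' => array('csrf_options' => array('timeout' => 3600))));`, which keeps the one-hour expiry and drops the Bcrypt/uname scheme (the five-second minimum delay would need to stay as a separate check if it is wanted). The closing lines of this callback and of init() are outside the hunk.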
