author | Michael Francis <edude03@gmail.com> | 2011-05-28 13:28:16 -0400 |
---|---|---|
committer | Michael Francis <edude03@gmail.com> | 2011-05-28 13:28:16 -0400 |
commit | 2389d66da849798f8d4ec5f10e3b07c11da49185 (patch) | |
tree | e22556d12982395b469a23420c662662e3e064cc /CSRF | |
Initial Commit
Diffstat (limited to 'CSRF')
-rw-r--r-- | CSRF | 67 |
1 files changed, 67 insertions, 0 deletions
@@ -0,0 +1,67 @@
+// This code is brought to you by Sean Coates (seancoates.com):
+
+<?php
+
+namespace app\extensions\helper;
+use \app\extensions\storage\Session;
+use \lithium\util\String;
+
+class Form extends \lithium\template\helper\Form
+{
+ protected function _render($method, $string, $params, array $options = array()) {
+ if ($docsrf = isset($params['options']['docsrf'])) {
+ unset($params['options']['docsrf']);
+ }
+
+ // get default
+ $ret = parent::_render($method, $string, $params, $options);
+
+ // if we're not already in a create chain, and if we're docsrf...
+ if (((get_parent_class($this) . '::create') == $method
+ || (get_class($this) . '::create') == $method)
+ && $docsrf) {
+ // append a hidden field with the token
+ $ret .= $this->hidden(
+ \app\extensions\action\Request::CSRF_TOKEN_FIELD_NAME,
+ array('value' => Session::get_csrf_token())
+ );
+ }
+
+ return $ret;
+ }
+}
+
+?>
+
+<?php
+
+namespace app\extensions\storage;
+
+class Session extends \lithium\storage\Session
+{
+ public static function get_csrf_token($replace = false)
+ {
+ $token = null;
+ if (!$replace) {
+ $token = self::read('csrf_token');
+ }
+ if ($token) {
+ return $token;
+ }
+
+ // not found (or replacing); generate a new token
+ $token = md5(uniqid(microtime(true)));
+
+ self::write('csrf_token', $token);
+
+ return $token;
+ }
+
+ public static function check_csrf_token($token)
+ {
+ return $token === self::read('csrf_token');
+ }
+
+}
+
+?>
\ No newline at end of file |
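Review bot: The token minted in get_csrf_token with `md5(uniqid(microtime(true)))` is derived from the clock rather than from a cryptographically secure source, so it is guessable by anyone who can estimate when the session was created; it should come from a CSPRNG, e.g. `$token = bin2hex(random_bytes(16));` (or `openssl_random_pseudo_bytes` on PHP versions before 7). check_csrf_token compares with a bare `===`, which, if `Session::read` returns null for an absent key (as the `if ($token)` fallback above suggests), also passes when no token has been stored yet and the caller forwards a missing field as null, and it is not a constant-time comparison; I would guard the types and use `hash_equals`: `$stored = self::read('csrf_token');` followed by `return is_string($token) && is_string($stored) && hash_equals($stored, $token);`. The `if ($token)` truthiness test in get_csrf_token would also discard a stored token of `'0'`, so `if ($token !== null)` states the intent more precisely. `use \lithium\util\String;` in the Form file appears to be unused.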