Merge branch 'development'

webpwnized · Dec 17, 2023 · 4d06aac · 4d06aac
2 parents e6717fb + 1e8029c
commit 4d06aac
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 72 deletions.
diff --git a/classes/CSRFTokenHandler.php b/classes/CSRFTokenHandler.php
@@ -1,20 +1,22 @@
-<?php
+	<?php
 
 /* Determine the root of the entire project.
- * Recall this file is in the "includes" folder so its "2 levels deep". */
-if (!defined('__SITE_ROOT__')){if (!defined('__SITE_ROOT__')){define('__SITE_ROOT__', dirname(dirname(__FILE__)));}}
+ * This file is in the "classes" folder so its "2 levels deep". */
+if (!defined('__SITE_ROOT__')){
+	define('__SITE_ROOT__', dirname(dirname(__FILE__)));
+}
+
+class CSRFTokenHandler{
 
-class CSRFTokenHandler{
-
 	/* objects */
 	protected $mEncoder = null;
 
 	/* flag properties */
-	protected $mEncodeOutput = FALSE;
-	protected $mSecurityLevel = 0;
+	protected $mEncodeOutput = FALSE;
+	protected $mSecurityLevel = 0;
 	protected $mCSRFTokenStrength = "NONE";
-	protected $mProtectAgainstCSRF = FALSE;
-
+	protected $mProtectAgainstCSRF = FALSE;
+
 	protected $mExpectedCSRFTokenForThisRequest = "";
 	protected $mNewCSRFTokenForNextRequest = "";
 	protected $mPageBeingProtected = "";
@@ -24,78 +26,78 @@ class CSRFTokenHandler{
 	protected $mRandomTokenBytes = 64;
 
 	private function doSetSecurityLevel($pSecurityLevel){
-
-		$this->mSecurityLevel = $pSecurityLevel;
-
-		switch ($this->mSecurityLevel){
+
+		$this->mSecurityLevel = $pSecurityLevel;
+
+		switch ($this->mSecurityLevel){
 			case "0": // This code is insecure, we are not encoding output
 				$this->mEncodeOutput = FALSE;
 				$this->mCSRFTokenStrength = "NONE";
 				$this->mProtectAgainstCSRF = FALSE;
-				break;
-			case "1": // This code is insecure, we are not encoding output
-				$this->mEncodeOutput = FALSE;
+				break;
+			case "1": // This code is insecure, we are not encoding output
+				$this->mEncodeOutput = FALSE;
 				$this->mCSRFTokenStrength = "LOW";
 				$this->mProtectAgainstCSRF = TRUE;
-			break;
-
-			case "2":
-			case "3":
-			case "4":
-			case "5": // This code is fairly secure
-				// If we are secure, then we encode all output.
-				$this->mEncodeOutput = TRUE;
+			break;
+
+			case "2":
+			case "3":
+			case "4":
+			case "5": // This code is fairly secure
+				// If we are secure, then we encode all output.
+				$this->mEncodeOutput = TRUE;
 				$this->mCSRFTokenStrength = "HIGH";
 				$this->mProtectAgainstCSRF = TRUE;
-			break;
+			break;
 		}// end switch
-
-	}// end function
-
-	public function __construct($pSecurityLevel, $pPageBeingProtected){
-
-		$this->doSetSecurityLevel($pSecurityLevel);
-
-		//initialize encoder
+
+	}// end function
+
+	public function __construct($pSecurityLevel, $pPageBeingProtected){
+
+		$this->doSetSecurityLevel($pSecurityLevel);
+
+		//initialize encoder
 		require_once (__SITE_ROOT__.'/classes/EncodingHandler.php');
 		$this->mEncoder = new EncodingHandler();
 		$this->mPageBeingProtected = $pPageBeingProtected;
 
-		if (isset($_SESSION['register-user']['csrf-token'])){
-			$this->mExpectedCSRFTokenForThisRequest = $_SESSION[$this->mPageBeingProtected]['csrf-token'];
-		}//end if
-
-	}// end function
-
-	public function setSecurityLevel($pSecurityLevel){
-		$this->doSetSecurityLevel($pSecurityLevel);
-	}// end function setSecurityLevel
+		if (isset($_SESSION[$this->mPageBeingProtected]['csrf-token'])){
+			$this->mExpectedCSRFTokenForThisRequest = $_SESSION[$this->mPageBeingProtected]['csrf-token'];
+		}//end if
+
+	}// end function
+
+	public function setSecurityLevel($pSecurityLevel){
+		$this->doSetSecurityLevel($pSecurityLevel);
+	}// end function setSecurityLevel
 
-	private function doGenerateCSRFToken(){
+	private function doGenerateCSRFToken(){
 
 		$lCurrentCSRFToken = 0;
-		switch ($this->mCSRFTokenStrength){
-			case "HIGH":
+		switch ($this->mCSRFTokenStrength){
+			case "HIGH":
 			    $lCSRFToken = base64_encode(random_bytes($this->mRandomTokenBytes));
-			break;
-			case "MEDIUM":
-				$lCSRFToken = mt_rand();
-			break;
+			break;
+			case "MEDIUM":
+				$lCSRFToken = mt_rand();
+			break;
 			case "LOW":
 				if (isset($_SESSION[$this->mPageBeingProtected]['csrf-token'])) {
 					$lCurrentCSRFToken = $_SESSION[$this->mPageBeingProtected]['csrf-token'];
 				}// end if
-				$lBase = 77;
-				$lCSRFToken = ((int)$lBase + (int)$lCurrentCSRFToken);
+				$lBase = 77;
+				$lCSRFToken = ((int)$lBase + (int)$lCurrentCSRFToken);
 			break;
 			case "NONE":
 				$lCSRFToken = "";
-			break;
-			default:break;
+			break;
+			default:break;
 		}//end switch on $lCSRFTokenStrength
 
 		return $lCSRFToken;
-
+
 	}// end private function doGenerateCSRFToken()
 
 	public function generateCSRFToken(){
@@ -124,9 +126,9 @@ public function validateCSRFToken($pPostedCSRFToken){
 	public function generateCSRFHTMLReport(){
 
 		if($this->mEncodeOutput){
-			$lPostedCSRFToken = $this->mEncoder->encodeForHTML($this->mPostedCSRFToken);
-			$lExpectedCSRFTokenForThisRequest = $this->mEncoder->encodeForHTML($this->mExpectedCSRFTokenForThisRequest);
-			$lNewCSRFTokenForNextRequest = $this->mEncoder->encodeForHTML($this->mNewCSRFTokenForNextRequest);
+			$lPostedCSRFToken = $this->mEncoder->encodeForHTML($this->mPostedCSRFToken);
+			$lExpectedCSRFTokenForThisRequest = $this->mEncoder->encodeForHTML($this->mExpectedCSRFTokenForThisRequest);
+			$lNewCSRFTokenForNextRequest = $this->mEncoder->encodeForHTML($this->mNewCSRFTokenForNextRequest);
 			$lTokenStoredInSession = $this->mEncoder->encodeForHTML($_SESSION[$this->mPageBeingProtected]['csrf-token']);
 		}else{
 			$lPostedCSRFToken = $this->mPostedCSRFToken;
@@ -136,20 +138,20 @@ public function generateCSRFHTMLReport(){
 		}// end if
 
 		return
-			'<div>&nbsp;</div>'.PHP_EOL.
-			'<div>&nbsp;</div>'.PHP_EOL.
-			'<fieldset>'.PHP_EOL.
-			'<legend>CSRF Protection Information</legend>'.PHP_EOL.
-			'<table>'.PHP_EOL.
-			'<tr><td></td></tr>'.PHP_EOL.
-			'<tr><td class="report-header">Posted Token: '.$lPostedCSRFToken.'<br/>('.$this->mTokenValid.')</td></tr>'.PHP_EOL.
-			'<tr><td>Expected Token For This Request: '.$lExpectedCSRFTokenForThisRequest.'</td></tr>'.PHP_EOL.
-			'<tr><td>Token Passed By User For This Request: '.$lPostedCSRFToken.'</td></tr>'.PHP_EOL.
-			'<tr><td>&nbsp;</td></tr>'.PHP_EOL.
-			'<tr><td>New Token For Next Request: '.$lNewCSRFTokenForNextRequest.'</td></tr>'.PHP_EOL.
-			'<tr><td>Token Stored in Session: '.$lTokenStoredInSession.'</td></tr>'.PHP_EOL.
-			'<tr><td></td></tr>'.PHP_EOL.
-			'</table>'.PHP_EOL.
+			'<div>&nbsp;</div>'.PHP_EOL.
+			'<div>&nbsp;</div>'.PHP_EOL.
+			'<fieldset>'.PHP_EOL.
+			'<legend>CSRF Protection Information</legend>'.PHP_EOL.
+			'<table>'.PHP_EOL.
+			'<tr><td></td></tr>'.PHP_EOL.
+			'<tr><td class="report-header">Posted Token: '.$lPostedCSRFToken.'<br/>('.$this->mTokenValid.')</td></tr>'.PHP_EOL.
+			'<tr><td>Expected Token For This Request: '.$lExpectedCSRFTokenForThisRequest.'</td></tr>'.PHP_EOL.
+			'<tr><td>Token Passed By User For This Request: '.$lPostedCSRFToken.'</td></tr>'.PHP_EOL.
+			'<tr><td>&nbsp;</td></tr>'.PHP_EOL.
+			'<tr><td>New Token For Next Request: '.$lNewCSRFTokenForNextRequest.'</td></tr>'.PHP_EOL.
+			'<tr><td>Token Stored in Session: '.$lTokenStoredInSession.'</td></tr>'.PHP_EOL.
+			'<tr><td></td></tr>'.PHP_EOL.
+			'</table>'.PHP_EOL.
 			'</fieldset>'.PHP_EOL;
 	}// end public function generateCSRFHTMLReport()
 

diff --git a/includes/constants.php b/includes/constants.php
@@ -2,7 +2,7 @@
 	/* ------------------------------------------
 	 * @VERSION
 	 * ------------------------------------------*/
-	$C_VERSION = "2.11.8";
+	$C_VERSION = "2.11.9";
 	$C_VERSION_STRING = "Version: " . $C_VERSION;
 	$C_MAX_HINT_LEVEL = 1;