From 54b75026fce057829f65eb194fb1ff231b2fbf78 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Wed, 11 Apr 2018 23:28:51 -0400 Subject: [PATCH] Add header support for security token check --- include/security.php | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/include/security.php b/include/security.php index af424df26c..b13a507cf4 100644 --- a/include/security.php +++ b/include/security.php @@ -405,12 +405,21 @@ function get_form_security_token($typename = '') function check_form_security_token($typename = '', $formname = 'form_security_token') { - if (!x($_REQUEST, $formname)) { - return false; + $hash = null; + + if (!empty($_REQUEST[$formname])) { + /// @TODO Careful, not secured! + $hash = $_REQUEST[$formname]; + } + + if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) { + /// @TODO Careful, not secured! + $hash = $_SERVER['HTTP_X_CSRF_TOKEN']; } - /// @TODO Careful, not secured! - $hash = $_REQUEST[$formname]; + if (empty($hash)) { + return false; + } $max_livetime = 10800; // 3 hours -- 2.39.5