author
Greg Bowler
committed
feature: configure whitelisted global variables
1 parent 944a9a5 commit f3840f2

2 files changed

+15
-6
lines changed

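--- a/config.default.ini
+++ b/config.default.ini
@@ -5,6 +5,12 @@ service_loader=ServiceLoader
 slow_delta=0.25
 very_slow_delta=0.50
 render_buffer_size=1024
+globals_whitelist_env=
+globals_whitelist_server=
+globals_whitelist_get=xdebug
+globals_whitelist_post=
+globals_whitelist_files=
+globals_whitelist_cookies=
 
 [router]
 router_file=router.php
@@ -43,3 +49,4 @@ query_path=query
 
 [security]
 ;default_headers="X-Content-Type-Options: nosniff; X-Frame-Options: deny; Content-Security-Policy: default-src 'none'"
+csrf_header=X-CSRF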
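Review bot: The six new `globals_whitelist_*` keys have no comment saying what their value format is or what they control, and `globals_whitelist_get=xdebug` ships as a default that keeps an `xdebug` query parameter visible to application code in every environment, not just development. A reader of this file cannot tell that the value is a comma-separated list of superglobal keys, or that an empty value is the safe choice. Suggest a comment above the block such as `; Comma-separated superglobal keys that survive Protection::removeGlobals(); leave empty to strip them all. Override globals_whitelist_get outside development.` (the stripping behaviour is inferred from the consumer's name and should be confirmed against Protection::removeGlobals()). The same format note would help `csrf_header`, which names the response header that carries the CSRF tokens.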

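--- a/src/Middleware/RequestHandler.php
+++ b/src/Middleware/RequestHandler.php
@@ -149,8 +149,6 @@ public function handle(
 $serviceContainer->set($viewModel);
 }
 
-// TODO: Set a Session loader here, so the CSRF handler can use it.
-
 if($viewModel instanceof HTMLDocument) {
 try {
 $partial = new PartialContent(implode(DIRECTORY_SEPARATOR, [
@@ -200,7 +198,7 @@ public function handle(
 
 $session = $serviceContainer->get(Session::class);
 $csrfTokenStore = new SessionTokenStore(
-$session->getStore("csrf", true)
+$session->getStore("webengine.csrf", true)
 );
 
 if($request->getMethod() === "POST") {
@@ -209,16 +207,20 @@ public function handle(
 
 $protector = new HTMLDocumentProtector($viewModel, $csrfTokenStore);
 $tokens = $protector->protect(HTMLDocumentProtector::ONE_TOKEN_PER_FORM);
-$response = $response->withHeader("x-csrf", $tokens);
+$response = $response->withHeader($this->config->getString("security.csrf_header"), $tokens);
 }
 
 $input = new Input($_GET, $_POST, $_FILES);
 $serviceContainer->set($input);
 
 Protection::overrideInternals(
 Protection::removeGlobals($GLOBALS, [
-// TODO: Configure the whitelisted globals.
-"_GET" => ["xdebug"],
+"_ENV" => explode(",", $this->config->getString("app.globals_whitelist_env") ?? ""),
+"_SERVER" => explode(",", $this->config->getString("app.globals_whitelist_server") ?? ""),
+"_GET" => explode(",", $this->config->getString("app.globals_whitelist_get") ?? ""),
+"_POST" => explode(",", $this->config->getString("app.globals_whitelist_post") ?? ""),
+"_FILES" => explode(",", $this->config->getString("app.globals_whitelist_files") ?? ""),
+"_COOKIES" => explode(",", $this->config->getString("app.globals_whitelist_cookies") ?? ""),
 ]
 ));
 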
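Review bot: The last entry of the new whitelist array is keyed `"_COOKIES"`, but PHP's superglobal is `$_COOKIE`; the other five keys match their superglobal names exactly, so if removeGlobals() keys by superglobal name (it is not visible here) the cookie whitelist is silently never applied, and should read `"_COOKIE" => ...`. Separately, `explode(",", "")` returns `[""]` rather than `[]`, so every empty config value passes a single empty-string key through as "whitelisted", and values written as `a, b` keep the leading space; trimming and dropping empty entries in one helper avoids both and removes the six repeated `explode`/`getString` lines. A smaller point on the CSRF hunk above: `withHeader()` is now handed whatever `security.csrf_header` resolves to, so an installation whose config predates this commit would pass `null` as the header name — worth a `?? "X-CSRF"` fallback matching the shipped default. The enclosing handle() method begins and ends outside these hunks.
```php
/**
 * Read app.globals_whitelist_<$name> as a comma-separated list of
 * superglobal keys, trimming whitespace and dropping empty entries so an
 * unset or empty setting yields [] rather than [""].
 */
private function globalsWhitelist(string $name):array {
	$raw = $this->config->getString("app.globals_whitelist_$name") ?? "";
	$keys = [];
	foreach(explode(",", $raw) as $key) {
		$key = trim($key);
		if($key !== "") {
			$keys[] = $key;
		}
	}
	return $keys;
}

// … in handle(), unchanged: CSRF protection, Input setup …
Protection::overrideInternals(
	Protection::removeGlobals($GLOBALS, [
		"_ENV" => $this->globalsWhitelist("env"),
		"_SERVER" => $this->globalsWhitelist("server"),
		"_GET" => $this->globalsWhitelist("get"),
		"_POST" => $this->globalsWhitelist("post"),
		"_FILES" => $this->globalsWhitelist("files"),
		"_COOKIE" => $this->globalsWhitelist("cookies"),
	]
));
```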
