Context Navigation

data

Timestamp:

2007/06/28 16:46:22 (17 years ago)

Author:

adati

Message:

CSRF対策：sfIsValidTransition()の追加、画面遷移の正当性をチェックする

File:

-                      r14950
+                      r14990
 /* Ç§¾Ú¤Î²ÄÈÝÈ½Äê */
 function sfIsSuccess($objSess, $disp_error = true) {
+function sfIsSuccess($objSess, $disp_error = true) {
     $ret = $objSess->IsSuccess();
     if($ret != SUCCESS) {
 …
     // $_SERVER['HTTPS'] != 'off' ¤ÏIISÍÑ
     if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
+        return true;
+    } else {
+        return false;
+    }
+}
+/**
+ *  Àµµ¬¤ÎÁ«°Ü¤¬¤µ¤ì¤Æ¤¤¤ë¤«¤òÈ½Äê
+ *  Á°²èÌÌ¤Çuniqid¤òËä¤á¹þ¤ó¤Ç¤ª¤¯É¬Í×¤¬¤¢¤ë
+ *  @param  obj  SC_Session, SC_SiteSession
+ *  @return bool
+ */
+function sfIsValidTransition($objSess) {
+    // Á°²èÌÌ¤«¤éPOST¤µ¤ì¤ëuniqid¤¬Àµ¤·¤¤¤â¤Î¤«¤É¤¦¤«¤ò¥Á¥§¥Ã¥¯
+    $uniqid = $objSess->getUniqId();
+    if ( !empty($_POST['uniqid']) && ($_POST['uniqid'] === $uniqid) ) {
         return true;
     } else {

Note: See TracChangeset for help on using the changeset viewer.