vendor/pimcore/pimcore/bundles/AdminBundle/Security/CsrfProtectionHandler.php line 78

Open in your IDE?
  1. <?php
  3. /**
  4. * Pimcore
  5. *
  6. * This source file is available under two different licenses:
  7. * - GNU General Public License version 3 (GPLv3)
  8. * - Pimcore Commercial License (PCL)
  9. * Full copyright and license information is available in
  10. * LICENSE.md which is distributed with this source code.
  11. *
  12. * @copyright Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  13. * @license http://www.pimcore.org/license GPLv3 and PCL
  14. */
  16. namespace Pimcore\Bundle\AdminBundle\Security;
  18. use Pimcore\Tool\Session;
  19. use Psr\Log\LoggerAwareInterface;
  20. use Psr\Log\LoggerAwareTrait;
  21. use Symfony\Component\HttpFoundation\Request;
  22. use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
  23. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  24. use Twig\Environment;
  26. /**
  27. * @internal
  28. */
  29. class CsrfProtectionHandler implements LoggerAwareInterface
  30. {
  31. use LoggerAwareTrait;
  33. protected $excludedRoutes = [];
  35. protected $csrfToken = null;
  37. /**
  38. * @var Environment
  39. */
  40. protected $twig;
  42. /**
  43. * @param array $excludedRoutes
  44. * @param Environment $twig
  45. */
  46. public function __construct($excludedRoutes, Environment $twig)
  47. {
  48. $this->excludedRoutes = $excludedRoutes;
  49. $this->twig = $twig;
  50. }
  52. /**
  53. * @param Request $request
  54. */
  55. public function checkCsrfToken(Request $request)
  56. {
  57. $csrfToken = $this->getCsrfToken();
  58. $requestCsrfToken = $request->headers->get('x_pimcore_csrf_token');
  59. if (!$requestCsrfToken) {
  60. $requestCsrfToken = $request->get('csrfToken');
  61. }
  63. if (!$csrfToken || $csrfToken !== $requestCsrfToken) {
  64. $this->logger->error('Detected CSRF attack on {request}', [
  65. 'request' => $request->getPathInfo(),
  66. ]);
  68. throw new AccessDeniedHttpException('Detected CSRF Attack! Do not do evil things with pimcore ... ;-)');
  69. }
  70. }
  72. /**
  73. * @return string
  74. */
  75. public function getCsrfToken()
  76. {
  77. if (!$this->csrfToken) {
  78. $this->csrfToken = Session::getReadOnly()->get('csrfToken');
  79. if (!$this->csrfToken) {
  80. $this->regenerateCsrfToken(false);
  81. }
  82. }
  84. return $this->csrfToken;
  85. }
  87. public function regenerateCsrfToken(bool $force = true)
  88. {
  89. $this->csrfToken = Session::useSession(function (AttributeBagInterface $adminSession) use ($force) {
  90. if ($force || !$adminSession->get('csrfToken')) {
  91. $adminSession->set('csrfToken', sha1(generateRandomSymfonySecret()));
  92. }
  94. return $adminSession->get('csrfToken');
  95. });
  97. $this->twig->addGlobal('csrfToken', $this->csrfToken);
  98. }
  100. public function generateCsrfToken()
  101. {
  102. $this->twig->addGlobal('csrfToken', $this->getCsrfToken());
  103. }
  105. /**
  106. * @return array
  107. */
  108. public function getExcludedRoutes(): array
  109. {
  110. return $this->excludedRoutes;
  111. }
  112. }