Search code examples
csrfpearquickform

PEAR QuickForm2 CSRF Protection


I was looking for a way to ensure CSRF-Protection in my Quickform2.

I found this link but it's for QuickForm1.

Any ideas how I can adapt this to QF2?


Solution

  • After some fiddling around I came up with this solution.

    Maybe it helps someone else as well:

    <?php
    
    /**
     * @uses HTML_QuickForm
     * @desc Add automatic CSRF mitigation to all forms by incorporating a token that must be matched in the session and forcing the use of POST method
     * Based on: http://www.zapoyok.info/2010/07/17/csrf-et-quickform-de-pear/
     */
    require_once "QuickForm2.php";
    
    class HTML_QuickForm2s extends HTML_QuickForm2
    {
        /**
         * @property string $_sessionTokenKey The name of the session variable containing the token
         */
        private $_sessionTokenKey;
    
        /**
         * @method __construct
         * @desc Override the method to always use post and pass it on to the parent constructor. Create a session key for the token based on the form name.
         * @param $id
         * @param string $method
         * @param mixed $attributes
         * @param boolean $trackSubmit
         */
        public function __construct($id, $method = 'post', $attributes = null, $trackSubmit = true)
        {
            $this->_sessionTokenKey = "QuickForm2s_" . md5($id);
    
            parent::__construct($id, $method, $attributes, $trackSubmit);
    
            //A token hasn't been created so do so
            if (!isset($_SESSION[$this->_sessionTokenKey])) {
                $_SESSION[$this->_sessionTokenKey] = md5(uniqid(rand(), true) . session_id()); //requires the session id to be known in order to add extra difficulty to compromising
            }
    
            //Hide the token at the end of the form
            $this->addElement("hidden", "qfS_csrf");
    
            $qfsCsrf= $this->getElementsByName('qfS_csrf');
            $qfsCsrf[0]->setValue($_SESSION[$this->_sessionTokenKey]);
        }
    
        /**
         * @method validate
         * @desc Check if the passed token matches the session before allowing validation
         * @return boolean
         */
        public function validate()
        {
            $submitValues = $this->getValue();
    
            //The token was not passed or does not match
            if (!isset($submitValues['qfS_csrf']) || $submitValues['qfS_csrf'] != $_SESSION[$this->_sessionTokenKey]) {
                $this->setError("Anti-CSRF token does not match");
            }
    
            return parent::validate();
        }
    
    }