src/aphront/AphrontRequest.php
Show First 20 Lines • Show All 250 Lines • ▼ Show 20 Lines | public function validateCSRF() { | ||||
// No token in the request, check the HTTP header which is added for Ajax | // No token in the request, check the HTTP header which is added for Ajax | ||||
// requests. | // requests. | ||||
if (empty($token)) { | if (empty($token)) { | ||||
$token = self::getHTTPHeader(self::getCSRFHeaderName()); | $token = self::getHTTPHeader(self::getCSRFHeaderName()); | ||||
} | } | ||||
$valid = $this->getUser()->validateCSRFToken($token); | $valid = $this->getUser()->validateCSRFToken($token); | ||||
// The CSRF check may not be valid if "security.require-https" is set but | |||||
// the connection is plain HTTP. In this case, we don't send cookies to the | |||||
// client, so they won't have an anonymous session cookie and won't be able | |||||
// to pass the CSRF check. | |||||
// Note that this normally only happens for requests from inside | |||||
// "cluster.addresses" (usually test installs on localhost). Other | |||||
// connections will be redirected to HTTPS automatically. See T12547. | |||||
if (!$valid) { | if (!$valid) { | ||||
$cookie_domain = $this->getCookieDomainURI(); | |||||
if (!$cookie_domain) { | |||||
$message = pht( | |||||
'You are trying to issue a write request which requires a CSRF '. | |||||
'check, but this connection is HTTP and "security.require-https" '. | |||||
'is enabled, so CSRF cookies can not be set and writes can not be '. | |||||
'verfied. To continue, use HTTPS or disable the HTTPS requirement.'); | |||||
throw new AphrontMalformedRequestException( | |||||
pht('No Cookie Support (CSRF)'), | |||||
$message); | |||||
} | |||||
} | |||||
if (!$valid) { | |||||
// Add some diagnostic details so we can figure out if some CSRF issues | // Add some diagnostic details so we can figure out if some CSRF issues | ||||
// are JS problems or people accessing Ajax URIs directly with their | // are JS problems or people accessing Ajax URIs directly with their | ||||
// browsers. | // browsers. | ||||
$info = array(); | $info = array(); | ||||
$info[] = pht( | $info[] = pht( | ||||
'You are trying to save some data to Phabricator, but the request '. | 'You are trying to save some data to Phabricator, but the request '. | ||||
'your browser made included an incorrect token. Reload the page '. | 'your browser made included an incorrect token. Reload the page '. | ||||
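Review bot: The user-facing message added in the new `if (!$cookie_domain)` branch contains a typo, `'verfied. To continue, use HTTPS or disable the HTTPS requirement.');` should read `'verified. To continue, use HTTPS or disable the HTTPS requirement.');`, and since this text is passed through pht() the misspelled string also becomes the translation key. The two consecutive `if (!$valid)` blocks that follow read as two separate failure paths; folding the cookie-domain check into the start of the existing `if (!$valid)` block (throwing the malformed-request exception first, then falling through to the diagnostic message) would keep the single rejection path obvious to the next reader. Both branches still reject the request when the token does not validate, which is the property to preserve here. validateCSRF() begins before this hunk and its body continues past the last visible line.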