Changeset View
Changeset View
Standalone View
Standalone View
src/aphront/AphrontRequest.php
| Show First 20 Lines • Show All 250 Lines • ▼ Show 20 Lines | public function validateCSRF() { | ||||
| // No token in the request, check the HTTP header which is added for Ajax | // No token in the request, check the HTTP header which is added for Ajax | ||||
| // requests. | // requests. | ||||
| if (empty($token)) { | if (empty($token)) { | ||||
| $token = self::getHTTPHeader(self::getCSRFHeaderName()); | $token = self::getHTTPHeader(self::getCSRFHeaderName()); | ||||
| } | } | ||||
| $valid = $this->getUser()->validateCSRFToken($token); | $valid = $this->getUser()->validateCSRFToken($token); | ||||
| // The CSRF check may not be valid if "security.require-https" is set but | |||||
| // the connection is plain HTTP. In this case, we don't send cookies to the | |||||
| // client, so they won't have an anonymous session cookie and won't be able | |||||
| // to pass the CSRF check. | |||||
| // Note that this normally only happens for requests from inside | |||||
| // "cluster.addresses" (usually test installs on localhost). Other | |||||
| // connections will be redirected to HTTPS automatically. See T12547. | |||||
| if (!$valid) { | if (!$valid) { | ||||
| $cookie_domain = $this->getCookieDomainURI(); | |||||
| if (!$cookie_domain) { | |||||
| $message = pht( | |||||
| 'You are trying to issue a write request which requires a CSRF '. | |||||
| 'check, but this connection is HTTP and "security.require-https" '. | |||||
| 'is enabled, so CSRF cookies can not be set and writes can not be '. | |||||
| 'verfied. To continue, use HTTPS or disable the HTTPS requirement.'); | |||||
| throw new AphrontMalformedRequestException( | |||||
| pht('No Cookie Support (CSRF)'), | |||||
| $message); | |||||
| } | |||||
| } | |||||
| if (!$valid) { | |||||
| // Add some diagnostic details so we can figure out if some CSRF issues | // Add some diagnostic details so we can figure out if some CSRF issues | ||||
| // are JS problems or people accessing Ajax URIs directly with their | // are JS problems or people accessing Ajax URIs directly with their | ||||
| // browsers. | // browsers. | ||||
| $info = array(); | $info = array(); | ||||
| $info[] = pht( | $info[] = pht( | ||||
| 'You are trying to save some data to Phabricator, but the request '. | 'You are trying to save some data to Phabricator, but the request '. | ||||
| 'your browser made included an incorrect token. Reload the page '. | 'your browser made included an incorrect token. Reload the page '. | ||||
| ▲ Show 20 Lines • Show All 585 Lines • Show Last 20 Lines | |||||