lines changed Original file line number Diff line number Diff line change @@ -52,3 +52,5 @@ query_path=query
52
52
csrf_header =X-CSRF
53
53
; csrf_ignore_path=/test-csrf-ignore,/test/*/wildcard/,/another-test-ignore
54
54
csrf_ignore_path =
55
+ csrf_max_tokens =100
56
+ csrf_token_length =10
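Review bot: `csrf_token_length =10` and `csrf_max_tokens =100` are added without a comment stating what unit the length is in (bytes of randomness versus characters of the emitted token) or what happens once the cap is reached, whereas the neighbouring `csrf_ignore_path` key carries an example comment. The effective entropy of a CSRF token depends on that unit, so a reader of this file cannot judge whether 10 is an adequate default. A comment above each key, such as `; csrf_token_length: length of generated CSRF tokens (unit: see SessionTokenStore::setTokenLength)` and `; csrf_max_tokens: maximum CSRF tokens kept per session (eviction behaviour: see SessionTokenStore)`, would make the defaults reviewable.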
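--- a/<PHP file path not shown on page>
+++ b/<PHP file path not shown on page>
@@ -197,13 +197,14 @@ public function handle(
 $ serviceContainer ->set ($ session );
 
 $ session = $ serviceContainer ->get (Session::class);
-$ csrfTokenStore = new SessionTokenStore (
-$ session ->getStore ("webengine.csrf " , true )
-);
 
 $ shouldVerifyCsrf = true ;
 $ ignoredPathArray = explode (", " , $ this ->config ->getString ("security.csrf_ignore_path " ) ?? "" );
 foreach ($ ignoredPathArray as $ ignoredPath ) {
+if (empty ($ ignoredPath )) {
+continue ;
+}
+
 if (str_contains ($ ignoredPath , "* " )) {
 $ pattern = strtr (rtrim ($ ignoredPath , "/ " ), [
 "* " => ".* " ,
@@ -220,6 +221,14 @@ public function handle(
 }
 
 if ($ shouldVerifyCsrf ) {
+$ csrfTokenStore = new SessionTokenStore (
+$ session ->getStore ("webengine.csrf " , true ),
+$ this ->config ->getInt ("security.csrf_max_tokens " )
+);
+$ csrfTokenStore ->setTokenLength (
+$ this ->config ->getInt ("security.csrf_token_length " )
+);
+
 if ($ request ->getMethod () === "POST " ) {
 $ csrfTokenStore ->verify ($ _POST );
 }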
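Review bot: The two `getInt()` calls in the second hunk have no fallback for a deployment whose config predates this commit and lacks the new keys, unlike the `getString(...) ?? ""` on the ignore-path line in the first hunk; if `getInt()` returns null for a missing key (the `??` on `getString` suggests these accessors can), the `SessionTokenStore` constructor and `setTokenLength()` receive null, which is either a type error or an unset/zero token length, and a zero-length CSRF token would make verification trivially satisfiable. Defaulting at the call site to the values this commit ships, `$this->config->getInt("security.csrf_max_tokens") ?? 100` and `$this->config->getInt("security.csrf_token_length") ?? 10`, keeps verification sound on older configs. Separately, the store is now only constructed inside `if ($shouldVerifyCsrf)`; handle() continues past the hunk, so if `$csrfTokenStore` is referenced later (for example to issue a token on non-POST responses) it is now undefined on ignored paths, which is worth confirming.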