
zf2 csrf not working

We can easily break CSRF of ZF2. If we remove the string after the hyphen (-), the CsrfValidator does not give any error and the token is successfully submitted.

For example, with CSRF token = 245454547kck-kjhjh2454dh, after editing the token to token = 245454547kck- ZF2 successfully submits the form, but it must give an error.

Can anyone check this and let me know if there is a solution for this issue?

For the above scenario we use:

use Zend\Form\Element\Csrf as CsrfElement;
use Zend\Validator\Csrf as CsrfValidator;

$csrfValidator = new CsrfValidator(array(
    'name' => 'token_name', // (here i used 'csrf' also)
    'salt' => 'test_salt',
));
$csrf = new CsrfElement('token_name');
$csrf->setCsrfValidator($csrfValidator);
$this->add($csrf);
$this->csrf = $csrf;

validator:

$inputFilter->add(
    $factory->createInput(array(
        'name'     => 'token_name',
        'required' => true,
        'validators' => array(
            $this->csrf->getCsrfValidator()
        )
    ))
);

Please provide a solution.

As far as I can tell from the code, this is expected behavior in order to maintain backwards compatibility.

The second part of the string is a token ID (not an actual anti-CSRF token) used to keep track of multiple anti-CSRF tokens in the same session. If no ID is set during validation (like in your example) the code merely checks for the hash in the session store. The source code indicates that this was put in to avoid a BC break (see source code).

If you really wanted to enforce the token ID, you could extend Zend\Validator\Csrf and override getValidationToken() (i.e. removing the BC code):

class MyCustomCsrf extends \Zend\Validator\Csrf
{
    /**
     * Get validation token
     *
     * Retrieve token from session, if it exists.
     *
     * @override
     * @param string $tokenId
     * @return null|string
     */
    protected function getValidationToken($tokenId = null)
    {
        $session = $this->getSession();
        if ($tokenId && isset($session->tokenList[$tokenId])) {
            return $this->formatHash($session->tokenList[$tokenId], $tokenId);
        }
        return;
    }
}
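To make the difference between the two code paths concrete, here is an added, self-contained PHP model of the check the answer describes. It is not Zend\Validator\Csrf and not the answer's own code: the class names (SessionStore, CsrfCheck, LenientCsrfCheck, StrictCsrfCheck) and the issue() helper are assumptions, and the session object is a plain stand-in. LenientCsrfCheck reproduces the fallback behaviour (no token ID after the hyphen, so compare against the single legacy session hash); StrictCsrfCheck follows the override above and treats a missing ID as a failed validation.

```php
<?php
// Constructed model of the ZF2 "hash-tokenId" anti-CSRF check (added example, not framework code).
declare(strict_types=1);

// Stand-in for the session container: a legacy single-hash slot plus the per-ID token list.
final class SessionStore
{
    public ?string $hash = null;   // legacy slot consulted by the BC fallback
    public array $tokenList = [];  // tokenId => hash
}

abstract class CsrfCheck
{
    protected SessionStore $session;

    public function __construct(SessionStore $session)
    {
        $this->session = $session;
    }

    // Issue a token in the "hash-tokenId" shape shown in the question (hypothetical helper).
    public function issue(string $tokenId): string
    {
        $hash = bin2hex(random_bytes(16));
        $this->session->tokenList[$tokenId] = $hash;
        $this->session->hash = $hash;  // legacy slot is filled alongside the list
        return $this->formatHash($hash, $tokenId);
    }

    protected function formatHash(string $hash, string $tokenId): string
    {
        return $hash . '-' . $tokenId;
    }

    // "hash-tokenId" -> tokenId; null when nothing (or an empty string) follows the hyphen.
    protected function tokenIdFromHash(string $value): ?string
    {
        $parts = explode('-', $value, 2);
        return (isset($parts[1]) && $parts[1] !== '') ? $parts[1] : null;
    }

    // "hash-tokenId" -> hash; null when there is no value or the hash part is empty.
    protected function tokenFromHash(?string $value): ?string
    {
        if ($value === null) {
            return null;
        }
        $parts = explode('-', $value, 2);
        return $parts[0] !== '' ? $parts[0] : null;
    }

    abstract protected function validationToken(?string $tokenId): ?string;

    public function isValid(string $value): bool
    {
        $expected  = $this->validationToken($this->tokenIdFromHash($value));
        $submitted = $this->tokenFromHash($value);
        $stored    = $this->tokenFromHash($expected);
        return $submitted !== null && $stored !== null && hash_equals($stored, $submitted);
    }
}

// Models the BC path the answer describes: no ID means "compare against the legacy hash".
final class LenientCsrfCheck extends CsrfCheck
{
    protected function validationToken(?string $tokenId): ?string
    {
        if ($tokenId === null && $this->session->hash !== null) {
            return $this->session->hash;  // BC fallback: the bare hash still matches
        }
        if ($tokenId !== null && isset($this->session->tokenList[$tokenId])) {
            return $this->formatHash($this->session->tokenList[$tokenId], $tokenId);
        }
        return null;
    }
}

// Models the override from the answer: without a known token ID there is nothing to compare.
final class StrictCsrfCheck extends CsrfCheck
{
    protected function validationToken(?string $tokenId): ?string
    {
        if ($tokenId !== null && isset($this->session->tokenList[$tokenId])) {
            return $this->formatHash($this->session->tokenList[$tokenId], $tokenId);
        }
        return null;
    }
}

// Usage: issue one token per checker, then validate it intact and with the part after the hyphen removed.
$session = new SessionStore();
$checks  = ['lenient' => new LenientCsrfCheck($session), 'strict' => new StrictCsrfCheck($session)];
foreach ($checks as $label => $check) {
    $token     = $check->issue('form1');
    $truncated = substr($token, 0, strpos($token, '-') + 1);  // same edit as in the question
    printf("%-7s intact=%s truncated=%s\n", $label,
        $check->isValid($token) ? 'accepted' : 'rejected',
        $check->isValid($truncated) ? 'accepted' : 'rejected');
}
```

Running it shows the lenient checker accepting both the intact and the truncated token, while the strict checker accepts only the intact one, which is exactly the distinction the override above makes. Note that the lenient path still rejects a token whose hash part is wrong; what it loses is the binding between a submitted value and a specific issued token ID, so a form that relies on several concurrent tokens in one session cannot tell them apart once the ID is dropped.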
