Fix CSRF security issue.
davidcallizaya
2017-10-13 07:57:22 -04:00
parent 592ab76c01
commit 086cc31982
12 changed files with 112 additions and 68 deletions


@@ -261,9 +261,11 @@ class SkinEngine
$template = new TemplatePower($templateFile);
$template->prepare();
$header = '<meta name="csrf-token" content="'. csrfToken().'" />' . "\n" . $header;
$template->assign('header', $header);
$template->assign('styles', $styles);
$template->assign('bodyTemplate', $body);
$template->assign('csrf_token', csrfToken());
$doctype = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">";
$meta = null;
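Review bot: The added `$header` line concatenates `csrfToken()` straight into the `content` attribute of the meta tag with no HTML encoding, and the helper is called a second time for the `csrf_token` template variable a few lines below. `csrfToken()` is defined outside this view, so whether its output is limited to attribute-safe characters, or is stable across calls within one request, cannot be confirmed here; I would read it once and encode at the point of output, e.g. `$csrf = csrfToken();` and `$header = '<meta name="csrf-token" content="' . htmlspecialchars($csrf, ENT_QUOTES, 'UTF-8') . '" />' . "\n" . $header;`, then `$template->assign('csrf_token', $csrf);`. The same question applies to the Smarty function registered in the next hunk (`register_function('csrf_token', 'csrfToken')`), whose return value templates would presumably print as-is. The enclosing method starts and ends outside the hunk.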
@@ -569,6 +571,7 @@ class SkinEngine
$smarty->cache_dir = PATH_SMARTY_CACHE;
$smarty->config_dir = PATH_THIRDPARTY . 'smarty/configs';
$smarty->register_function('translate', 'translate');
$smarty->register_function('csrf_token', 'csrfToken');
$viewVars = $oHeadPublisher->getVars();