From 3f6a261b1e6a3804370eb1e2a046ea6c666dbedd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Wed, 14 Oct 2020 15:55:46 +0200
Subject: [PATCH] Add CsrfTokenCompilerTemplatePlugin
---
 .../install/files/lib/system/WCF.class.php | 2 +-
 .../CsrfTokenFunctionTemplatePlugin.class.php | 37 +++++++++++++++++++
 ...CsrfTokenPrefilterTemplatePlugin.class.php | 26 +++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 wcfsetup/install/files/lib/system/template/plugin/CsrfTokenFunctionTemplatePlugin.class.php
 create mode 100644 wcfsetup/install/files/lib/system/template/plugin/CsrfTokenPrefilterTemplatePlugin.class.php
diff --git a/wcfsetup/install/files/lib/system/WCF.class.php b/wcfsetup/install/files/lib/system/WCF.class.php
index 5e57fc40ed..7a37670a6e 100644
--- a/wcfsetup/install/files/lib/system/WCF.class.php
+++ b/wcfsetup/install/files/lib/system/WCF.class.php
@@ -754,7 +754,7 @@ class WCF {
 $wcf = new TemplateScriptingCore($wcf);
 }
- self::getTPL()->registerPrefilter(['event', 'hascontent', 'lang', 'jslang']);
+ self::getTPL()->registerPrefilter(['event', 'hascontent', 'lang', 'jslang', 'csrfToken']);
 self::getTPL()->assign([
 '__wcf' => $wcf,
 '__wcfVersion' => LAST_UPDATE_TIME // @deprecated 2.1, use LAST_UPDATE_TIME directly
diff --git a/wcfsetup/install/files/lib/system/template/plugin/CsrfTokenFunctionTemplatePlugin.class.php b/wcfsetup/install/files/lib/system/template/plugin/CsrfTokenFunctionTemplatePlugin.class.php
new file mode 100644
index 0000000000..6dd1aa02de
--- /dev/null
+++ b/wcfsetup/install/files/lib/system/template/plugin/CsrfTokenFunctionTemplatePlugin.class.php
@@ -0,0 +1,37 @@
+
+ * @package WoltLabSuite\Core\System\Template\Plugin
+ */
+class CsrfTokenFunctionTemplatePlugin implements IFunctionTemplatePlugin {
+ /**
+ * @inheritDoc
+ */
+ public function execute($tagArgs, TemplateEngine $tplObj) {
+ if (isset($tagArgs['type']) && $tagArgs['type'] === 'raw') {
+ return \wcf\system\WCF::getSession()->getSecurityToken();
+ }
+ else if (isset($tagArgs['type']) && $tagArgs['type'] === 'url') {
+ return \rawurlencode(\wcf\system\WCF::getSession()->getSecurityToken());
+ }
+ else if (!isset($tagArgs['type']) || $tagArgs['type'] === 'form') {
+ return sprintf('', \wcf\system\WCF::getSession()->getSecurityToken());
+ }
+ else {
+ throw new SystemException("Invalid type '".$tagArgs['type']."' given.");
+ }
+ }
+}
diff --git a/wcfsetup/install/files/lib/system/template/plugin/CsrfTokenPrefilterTemplatePlugin.class.php b/wcfsetup/install/files/lib/system/template/plugin/CsrfTokenPrefilterTemplatePlugin.class.php
new file mode 100644
index 0000000000..3a9ca84209
--- /dev/null
+++ b/wcfsetup/install/files/lib/system/template/plugin/CsrfTokenPrefilterTemplatePlugin.class.php
@@ -0,0 +1,26 @@
+
+ * @package WoltLabSuite\Core\System\Template\Plugin
+ */
+class CsrfTokenPrefilterTemplatePlugin implements IPrefilterTemplatePlugin {
+ /**
+ * @inheritDoc
+ */
+ public function execute($templateName, $sourceContent, TemplateScriptingCompiler $compiler) {
+ $getToken = '$__wcf->session->getSecurityToken()';
+
+ return strtr($sourceContent, [
+ '{csrfToken type=raw}' => sprintf('{@%s}', $getToken),
+ '{csrfToken type=url}' => sprintf('{@%s|rawurlencode}', $getToken),
+ '{csrfToken}' => sprintf('', $getToken),
+ ]);
+ }
+}
--
2.20.1
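Review bot: The `form` branch of execute() drops the security token into markup through sprintf() with no escaping, while the sibling `url` branch does escape with rawurlencode(); the format string shows as empty in this rendering (its markup was likely stripped), so the attribute context cannot be checked here, but unless getSecurityToken() is guaranteed to return only attribute-safe characters the value should go through an HTML escaper such as htmlspecialchars() before being interpolated. The `type` argument is also re-read in every condition of the if/else-if chain and again in the exception message; reading it once, `$type = $tagArgs['type'] ?? 'form';`, and switching on `$type` makes the three accepted values and the default visible at a glance. The class carries only `@inheritDoc`; a class-level sentence such as `Outputs the session's CSRF token for the {csrfToken} tag; the optional type argument selects raw, url (rawurlencode) or form (the default, which wraps the token in markup) output.` would tell template authors what the tag produces. The opening lines of this hunk (php tag, namespace and use statements) are not visible on this page.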
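Review bot: The strtr() table only rewrites the three exact literal spellings, so a tag written as `{csrfToken type="raw"}` (quoted value) or with extra whitespace is left untouched and presumably reaches CsrfTokenFunctionTemplatePlugin at runtime instead; that fallback is what keeps the behaviour correct, but nothing in the file says so. A comment above the return, `// Compile-time fast path: only these literal spellings are rewritten; any other form is left to CsrfTokenFunctionTemplatePlugin at runtime.`, would keep a later maintainer from "completing" the table with a regex. The `{csrfToken}` entry's format string is empty in this rendering (markup likely stripped), so its output cannot be compared with the function plugin's form branch here; the two must stay byte-identical, since the same template may be served by either path. The opening lines of this hunk are not visible on this page.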