Add header support for security token check

2018-04-11 23:28:51 -04:00 · 2018-04-11 23:28:51 -04:00 · 54b75026fc
parent cc40dcf83c
commit 54b75026fc
1 changed files with 13 additions and 4 deletions
--- a/include/security.php
+++ b/include/security.php
@ -405,12 +405,21 @@ function get_form_security_token($typename = '')

 function check_form_security_token($typename = '', $formname = 'form_security_token')
 {
-	if (!x($_REQUEST, $formname)) {
-		return false;
+	$hash = null;
+
+	if (!empty($_REQUEST[$formname])) {
+		/// @TODO Careful, not secured!
+		$hash = $_REQUEST[$formname];
 	}

-	/// @TODO Careful, not secured!
-	$hash = $_REQUEST[$formname];
+	if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) {
+		/// @TODO Careful, not secured!
+		$hash = $_SERVER['HTTP_X_CSRF_TOKEN'];
+	}
+
+	if (empty($hash)) {
+		return false;
+	}

 	$max_livetime = 10800; // 3 hours