symfony
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎CsrfTokenGenerator.php‎
Lines changed: 105 additions & 0 deletions b/‎CsrfTokenGenerator.php‎
Lines changed: 105 additions & 0 deletions
diff --git a/‎CsrfTokenGeneratorInterface.php‎
Lines changed: 50 additions & 0 deletions b/‎CsrfTokenGeneratorInterface.php‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎LICENSE‎
Lines changed: 19 additions & 0 deletions b/‎LICENSE‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 21 additions & 0 deletions b/‎README.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎Tests/CsrfTokenGeneratorTest.php‎
Lines changed: 148 additions & 0 deletions b/‎Tests/CsrfTokenGeneratorTest.php‎
Lines changed: 148 additions & 0 deletions
@@ -0,0 +1,3 @@
+vendor/
+composer.lock
+phpunit.xml
@@ -0,0 +1,105 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Csrf;
+
+use Symfony\Component\Security\Core\Util\SecureRandomInterface;
+use Symfony\Component\Security\Core\Util\SecureRandom;
+use Symfony\Component\Security\Core\Util\StringUtils;
+use Symfony\Component\Security\Csrf\TokenStorage\NativeSessionTokenStorage;
+use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;
+
+/**
+ * Generates and validates CSRF tokens.
+ *
+ * @since  2.4
+ * @author Bernhard Schussek <[email protected]>
+ */
+class CsrfTokenGenerator implements CsrfTokenGeneratorInterface
+{
+    /**
+     * The entropy of the token in bits.
+     * @var integer
+     */
+    const TOKEN_ENTROPY = 256;
+
+    /**
+     * @var TokenStorageInterface
+     */
+    private $storage;
+
+    /**
+     * The generator for random values.
+     * @var SecureRandomInterface
+     */
+    private $random;
+
+    /**
+     * Creates a new CSRF provider using PHP's native session storage.
+     *
+     * @param TokenStorageInterface $storage The storage for storing generated
+     *                                       CSRF tokens
+     * @param SecureRandomInterface $random  The used random value generator
+     * @param integer               $entropy The amount of entropy collected for
+     *                                       newly generated tokens (in bits)
+     *
+     */
+    public function __construct(TokenStorageInterface $storage = null, SecureRandomInterface $random = null, $entropy = self::TOKEN_ENTROPY)
+    {
+        if (null === $storage) {
+            $storage = new NativeSessionTokenStorage();
+        }
+
+        if (null === $random) {
+            $random = new SecureRandom();
+        }
+
+        $this->storage = $storage;
+        $this->random = $random;
+        $this->entropy = $entropy;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function generateCsrfToken($tokenId)
+    {
+        $currentToken = $this->storage->getToken($tokenId, false);
+
+        // Token exists and is still valid
+        if (false !== $currentToken) {
+            return $currentToken;
+        }
+
+        // Token needs to be (re)generated
+        // Generate an URI safe base64 encoded string that does not contain "+",
+        // "/" or "=" which need to be URL encoded and make URLs unnecessarily
+        // longer.
+        $bytes = $this->random->nextBytes($this->entropy / 8);
+        $token = rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
+
+        $this->storage->setToken($tokenId, $token);
+
+        return $token;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function isCsrfTokenValid($tokenId, $token)
+    {
+        if (!$this->storage->hasToken($tokenId)) {
+            return false;
+        }
+
+        return StringUtils::equals((string) $this->storage->getToken($tokenId), $token);
+    }
+}
@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Csrf;
+
+/**
+ * Generates and validates CSRF tokens.
+ *
+ * You can generate a CSRF token by using the method {@link generateCsrfToken()}.
+ * This method expects a unique token ID as argument. The token ID can later be
+ * used to validate a token provided by the user.
+ *
+ * Token IDs do not necessarily have to be secret, but they should NEVER be
+ * created from data provided by the client. A good practice is to hard-code the
+ * token IDs for the various CSRF tokens used by your application.
+ *
+ * You should use the method {@link isCsrfTokenValid()} to check a CSRF token
+ * submitted by the client. This method will return true if the CSRF token is
+ * valid.
+ *
+ * @since  2.4
+ * @author Bernhard Schussek <[email protected]>
+ */
+interface CsrfTokenGeneratorInterface
+{
+    /**
+     * Generates a CSRF token with the given token ID.
+     *
+     * @param string $tokenId An ID that identifies the token
+     */
+    public function generateCsrfToken($tokenId);
+
+    /**
+     * Validates a CSRF token.
+     *
+     * @param string $tokenId The token ID used when generating the token
+     * @param string $token   The token supplied by the client
+     *
+     * @return Boolean Whether the token supplied by the client is correct
+     */
+    public function isCsrfTokenValid($tokenId, $token);
+}
@@ -0,0 +1,19 @@
+Copyright (c) 2004-2013 Fabien Potencier
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
@@ -0,0 +1,21 @@
+Security Component - CSRF
+=========================
+
+The Security CSRF (cross-site request forgery) component provides a class
+`CsrfTokenGenerator` for generating and validating CSRF tokens.
+
+Resources
+---------
+
+Documentation:
+
+http://symfony.com/doc/2.4/book/security.html
+
+Tests
+-----
+
+You can run the unit tests with the following command:
+
+    $ cd path/to/Symfony/Component/Security/Csrf/
+    $ composer.phar install --dev
+    $ phpunit
@@ -0,0 +1,148 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Tests\Extension\Csrf\CsrfProvider;
+
+use Symfony\Component\Security\Csrf\CsrfTokenGenerator;
+
+/**
+ * @author Bernhard Schussek <[email protected]>
+ */
+class CsrfTokenGeneratorTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * A non alpha-numeric byte string
+     * @var string
+     */
+    private static $bytes;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    private $random;
+
+    /**
+     * @var \PHPUnit_Framework_MockObject_MockObject
+     */
+    private $storage;
+
+    /**
+     * @var CsrfTokenGenerator
+     */
+    private $generator;
+
+    public static function setUpBeforeClass()
+    {
+        self::$bytes = base64_decode('aMf+Tct/RLn2WQ==');
+    }
+
+    protected function setUp()
+    {
+        $this->random = $this->getMock('Symfony\Component\Security\Core\Util\SecureRandomInterface');
+        $this->storage = $this->getMock('Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface');
+        $this->generator = new CsrfTokenGenerator($this->storage, $this->random);
+    }
+
+    protected function tearDown()
+    {
+        $this->random = null;
+        $this->storage = null;
+        $this->generator = null;
+    }
+
+    public function testGenerateNewToken()
+    {
+        $this->storage->expects($this->once())
+            ->method('getToken')
+            ->with('token_id', false)
+            ->will($this->returnValue(false));
+
+        $this->storage->expects($this->once())
+            ->method('setToken')
+            ->with('token_id', $this->anything())
+            ->will($this->returnCallback(function ($tokenId, $token) use (&$storedToken) {
+                $storedToken = $token;
+            }));
+
+        $this->random->expects($this->once())
+            ->method('nextBytes')
+            ->will($this->returnValue(self::$bytes));
+
+        $token = $this->generator->generateCsrfToken('token_id');
+
+        $this->assertSame($token, $storedToken);
+        $this->assertTrue(ctype_print($token), 'is printable');
+        $this->assertStringNotMatchesFormat('%S+%S', $token, 'is URI safe');
+        $this->assertStringNotMatchesFormat('%S/%S', $token, 'is URI safe');
+        $this->assertStringNotMatchesFormat('%S=%S', $token, 'is URI safe');
+    }
+
+    public function testUseExistingTokenIfAvailable()
+    {
+        $this->storage->expects($this->once())
+            ->method('getToken')
+            ->with('token_id', false)
+            ->will($this->returnValue('TOKEN'));
+
+        $this->storage->expects($this->never())
+            ->method('setToken');
+
+        $this->random->expects($this->never())
+            ->method('nextBytes');
+
+        $token = $this->generator->generateCsrfToken('token_id');
+
+        $this->assertEquals('TOKEN', $token);
+    }
+
+    public function testMatchingTokenIsValid()
+    {
+        $this->storage->expects($this->once())
+            ->method('hasToken')
+            ->with('token_id')
+            ->will($this->returnValue(true));
+
+        $this->storage->expects($this->once())
+            ->method('getToken')
+            ->with('token_id')
+            ->will($this->returnValue('TOKEN'));
+
+        $this->assertTrue($this->generator->isCsrfTokenValid('token_id', 'TOKEN'));
+    }
+
+    public function testNonMatchingTokenIsNotValid()
+    {
+        $this->storage->expects($this->once())
+            ->method('hasToken')
+            ->with('token_id')
+            ->will($this->returnValue(true));
+
+        $this->storage->expects($this->once())
+            ->method('getToken')
+            ->with('token_id')
+            ->will($this->returnValue('TOKEN'));
+
+        $this->assertFalse($this->generator->isCsrfTokenValid('token_id', 'FOOBAR'));
+    }
+
+    public function testNonExistingTokenIsNotValid()
+    {
+        $this->storage->expects($this->once())
+            ->method('hasToken')
+            ->with('token_id')
+            ->will($this->returnValue(false));
+
+        $this->storage->expects($this->never())
+            ->method('getToken');
+
+        $this->assertFalse($this->generator->isCsrfTokenValid('token_id', 'FOOBAR'));
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+vendor/`
	`2`	`+composer.lock`
	`3`	`+phpunit.xml`