File Upload Validation Broke
#11

(This post was last modified: 04-24-2020, 03:44 PM by Gary.)

Thanks Leo, I'll have a careful look through all of it... I'm sure there'll be bits that are helpful that I want/need.

Talking about csrf... going that extra mile on that bloody csrf stuff you got me started on wasted a day or two... though, the good thing is now it's all done using the (standard) before and a simple (custom) after filter that injects it into JavaScript responses... so the whole thing is now completely transparent and I don't have to think about it.
#12

(This post was last modified: 04-24-2020, 03:58 PM by Leo.)

(04-24-2020, 03:40 PM)Gary Wrote: Thanks Leo, I'll have a careful look through all of it... I'm sure there'll be bits I want.

Talking about csrf... going that extra mile on that bloody csrf stuff you got me started on wasted a day or two... though, the good thing is now it's all done using the (standard) before and a simple (custom) after filter that injects it into JavaScript responses... so the whole thing is now completely transparent and I don't have to think about it.
Err.. care to share the "simple" after filter? Is it loaded with every response (which could be potentially unsafe somehow) or can it be called only on needed methods?

Is it something along the lines of checking if a request has been made with ajax, and then if it is it calls an update_all_fileds type js func I wrote earlier?
You can see things I made with codeigniter here: itart.pro it's not overly impressive as I have very little time to learn.
#13

(This post was last modified: 04-24-2020, 04:18 PM by Gary.)

Of course, one needs to get the Javascript to intercept it client-side too.

This is the after filter:
Code:
    // Filter method; the filter class needs CodeIgniter\HTTP\RequestInterface
    // and CodeIgniter\HTTP\ResponseInterface imported at the top of the file.
    // For every non-HTML response (JSON, JavaScript, ...) the current CSRF hash
    // is prepended to the body so the client-side script can pick it up.
    public function after(RequestInterface $request, ResponseInterface $response)
    {
        $response->populateHeaders();
        $format = $response->getHeaderLine('content-type');
        if (strpos($format, 'html') === false) {
            $body = $response->getBody();
            $body = sendCSRF() . $body;
            $response->setBody($body);
        }
        return;
    }

And sendCSRF() is a simple custom helper function that produces the token followed by a termination marker; the Javascript slices the (in my case) leading token off at that marker:
Code:
    // Helper: the CSRF hash, a fixed end marker, then an optional extra string.
    function sendCSRF(string $string = '')
    {
        return csrf_hash() . 'XX-YOUR-CUSTOM-TOKEN-END-DEMARCATION-CHARS-XX' . $string;
    }

Currently it gets sent with all JavaScript responses, but it would be easy enough to customise, for example by which headers were on the outgoing response.

I use sendCSRF() elsewhere (which is why it has a string parameter passed in, it can obviously be omitted).
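The client-side half that the post above mentions (the script that intercepts the response and slices the leading token off), as an added example that is not code from the thread. It assumes the after filter above is in place, the marker string from sendCSRF(), CI4's default hidden field name csrf_test_name, and 32-hex-character hashes.

```javascript
// Added example, not from the thread: browser-side counterpart to the after filter.
// Assumptions: the server prepends csrf_hash() + MARKER to every non-HTML body,
// forms use CI4's default hidden field name csrf_test_name, and hashes are 32 hex chars.
const MARKER = 'XX-YOUR-CUSTOM-TOKEN-END-DEMARCATION-CHARS-XX'; // must match sendCSRF()
const CSRF_FIELD = 'csrf_test_name';
let currentToken = null; // most recent hash received from the server

// Split a raw body into the leading CSRF hash and the real payload.
// Edge cases: no marker (HTML error page, a route without the filter) or a
// prefix that is not a hash -> token null and the body passed through untouched,
// so the caller never works on a half-stripped response.
function splitCsrfResponse(body, marker = MARKER) {
  const idx = body.indexOf(marker);
  if (idx === -1) return { token: null, payload: body };
  const token = body.slice(0, idx);
  if (!/^[0-9a-f]{32}$/i.test(token)) return { token: null, payload: body };
  return { token, payload: body.slice(idx + marker.length) };
}

// Strip the token, remember it, and parse the JSON payload (null if not JSON).
function parseJsonPayload(body) {
  const { token, payload } = splitCsrfResponse(body);
  if (token) currentToken = token;
  try { return JSON.parse(payload); } catch (e) { return null; }
}

// Write the new hash into every CSRF field; takes any iterable of objects
// with a .value so it can run without a DOM. Returns the number updated.
function updateCsrfFields(fields, token) {
  let n = 0;
  for (const f of fields) { f.value = token; n++; }
  return n;
}

// Upload via fetch. X-Requested-With makes CI4's isAJAX() true; the token goes
// in as an ordinary POST field so the standard CSRF before-filter checks it.
async function uploadWithCsrf(url, formData) {
  const hasDom = typeof document !== 'undefined';
  const selector = `input[name="${CSRF_FIELD}"]`;
  if (!currentToken && hasDom) currentToken = document.querySelector(selector)?.value ?? null;
  if (currentToken) formData.set(CSRF_FIELD, currentToken);
  const res = await fetch(url, {
    method: 'POST', body: formData, credentials: 'same-origin',
    headers: { 'X-Requested-With': 'XMLHttpRequest' },
  });
  const data = parseJsonPayload(await res.text());
  if (hasDom && currentToken) updateCsrfFields(document.querySelectorAll(selector), currentToken);
  return data;
}
```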
#14

(This post was last modified: 04-25-2020, 01:20 AM by Leo.)

Confusing right now, but very interesting. I, err, never bothered with headers much.
#15

(This post was last modified: 04-25-2020, 09:19 AM by Leo.)

I confirm uploading with AJAX using CI's getFile() does not work. Either it is bugged or it's not meant to be used with AJAX (or I have an error in my code) - and we should use something else. Here is a quick test.
Simple tests:
PHP Code:
// Using CI4's getFile() (reported in this post as returning nothing with AJAX)
public function upload_with_ajax_not_working()
{
    if ($this->request->isAJAX()) {
        $response = [];
        $test = $this->request->getFile('file');
        $response['status'] = json_encode($test);

        return $this->response->setJSON($response);
    }
    return '{"error":"Invalid Request"}';
}

// Reading the raw $_FILES superglobal instead (reported as working)
public function upload_with_ajax_working()
{
    if ($this->request->isAJAX()) {
        $response = [];
        $test = $_FILES['file'];
        $response['status'] = json_encode($test);

        return $this->response->setJSON($response);
    }
    return '{"error":"Invalid Request"}';
}
#16

Thanks for confirming the problem Leo.

Hopefully one of the experts will have something to add... at some point (?)