CSRF (Cross-Site Request Forgery) is an attack in which the attacker causes actions to be performed on behalf of an authenticated user, undermining the security of the web application. Fortunately, Laravel ships with tools to defend against this kind of vulnerability.
A CSRF attack abuses the user's authenticated session. The attacker tricks the victim's browser into submitting a request, through a hidden form tag or a malicious URL (an image or a link), without the user's knowledge.
Such an attack can change the state of the user's account, disclose data, and in some cases let the attacker alter end-user data inside the application.
The image above shows a scenario in which the security of a web application is breached. The victim submits a request by clicking a link received from the attacker; the request reaches the web server, which performs the action the attacker wanted, and the attacker thereby gains information useful for accessing and manipulating the web server.
To protect your web application, Laravel generates a secure token for each active user session and uses it to verify that the authenticated user is really the one making the request to the application.
The token lives server-side in the session and is regenerated whenever the session is. A third-party site cannot read it, so a forged request cannot carry a valid value and the attacker cannot obtain it.
Whenever a request changes user data on the server side (backend), that is a POST, PUT, PATCH or DELETE request, you must include the @csrf directive inside the HTML form in the Blade template. The @csrf directive is therefore used to emit a hidden field carrying the token, which is then validated by the middleware.
A Blade directive is the syntax used inside Laravel's template engine, called Blade. To create a Blade file you give it a name (in our case, form) followed by the extension .blade.php. That means the file is named form.blade.php.
A Blade file is used to render the views shown to users in the web page. There are several predefined directives, or Blade shorthand syntax, you can use. For example, @if checks whether a condition is met, @empty checks whether a set of records is empty, @auth checks whether the user is authenticated, and so on.
But let's get back to the @csrf directive. Here is how you use it:
<form method="POST" action="{{route('pay')}}">
@csrf
</form>
Earlier versions of Laravel used a different setup; both forms work and do the same thing:
<form method="POST" action="{{route('pay')}}">
<input type="hidden" name="_token" value="{{ csrf_token() }}" />
</form>
If the CSRF token is missing from the submitted form request, or is invalid, Laravel aborts the request with a "Page Expired" message and HTTP status code 419.
The VerifyCsrfToken middleware handles CSRF verification inside a Laravel application. The middleware is registered in Kernel.php and lives in the app/Http/Middleware directory. It is part of the web middleware group, which means it applies to web requests and not to API routes.
protected $middlewareGroups = [
    'web' => [
        // ...
        \App\Http\Middleware\VerifyCsrfToken::class,
    ],
];
The VerifyCsrfToken middleware extends the class Illuminate\Foundation\Http\Middleware\VerifyCsrfToken, which means the CSRF verification itself is defined in that base class.
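The application's own class is the place to customize the check. The one customization a practitioner regularly needs is the $except property, which lists URIs the middleware skips. The following is an added example, not code from the article: the route name webhooks/payments is hypothetical, and it stands for an endpoint called by a third-party server that can never hold a browser session token.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * URIs that should be excluded from CSRF verification.
     *
     * Only server-to-server callbacks belong here. A browser never sends a
     * session token for these, so the check would always fail. Note that an
     * excluded route has no CSRF protection at all: it must authenticate the
     * caller another way, e.g. by verifying a signature header on the payload.
     *
     * 'webhooks/payments' is a hypothetical path used for this example.
     */
    protected $except = [
        'webhooks/payments',
    ];
}
```

Keep this list as short as possible and never put a route that a logged-in browser can reach in it; every entry is a deliberate hole in the protection described on this page.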
Let's dig deeper to see how Laravel performs the CSRF verification.
Inside the class we find the tokensMatch method.
protected function tokensMatch($request)
{
$token = $this->getTokenFromRequest($request);
return is_string($request->session()->token()) &&
is_string($token) &&
hash_equals($request->session()->token(), $token);
}
This code decides whether the session token and the submitted CSRF token match. The method does two things:
1. $this->getTokenFromRequest reads the token from the incoming request, whether it arrived in the hidden form field or in a request header, and returns it to the $token variable.
protected function getTokenFromRequest($request)
{
$token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');
if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
try {
$token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
} catch (DecryptException $e) {
$token = '';
}
}
return $token;
}
In this code the token is read from the _token field first and then, if absent, from the X-CSRF-TOKEN header. If neither is present but an X-XSRF-TOKEN header is, its value is decrypted: Laravel stores the token in an encrypted XSRF-TOKEN cookie, and JavaScript HTTP libraries such as Axios send that cookie value back in this header. A decryption failure yields an empty token, which then fails the comparison.
2. Check that both the request token and the session token are strings, then use PHP's built-in hash_equals to compare them. hash_equals runs in constant time, so the response time does not reveal how many leading bytes matched. The result of this method is always a bool: true or false.
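To see the matching logic in isolation, here is an added stand-alone PHP script (not Laravel's code) that mirrors the two methods above, with plain arrays standing in for the request input, request headers and session. The sample tokens are constructed; the X-XSRF-TOKEN decryption branch is left out because it needs the application's encryption key, and it is an assumption of the example that the session token is a 40-character random string, as Laravel's session store produces.

```php
<?php
declare(strict_types=1);

// Stand-alone imitation of the middleware's token lookup and comparison.
// $input and $headers stand in for $request->input() / $request->header();
// $sessionToken stands in for $request->session()->token().

function getTokenFromRequest(array $input, array $headers): mixed
{
    // Same precedence as the middleware: form field first, then header.
    return ($input['_token'] ?? null) ?: ($headers['X-CSRF-TOKEN'] ?? null);
}

function tokensMatch(?string $sessionToken, mixed $token): bool
{
    // is_string() guards both sides: a missing session token (null) or an
    // array smuggled in as _token[]= must fail cleanly instead of throwing a
    // TypeError inside hash_equals(). hash_equals() compares in constant time.
    return is_string($sessionToken)
        && is_string($token)
        && hash_equals($sessionToken, $token);
}

// Constructed sample data, not captured from a real application.
$session = bin2hex(random_bytes(20)); // 40 chars, same length as Laravel's token

$cases = [
    'form field ok'  => [['_token' => $session], []],
    'header ok'      => [[], ['X-CSRF-TOKEN' => $session]],
    'missing token'  => [[], []],
    'wrong token'    => [['_token' => str_repeat('a', 40)], []],
    'array smuggled' => [['_token' => [$session]], []],
    'prefix only'    => [['_token' => substr($session, 0, 39)], []],
];

foreach ($cases as $name => [$input, $headers]) {
    $token = getTokenFromRequest($input, $headers);
    printf("%-15s => %s\n", $name, tokensMatch($session, $token) ? 'accepted' : 'rejected (419)');
}
```

Only the first two cases are accepted. The 'array smuggled' case is the reason for the is_string checks: PHP parses _token[]=... into an array, and without the guard hash_equals would raise a TypeError rather than return false.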
Ercole Palmeri