CSRF (Cross-Site Request Forgery) is an attack in which a malicious site causes actions to be performed on behalf of an authenticated user, and it is a serious threat to web application security. Fortunately, Laravel provides built-in tools to prevent this class of vulnerability.
CSRF attacks target the user's session. The attacker tricks the user's browser into submitting a request, typically through a hidden form, an image tag or a malicious link, without the user's knowledge. Because the browser automatically attaches the session cookie to that request, the server treats it as if the user had made it deliberately.
Such an attack can change the state of the user's account (for example an e-mail address, a password or a payment), cause data to be modified or exposed, and in some cases let the attacker take control of the end user's data in the application.
The diagram above shows a scenario in which this protection is missing. The victim clicks a link received from the attacker; the browser sends the resulting request, together with the victim's session cookie, to the website's server, which carries out the action the attacker wanted. The attacker can then use the outcome to gain access to, or abuse, the victim's account on that site.
To protect your web application, Laravel generates a secure random token for each user session and uses it to verify that a state-changing request was sent from a page served by your own application on behalf of the authenticated user, not from a third-party site.
The token is kept in the session and embedded only in pages your application renders. An attacker's page cannot read it across origins, and it is regenerated whenever the session is regenerated (for instance at login), so the attacker cannot supply a valid value.
Whenever a request changes data on the server side, that is, for the POST, PUT, PATCH and DELETE methods, you must include the @csrf directive in the Blade HTML form. @csrf is a Blade directive that renders a hidden input carrying the token that is verified when the request arrives.
A Blade directive is a statement used inside Laravel's template engine, Blade. To create a Blade file you give it a name, form in our case, followed by the .blade.php extension, so the file will be called form.blade.php.
Blade files are used to render the views shown to users on a web page. There are a number of predefined directives, a shorthand syntax, that you can use. For example, @if checks whether a condition holds, @empty checks whether a collection is empty, @auth checks whether the user is authenticated, and so on.
But back to the @csrf directive. Here is how you use it:

```php
<form method="POST" action="{{ route('pay') }}">
    @csrf
</form>
```
Earlier versions of Laravel used a different way of writing it, which still works in current versions and does exactly the same thing: the hidden field must be named _token and contain the value returned by csrf_token().

```php
<form method="POST" action="{{ route('pay') }}">
    <input type="hidden" name="_token" value="{{ csrf_token() }}" />
</form>
```
When the CSRF token is missing from a submitted form request, or does not match the token stored in the session, Laravel rejects the request with a "Page Expired" error and HTTP status code 419.
The VerifyCsrfToken middleware handles CSRF verification in a Laravel application. The middleware lives in app/Http/Middleware and is registered in app/Http/Kernel.php as part of the web middleware group. This means it runs for the routes defined in routes/web.php; routes in routes/api.php belong to the api group and are not covered, so API endpoints must rely on a different mechanism (such as token-based authentication that does not use the session cookie) rather than on CSRF tokens.
```php
protected $middlewareGroups = [
    'web' => [
        // ...
        \App\Http\Middleware\VerifyCsrfToken::class,
    ],
];
```
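Because the middleware applies to every route in the web group, the only per-route control is the $except property of the application's own App\Http\Middleware\VerifyCsrfToken class. The following is an added example, not code from the article or from the Laravel framework itself; the webhook path is hypothetical. It shows the one legitimate use of $except, an endpoint that never authenticates with the session cookie, and the caveat that comes with it.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

class VerifyCsrfToken extends Middleware
{
    /**
     * URIs that are excluded from CSRF verification.
     *
     * Exclude only endpoints that do NOT rely on the session cookie for
     * authentication. A provider-to-server webhook that is authenticated by
     * an HMAC signature in a request header is safe to list here, because a
     * forged browser request carries no valid signature. A browser-facing
     * form must never be excluded: listing it removes the 419 check entirely.
     *
     * The path below is a hypothetical example.
     */
    protected $except = [
        'webhooks/payments/*',
    ];
}
```

The pattern is matched against the request path, so a wildcard covers every sub-path; keep the list as narrow as possible and verify the webhook signature inside the controller or a dedicated middleware, since once a route is in $except nothing else in the framework proves who sent the request.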
App\Http\Middleware\VerifyCsrfToken extends the class Illuminate\Foundation\Http\Middleware\VerifyCsrfToken, which is where the CSRF verification itself is implemented.
Let's dig deeper to see how Laravel performs the verification. Inside that class there is a method called tokensMatch:
```php
protected function tokensMatch($request)
{
    $token = $this->getTokenFromRequest($request);

    return is_string($request->session()->token()) &&
           is_string($token) &&
           hash_equals($request->session()->token(), $token);
}
```
This code decides whether the token stored in the session and the token supplied with the request match. The method does two things:
1. $this->getTokenFromRequest reads the token from the incoming request. It may arrive as the hidden _token form field, as the X-CSRF-TOKEN header (the usual choice for AJAX calls), or as the X-XSRF-TOKEN header, which JavaScript front ends copy from the encrypted XSRF-TOKEN cookie and which therefore has to be decrypted first. The value found is returned into the $token variable.

```php
protected function getTokenFromRequest($request)
{
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
        try {
            $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
        } catch (DecryptException $e) {
            $token = '';
        }
    }

    return $token;
}
```
If the X-XSRF-TOKEN header cannot be decrypted, the token is treated as empty rather than raising an error, so the request simply fails verification.
2. Check that both the session token and the request token are strings, then compare them with PHP's built-in hash_equals. The is_string guards reject a missing token and also malformed input such as _token[]=x, which arrives as an array and would otherwise make hash_equals fail with a type error instead of returning false. hash_equals compares the two strings in constant time, so the comparison does not leak information about the stored token through timing differences. The result of the method is always a bool: true or false.
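To see those two steps and their edge cases outside the framework, here is a stand-alone PHP simulation of the same logic. It is an added example, not Laravel's own code: tokenFromRequest and verify are hypothetical helpers that take plain arrays in place of the Request object, and the encrypted X-XSRF-TOKEN path is left out because it needs the application's encrypter. The sample token and requests are constructed for the example.

```php
<?php

declare(strict_types=1);

// Added example mirroring Laravel's getTokenFromRequest()/tokensMatch() logic
// with plain arrays instead of a Request object (simplified: no X-XSRF-TOKEN).

/** Read the token the way the middleware does: hidden field first, then header. */
function tokenFromRequest(array $input, array $headers): mixed
{
    return ($input['_token'] ?? null) ?: ($headers['X-CSRF-TOKEN'] ?? null);
}

/** Same rule as tokensMatch(): both values must be strings and must match in constant time. */
function tokensMatch(mixed $sessionToken, mixed $requestToken): bool
{
    return is_string($sessionToken)
        && is_string($requestToken)
        && hash_equals($sessionToken, $requestToken);
}

/** Hypothetical helper combining the two steps for one request. */
function verify(string $sessionToken, array $input, array $headers = []): bool
{
    return tokensMatch($sessionToken, tokenFromRequest($input, $headers));
}

// Constructed session token: 40 characters, the length Laravel stores in the session.
$session = str_repeat('a', 40);

$cases = [
    // Legitimate form post carrying the hidden _token field.
    'form post with _token'        => verify($session, ['_token' => $session]),
    // AJAX call sending the token in the X-CSRF-TOKEN header instead of the body.
    'ajax with X-CSRF-TOKEN header' => verify($session, [], ['X-CSRF-TOKEN' => $session]),
    // Cross-site forgery: the attacker's page cannot read the token, so it is absent.
    'forged request, no token'     => verify($session, ['amount' => '1000']),
    // Guessed token of the right length but the wrong value.
    'wrong token'                  => verify($session, ['_token' => str_repeat('b', 40)]),
    // Malformed input: _token[]=x arrives as an array. The is_string guard turns
    // what would be a TypeError from hash_equals() into a plain rejection.
    'array submitted as _token'    => verify($session, ['_token' => ['x']]),
];

foreach ($cases as $label => $ok) {
    printf("%-32s %s\n", $label, $ok ? 'accepted' : 'rejected (419)');
}

// Why hash_equals() rather than ==: loose comparison treats numeric-looking
// strings numerically, so two different tokens can compare equal.
printf("'0e123' == '0e456'          : %s\n", var_export('0e123' == '0e456', true));
printf("hash_equals('0e123','0e456'): %s\n", var_export(hash_equals('0e123', '0e456'), true));
```

Only the first two requests are accepted; the forged, wrong-token and array cases are all rejected, which is the behaviour that produces the 419 response in a real application. The last two lines show why the framework uses hash_equals: with == the two numeric-looking strings compare equal, with hash_equals they do not.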
Ercole Palmeri