feat #58 : wizard multi-étapes création/édition article #59
@@ -3,6 +3,10 @@ DirectoryIndex index.php
|
||||
|
||||
RewriteEngine On
|
||||
|
||||
# Paramètres DokuWiki (?do=media, ?do=export_pdf, etc.) — 410 Gone, jamais de contenu ici
|
||||
RewriteCond %{QUERY_STRING} (^|&)do= [NC]
|
||||
RewriteRule ^ - [R=410,L]
|
||||
|
||||
# Fichiers et répertoires réels servis directement
|
||||
RewriteCond %{REQUEST_FILENAME} -f [OR]
|
||||
RewriteCond %{REQUEST_FILENAME} -d
|
||||
|
||||
+10
-5
@@ -4,11 +4,16 @@ declare(strict_types=1);
|
||||
|
||||
define('BASE_PATH', realpath(__DIR__ . '/../'));
|
||||
|
||||
if (session_status() === PHP_SESSION_NONE) {
|
||||
$_sessionName = getenv('SESSION_NAME') ?: 'PHPSESSID';
|
||||
if (session_status() === PHP_SESSION_NONE
|
||||
&& (isset($_COOKIE[$_sessionName]) || $_SERVER['REQUEST_METHOD'] === 'POST')
|
||||
) {
|
||||
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
|
||||
session_name($_sessionName);
|
||||
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => $isHttps, 'httponly' => true, 'samesite' => 'Lax']);
|
||||
session_start();
|
||||
}
|
||||
unset($_sessionName);
|
||||
|
||||
require_once BASE_PATH . '/src/helpers.php';
|
||||
require_once BASE_PATH . '/src/auth.php';
|
||||
@@ -1888,10 +1893,10 @@ switch ($action) {
|
||||
exit;
|
||||
}
|
||||
|
||||
// CSRF
|
||||
$csrfOk = isset($_POST['_token'], $_SESSION['comment_csrf'])
|
||||
&& hash_equals($_SESSION['comment_csrf'], $_POST['_token']);
|
||||
unset($_SESSION['comment_csrf']);
|
||||
// CSRF (double-submit cookie — pas de session requise pour les visiteurs)
|
||||
$csrfOk = isset($_POST['_token'], $_COOKIE['_csrf_c'])
|
||||
&& hash_equals($_COOKIE['_csrf_c'], $_POST['_token']);
|
||||
setcookie('_csrf_c', '', ['expires' => time() - 3600, 'path' => '/', 'samesite' => 'Strict', 'httponly' => true]);
|
||||
if (!$csrfOk) {
|
||||
header('Location: /');
|
||||
exit;
|
||||
|
||||
@@ -2,6 +2,9 @@
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
if (!defined('BASE_PATH')) {
|
||||
define('BASE_PATH', dirname(__DIR__, 2));
|
||||
}
|
||||
require_once dirname(__DIR__, 2) . '/vendor/autoload.php';
|
||||
require_once dirname(__DIR__, 2) . '/config/config.php';
|
||||
require_once dirname(__DIR__, 2) . '/bootstrap.php';
|
||||
|
||||
@@ -4,6 +4,9 @@
|
||||
// version : 20251005
|
||||
declare(strict_types=1);
|
||||
|
||||
if (!defined('BASE_PATH')) {
|
||||
define('BASE_PATH', dirname(__DIR__, 2));
|
||||
}
|
||||
require_once dirname(__DIR__, 2) . '/vendor/autoload.php';
|
||||
require_once dirname(__DIR__, 2) . '/config/config.php';
|
||||
require_once dirname(__DIR__, 2) . '/bootstrap.php';
|
||||
|
||||
@@ -2,6 +2,9 @@
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
if (!defined('BASE_PATH')) {
|
||||
define('BASE_PATH', dirname(__DIR__, 2));
|
||||
}
|
||||
require_once dirname(__DIR__, 2) . '/vendor/autoload.php';
|
||||
require_once dirname(__DIR__, 2) . '/config/config.php';
|
||||
require_once dirname(__DIR__, 2) . '/bootstrap.php';
|
||||
|
||||
@@ -15,7 +15,13 @@ $_reactionDefs = [
|
||||
];
|
||||
|
||||
$_csrfToken = bin2hex(random_bytes(16));
|
||||
$_SESSION['comment_csrf'] = $_csrfToken;
|
||||
setcookie('_csrf_c', $_csrfToken, [
|
||||
'expires' => 0,
|
||||
'path' => '/',
|
||||
'secure' => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
|
||||
'httponly' => true,
|
||||
'samesite' => 'Strict',
|
||||
]);
|
||||
?>
|
||||
|
||||
<?php if (!empty($alsoReadArticles ?? [])): ?>
|
||||
|
||||
Reference in New Issue
Block a user