From a919a392ccdc888324e054f810780b855a99bb01 Mon Sep 17 00:00:00 2001
From: "Claw (KI-Assistent)"
Date: Thu, 21 May 2026 23:05:51 +0000
Subject: [PATCH] fix(security): add CSRF protection to contact form (#42)

- Generate CSRF token (32 bytes) on GET requests
- Add hidden csrf_token field to contact form
- Validate token with hash_equals() (timing-safe) on POST
- Reject invalid/missing tokens with user-friendly error
Fix #42
---
 app/controllers/HomeController.php | 13 +++++++++++++
 app/views/home/index.php | 1 +
 2 files changed, 14 insertions(+)

diff --git a/app/controllers/HomeController.php b/app/controllers/HomeController.php
index 0d7b51a..f1a7b8f 100644
--- a/app/controllers/HomeController.php
+++ b/app/controllers/HomeController.php
@@ -41,7 +41,20 @@ class HomeController extends Controller
 $formData = ['fname' => '', 'lname' => '', 'email' => '', 'phone' => '', 'interest' => 'Besichtigung anfragen', 'message' => ''];
 }
 
+ // CSRF-Token generieren (nach Session-Start)
+ if (empty($_SESSION['csrf_token'])) {
+ $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+ }
+
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ // CSRF-Token validieren
+ $csrfToken = $_POST['csrf_token'] ?? '';
+ if (!hash_equals($_SESSION['csrf_token'] ?? '', $csrfToken)) {
+ header('Location: /#form-result');
+ $_SESSION['form_errors'] = ['Sicherheitsüberprüfung fehlgeschlagen. Bitte versuchen Sie es erneut.'];
+ exit;
+ }
+
 $formData['fname'] = $normalizeContactValue((string) ($_POST['fname'] ?? ''));
 $formData['lname'] = $normalizeContactValue((string) ($_POST['lname'] ?? ''));
 $formData['email'] = $normalizeContactValue((string) ($_POST['email'] ?? ''));
diff --git a/app/views/home/index.php b/app/views/home/index.php
index 6358e9f..75ddf93 100644
--- a/app/views/home/index.php
+++ b/app/views/home/index.php
@@ -434,6 +434,7 @@
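Review bot: `$csrfToken = $_POST['csrf_token'] ?? '';` does not guarantee a string — if the field arrives as an array (PHP builds one from a `name[]` parameter), `hash_equals()` throws a TypeError under PHP 8 and the request ends in an unhandled error rather than the friendly redirect the hunk intends. Accept only a string before comparing, e.g. `$csrfToken = is_string($_POST['csrf_token'] ?? null) ? $_POST['csrf_token'] : '';`; the surrounding `(string)` casts on the other fields are not a good model here, since casting an array yields the literal `"Array"` plus a warning. The token generation is correctly placed before the method check, so a POST arriving with an expired session gets a fresh token and is rejected; as the comment notes this depends on `session_start()` having run earlier in the method, which begins outside the hunk, so that ordering should be confirmed. As a point of style, assign `$_SESSION['form_errors']` before calling `header()` so the redirect block reads in execution order. The `index.php` hunk that adds the hidden field is not legible in this view, so the emitting side of the token could not be reviewed.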
+
-- 2.49.1