| 12345678910111213141516171819202122232425262728293031323334 |
- <?php
- require_once "../env.inc.php";
- require_once "../conf.inc.php";
- require_once DIR_PHP_LAYOUTS . "header.php";
- secureSession::start();
- require_once "../access.inc.php";
- require_once DIR_PHP_LAYOUTS . "events.session.php";
- // Validation CSRF pour les requêtes JSON POST
- if ($_SERVER['REQUEST_METHOD'] === 'POST' && core::ifGet("jsonData")) {
- $jsonData = core::getGet("jsonData");
- // Actions nécessitant une protection CSRF (login exclu car action publique pré-authentification)
- $csrfProtectedActions = ['logout', 'inscription', 'validation'];
- if (in_array($jsonData, $csrfProtectedActions)) {
- if (!csrf::validateHeader('events-ajax', 'X-CSRF-Token')) {
- error_log("CSRF validation failed for JSON action: $jsonData from IP: " . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
- http_response_code(403);
- header('Content-Type: application/json');
- echo json_encode([
- 'success' => false,
- 'error' => 'csrf_failed',
- 'message' => 'Token de sécurité invalide. Veuillez recharger la page.'
- ]);
- exit();
- }
- }
- }
- get::json();
- get::jsonData();
|
