PHP Yii dropzone 扩展(无法验证 CSRF 令牌)


我想在 dropzone 的上传请求中一并发送 Yii 的 CSRF 令牌。下面是我的代码:

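   // Dropzone uploads with its own XHR, so the CSRF token that a normal form
   // post carries has to be appended to that request explicitly. Read the
   // token *name* from the request component instead of hard-coding
   // "YII_CSRF_TOKEN" (it is configurable), and json_encode() both values so
   // they are emitted as JavaScript string literals whatever they contain.
   $csrfName = json_encode(
       Yii::app()->request->csrfTokenName,
       JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
   );
   $csrfValue = json_encode(
       Yii::app()->request->csrfToken,
       JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
   );
   $this->widget('ext.dropzone.EDropzone', array(
       'model' => $model,
       'attribute' => 'file',
       'url' => $this->createUrl('//media/file'),
       'mimeTypes' => array('image/jpeg', 'image/png'),
       'options' => array(
           // Dropzone "sending" hook: runs before each upload request is sent,
           // so the CSRF field is added to every upload's form data.
           'sending' => 'function(file, xhr, formData) {
               formData.append(' . $csrfName . ', ' . $csrfValue . ');
           }',
       ),
   ));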
// 控制器 media(请求没有到达控制器)


这是我在为 xupload / blueimp jQuery File Upload 寻找 CSRF 令牌解决方案时找到的方法。把它放进 components 目录下的 “EHttpRequest.php” 文件中(如果没有就新建一个)。

资料来源:



警告:这样做可能带来一定的安全风险;如果有人认为这种做法在安全上有问题,请告诉我。

下面是如何对某些动作(action)停用 CSRF 验证的方法:

//main/config 
在 components 下添加以下几行:

       // Component definition for Yii::app()->request. 'class' must be the
       // name of the CHttpRequest subclass defined below; Yii autoloads it
       // from components/<ClassName>.php, so the file name must match.
       'request' => array(
        'class' => 'HttpRequest',
        // PCRE patterns (no delimiters) matched against the parsed route.
        // Anchor them with ^ and $ so only the intended action is exempted;
        // an unanchored pattern also matches routes that merely contain it.
        // For the question's upload URL the route is presumably 'media/file'
        // rather than 'site/upload' — confirm against createUrl('//media/file').
        'noCsrfValidationRoutes' => array(
            '^site/upload.*$',
        ),
        'enableCookieValidation' => true,
        // CSRF validation stays on globally; only the listed routes skip it.
        'enableCsrfValidation' => true,
    ),
然后在 components 文件夹中创建以下类:

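/**
 * CHttpRequest subclass that can skip CSRF validation for selected routes.
 *
 * Meant for endpoints whose client cannot put the CSRF token in the POST body
 * (some file-upload libraries). Every route listed in noCsrfValidationRoutes
 * accepts cross-site POSTs, so keep the list short and tightly anchored, and
 * prefer sending the token with the request where the client supports it.
 * The file must be named HttpRequest.php (same as the class) for Yii's
 * component autoloading to find it.
 */
class HttpRequest extends CHttpRequest
{
    /** Kept for compatibility with code that may read it; unused in this class. */
    public $prev_url;

    /**
     * Regular expressions (without delimiters) matched against the parsed
     * route, e.g. '^site/upload.*$'. Anchor them: an unanchored 'upload' also
     * matches 'admin/upload' and 'site/uploads'. Patterns must not contain
     * '#', which is used as the PCRE delimiter.
     *
     * @var array list of PCRE patterns
     */
    public $noCsrfValidationRoutes = array();

    /**
     * Lets the parent attach validateCsrfToken() to onBeginRequest, then
     * detaches it again when this is a POST to an exempted route.
     */
    protected function normalizeRequest()
    {
        parent::normalizeRequest();

        // Only POST requests are CSRF-validated, so nothing to do otherwise.
        if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
            return;
        }
        if (!$this->enableCsrfValidation) {
            return;
        }

        $route = Yii::app()->getUrlManager()->parseUrl($this);
        if ($this->isCsrfExemptRoute($route)) {
            Yii::app()->detachEventHandler('onBeginRequest', array($this, 'validateCsrfToken'));
            Yii::trace('Route "' . $route . '" passed without CSRF validation');
        }
    }

    /**
     * Returns true when $route matches any pattern in noCsrfValidationRoutes.
     * A pattern that fails to compile (preg_match() returns false) is treated
     * as no match, so a config typo never widens the exemption.
     *
     * @param string $route the route in "controller/action" form
     * @return boolean
     */
    protected function isCsrfExemptRoute($route)
    {
        foreach ($this->noCsrfValidationRoutes as $pattern) {
            if (preg_match('#' . $pattern . '#', $route) === 1) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the absolute URL of the current request.
     *
     * REQUEST_URI already carries the query string, so it is split off and
     * the query is rebuilt once from $_GET (appending it to the full
     * REQUEST_URI produced ".../path?a=1?a=1"). HTTP_HOST comes from the
     * client's Host header; if this URL feeds redirects or links, make sure
     * the web server only accepts the expected host names.
     *
     * @return string
     */
    public function getCurrentUri()
    {
        // HTTPS is set to a non-empty value other than 'off'/'no' on TLS
        // connections; the exact value varies from server to server.
        $isHttps = isset($_SERVER['HTTPS'])
            && $_SERVER['HTTPS']
            && !in_array(strtolower($_SERVER['HTTPS']), array('off', 'no'), true);
        $scheme = $isHttps ? 'https' : 'http';

        $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
        $requestUri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

        // Keep only the path part; the query string is re-added from $_GET below.
        $queryPos = strpos($requestUri, '?');
        $path = ($queryPos === false) ? $requestUri : substr($requestUri, 0, $queryPos);

        $url = $scheme . '://' . $host . $path;
        if (count($_GET) > 0) {
            $url .= '?' . http_build_query($_GET);
        }

        return $url;
    }
}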

你可以把令牌作为 URL 参数发送:`$this->createUrl('//media/file', array('YII_CSRF_TOKEN' => Yii::app()->request->csrfToken))`。 —— 这样不起作用。 —— 你在 URL 里得到了什么?可以试一下。 —— 那你在 URL 里就拿到了令牌,这样不对吗? —— 我试过了,但没有效果;我在 components 文件夹旁边创建了这个类,并通过配置 `'request' => array('class' => 'EHttpRequest')` 来调用它。 —— 嗯,这绝对是正确的步骤。我会再研究一下,可能还有另一处我忘记提到的代码修改。
       // Component definition for Yii::app()->request. 'class' must be the
       // name of the CHttpRequest subclass defined below; Yii autoloads it
       // from components/<ClassName>.php, so the file name must match.
       'request' => array(
        'class' => 'HttpRequest',
        // PCRE patterns (no delimiters) matched against the parsed route.
        // Anchor them with ^ and $ so only the intended action is exempted;
        // an unanchored pattern also matches routes that merely contain it.
        // For the question's upload URL the route is presumably 'media/file'
        // rather than 'site/upload' — confirm against createUrl('//media/file').
        'noCsrfValidationRoutes' => array(
            '^site/upload.*$',
        ),
        'enableCookieValidation' => true,
        // CSRF validation stays on globally; only the listed routes skip it.
        'enableCsrfValidation' => true,
    ),
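/**
 * CHttpRequest subclass that can skip CSRF validation for selected routes.
 *
 * Meant for endpoints whose client cannot put the CSRF token in the POST body
 * (some file-upload libraries). Every route listed in noCsrfValidationRoutes
 * accepts cross-site POSTs, so keep the list short and tightly anchored, and
 * prefer sending the token with the request where the client supports it.
 * The file must be named HttpRequest.php (same as the class) for Yii's
 * component autoloading to find it.
 */
class HttpRequest extends CHttpRequest
{
    /** Kept for compatibility with code that may read it; unused in this class. */
    public $prev_url;

    /**
     * Regular expressions (without delimiters) matched against the parsed
     * route, e.g. '^site/upload.*$'. Anchor them: an unanchored 'upload' also
     * matches 'admin/upload' and 'site/uploads'. Patterns must not contain
     * '#', which is used as the PCRE delimiter.
     *
     * @var array list of PCRE patterns
     */
    public $noCsrfValidationRoutes = array();

    /**
     * Lets the parent attach validateCsrfToken() to onBeginRequest, then
     * detaches it again when this is a POST to an exempted route.
     */
    protected function normalizeRequest()
    {
        parent::normalizeRequest();

        // Only POST requests are CSRF-validated, so nothing to do otherwise.
        if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
            return;
        }
        if (!$this->enableCsrfValidation) {
            return;
        }

        $route = Yii::app()->getUrlManager()->parseUrl($this);
        if ($this->isCsrfExemptRoute($route)) {
            Yii::app()->detachEventHandler('onBeginRequest', array($this, 'validateCsrfToken'));
            Yii::trace('Route "' . $route . '" passed without CSRF validation');
        }
    }

    /**
     * Returns true when $route matches any pattern in noCsrfValidationRoutes.
     * A pattern that fails to compile (preg_match() returns false) is treated
     * as no match, so a config typo never widens the exemption.
     *
     * @param string $route the route in "controller/action" form
     * @return boolean
     */
    protected function isCsrfExemptRoute($route)
    {
        foreach ($this->noCsrfValidationRoutes as $pattern) {
            if (preg_match('#' . $pattern . '#', $route) === 1) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the absolute URL of the current request.
     *
     * REQUEST_URI already carries the query string, so it is split off and
     * the query is rebuilt once from $_GET (appending it to the full
     * REQUEST_URI produced ".../path?a=1?a=1"). HTTP_HOST comes from the
     * client's Host header; if this URL feeds redirects or links, make sure
     * the web server only accepts the expected host names.
     *
     * @return string
     */
    public function getCurrentUri()
    {
        // HTTPS is set to a non-empty value other than 'off'/'no' on TLS
        // connections; the exact value varies from server to server.
        $isHttps = isset($_SERVER['HTTPS'])
            && $_SERVER['HTTPS']
            && !in_array(strtolower($_SERVER['HTTPS']), array('off', 'no'), true);
        $scheme = $isHttps ? 'https' : 'http';

        $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
        $requestUri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

        // Keep only the path part; the query string is re-added from $_GET below.
        $queryPos = strpos($requestUri, '?');
        $path = ($queryPos === false) ? $requestUri : substr($requestUri, 0, $queryPos);

        $url = $scheme . '://' . $host . $path;
        if (count($_GET) > 0) {
            $url .= '?' . http_build_query($_GET);
        }

        return $url;
    }
}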