CSRF token validation for ajax
diff --git a/src/Eccube/Controller/AbstractController.php b/src/Eccube/Controller/AbstractController.php
index 0f1c17500..b4caae677 100644
--- a/src/Eccube/Controller/AbstractController.php
+++ b/src/Eccube/Controller/AbstractController.php
@@ -32,6 +32,7 @@ use Eccube\Common\EccubeConfig;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\Form\FormFactoryInterface;
+use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
@@ -202,9 +203,11 @@ class AbstractController extends Controller
*/
protected function isTokenValid()
{
+ /** @var Request $request */
$request = $this->container->get('request_stack')->getCurrentRequest();
+ $token = $request->get(Constant::TOKEN_NAME) ? $request->get(Constant::TOKEN_NAME) : $request->headers->get('x-csrf-token');
- if (!$this->isCsrfTokenValid(Constant::TOKEN_NAME, $request->get(Constant::TOKEN_NAME))) {
+ if (!$this->isCsrfTokenValid(Constant::TOKEN_NAME, $token)) {
throw new AccessDeniedHttpException('CSRF token is invalid.');
}
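Review bot: The new `$token` line evaluates `$request->get(Constant::TOKEN_NAME)` twice only because the ternary is spelled out; `$token = $request->get(Constant::TOKEN_NAME) ?: $request->headers->get('x-csrf-token');` reads it once with the same fall-back-when-empty behaviour. Since the fallback is on truthiness, a body token of exactly `'0'` would be discarded in favour of the header, which is harmless for the random values the token manager produces but deserves a comment such as `// body/query token wins; AJAX callers send it in the x-csrf-token header instead`. `getCurrentRequest()` can return null outside a request scope, and the added line would then fail with a fatal error instead of the AccessDeniedHttpException callers expect; presumably this method is only reached from controller actions, but a null guard would make that explicit. The header name is a bare literal here and again in tag.twig, so a class constant would keep the two in step. isTokenValid's docblock and closing brace lie outside the hunk.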
diff --git a/src/Eccube/Controller/Admin/Product/TagController.php b/src/Eccube/Controller/Admin/Product/TagController.php
index 2335e2027..659699480 100644
--- a/src/Eccube/Controller/Admin/Product/TagController.php
+++ b/src/Eccube/Controller/Admin/Product/TagController.php
@@ -111,6 +111,7 @@ class TagController extends AbstractController
public function moveSortNo(Request $request)
{
if ($request->isXmlHttpRequest()) {
+ $this->isTokenValid();
$sortNos = $request->request->all();
foreach ($sortNos as $tagId => $sortNo) {
/* @var $Tag \Eccube\Entity\Tag */
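Review bot: The `$this->isTokenValid();` call sits inside `if ($request->isXmlHttpRequest())`, so a plain non-XHR POST to the same route never reaches the token check; whether the else branch (outside the hunk) rejects such requests cannot be seen here, so the call would be safer as the first statement of moveSortNo, ahead of the XHR branch. `isXmlHttpRequest()` only inspects the X-Requested-With header and is not a substitute for token validation, which is presumably why this change exists. moveSortNo's body continues past the hunk.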
diff --git a/src/Eccube/Resource/template/admin/Product/tag.twig b/src/Eccube/Resource/template/admin/Product/tag.twig
index 66ccd660e..395c3baea 100644
--- a/src/Eccube/Resource/template/admin/Product/tag.twig
+++ b/src/Eccube/Resource/template/admin/Product/tag.twig
@@ -66,6 +66,9 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
url: '{{ url('admin_product_tag_sort_no_move') }}',
type: 'POST',
data: newSortNos,
+ headers: {
+ 'x-csrf-token': $('meta[name="x-csrf-token"]').attr('content')
+ }
}).done(function (data) {
doDisableArrow();
}).fail(function () {
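Review bot: The header value is read with `$('meta[name="x-csrf-token"]').attr('content')`, but the only template this diff adds that meta tag to is styleguide_frame.twig (the next hunk); if the admin layout that tag.twig actually extends is a different file, `.attr('content')` yields undefined, the header goes out empty, and every sort request is rejected by the new server-side check. Confirm the meta tag is emitted by the layout tag.twig renders through before relying on it. Rather than repeating the `headers:` block in each AJAX call, the shared admin JS could register it once, e.g. `$.ajaxSetup({ headers: { 'x-csrf-token': $('meta[name="x-csrf-token"]').attr('content') } });`, so endpoints that later adopt `isTokenValid()` cannot forget to send the token. The `$.ajax` call starts before the hunk.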
diff --git a/src/Eccube/Resource/template/admin/styleguide_frame.twig b/src/Eccube/Resource/template/admin/styleguide_frame.twig
index 74516e52a..3d9831bb9 100644
--- a/src/Eccube/Resource/template/admin/styleguide_frame.twig
+++ b/src/Eccube/Resource/template/admin/styleguide_frame.twig
@@ -3,6 +3,7 @@
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, minimum-scale=1, initial-scale=1, user-scalable=no">
+ <meta name="x-csrf-token" content="{{ csrf_token() }}">
<title>{{ BaseInfo.shop_name }} - 管理画面</title>
<link rel="stylesheet" href="{{ asset('assets/css/bootstrap.css', 'admin') }}">
<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous">
diff --git a/src/Eccube/Twig/Extension/CsrfExtension.php b/src/Eccube/Twig/Extension/CsrfExtension.php
index 3068bf1bd..79cc3be87 100644
--- a/src/Eccube/Twig/Extension/CsrfExtension.php
+++ b/src/Eccube/Twig/Extension/CsrfExtension.php
@@ -32,9 +32,18 @@ class CsrfExtension extends AbstractExtension
{
return [
new TwigFunction('csrf_token_for_anchor', [$this, 'getCsrfTokenForAnchor'], ['is_safe' => ['all']]),
+ new TwigFunction('csrf_token', [$this, 'getCsrfToken'], ['is_safe' => ['all']])
];
}
+ /**
+ * @return string
+ */
+ public function getCsrfToken()
+ {
+ return $this->tokenManager->getToken(Constant::TOKEN_NAME)->getValue();
+ }
+
/**
* @return string
*/
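Review bot: Registering a Twig function named `csrf_token` is likely to collide with the `csrf_token(token_id)` function that Symfony's TwigBridge FormExtension registers when forms are enabled; Twig keeps one function per name, so which implementation `{{ csrf_token() }}` in styleguide_frame.twig resolves to depends on extension load order, and Symfony's would fail without its argument. A distinct name such as `eccube_csrf_token` (changed in the meta tag as well) removes the ambiguity. The new `getCsrfToken()` docblock should say what the value is for, e.g. `* Returns the CSRF token for Constant::TOKEN_NAME, intended for the x-csrf-token header of AJAX requests.` `'is_safe' => ['all']` switches off escaping for a value that ends up inside an HTML attribute; the token manager's value is not attacker-controlled, but dropping the option and letting Twig escape it costs nothing. The enclosing getFunctions() begins before the hunk and the trailing docblock belongs to a method outside it.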