Throw exception if init() is called multiple times

added check for mutiple call, added a test case for this,
Corrected a test case, and logic to temporarily create a config file
during test config file from test file.

Author: mebjas

.travis.yml

@@ -8,26 +8,14 @@ php:
   - "7.1"
   - hhvm
   - nightly
-  - hhvm-3.3
-  - hhvm-3.6
-  - hhvm-3.9
-  - hhvm-3.12
-  - hhvm-nightly
 
 matrix:
     allow_failures:
-    - os: osx
     - php: nightly
     - php: hhvm
-    - php: hhvm-3.3
-    - php: hhvm-3.6
-    - php: hhvm-3.9
-    - php: hhvm-3.12
-    - php: hhvm-nightly
 
 os:
   - linux
-  - osx
 
 before_script:
  - wget http://getcomposer.org/composer.phar

libs/csrf/csrfprotector.php

@@ -21,6 +21,7 @@ class jsFileNotFoundException extends \exception {};
 	class logFileWriteError extends \exception {};
 	class baseJSFileNotFoundExceptio extends \exception {};
 	class incompleteConfigurationException extends \exception {};
+	class alreadyInitializedException extends \exception {};
 
 	class csrfProtector
 	{
@@ -93,6 +94,13 @@ class csrfProtector
 		 */
 		public static function init($length = null, $action = null)
 		{
+			/*
+			 * Check if init has already been called.
+			 */
+			 if (count(self::$config) > 0) {
+				 throw new alreadyInitializedException("OWASP CSRFProtector: library was already initialized.");
+			 }
+
 			/*
 			 * if mod_csrfp already enabled, no verification, no filtering
 			 * Already done by mod_csrfp
@@ -150,7 +158,8 @@ public static function init($length = null, $action = null)
 			self::authorizePost();
 
 			// Initialize output buffering handler
-			ob_start('csrfProtector::ob_handler');
+			if (!defined('__TESTING_CSRFP__'))
+				ob_start('csrfProtector::ob_handler');
 
 			if (!isset($_COOKIE[self::$config['CSRFP_TOKEN']])
 				|| !isset($_SESSION[self::$config['CSRFP_TOKEN']])

test/config.test.php

@@ -0,0 +1,27 @@
+<?php
+/**
+ * Configuration file for CSRF Protector
+ * Necessary configurations are (library would throw exception otherwise)
+ * ---- logDirectory
+ * ---- failedAuthAction
+ * ---- jsPath
+ * ---- jsUrl
+ * ---- tokenLength
+ */
+return array(
+	"CSRFP_TOKEN" => "csrfp_token",
+	"logDirectory" => "../log",
+	"failedAuthAction" => array(
+		"GET" => 0,
+		"POST" => 0),
+	"errorRedirectionPage" => "",
+	"customErrorMessage" => "",
+	"jsPath" => "../js/csrfprotector.js",
+	"jsUrl" => "http://localhost/csrfp/js/csrfprotector.js",
+	"tokenLength" => 10,
+	"secureCookie" => false,
+	"disabledJavascriptMessage" => "This site attempts to protect users against <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\">
+	Cross-Site Request Forgeries </a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you.
+	 See details of your web browser for how to enable JavaScript.",
+	 "verifyGetFor" => array()
+);

test/csrfprotector_test.php

@@ -71,8 +71,6 @@ public function setUp()
         csrfprotector::$config['CSRFP_TOKEN'] = 'csrfp_token';
         csrfprotector::$config['secureCookie'] = false;
 
-
-
         $_SERVER['REQUEST_URI'] = 'temp';       // For logging
         $_SERVER['REQUEST_SCHEME'] = 'http';    // For authorizePost
         $_SERVER['HTTP_HOST'] = 'test';         // For isUrlAllowed
@@ -85,10 +83,10 @@ public function setUp()
         $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
         $_SERVER['HTTPS'] = null;
 
-        $this->config = include(__DIR__ .'/../libs/config.sample.php');
+        $this->config = include(__DIR__ .'/config.test.php');
 
         // Create an instance of config file -- for testing
-        $data = file_get_contents(__DIR__ .'/../libs/config.sample.php');
+        $data = file_get_contents(__DIR__ .'/config.test.php');
         file_put_contents(__DIR__ .'/../libs/config.php', $data);
 
         if (!defined('__TESTING_CSRFP__')) define('__TESTING_CSRFP__', true);
@@ -439,10 +437,37 @@ public function testModCSRFPEnabledException()
         putenv('mod_csrfp_enabled=true');
         $temp = $_COOKIE[csrfprotector::$config['CSRFP_TOKEN']] = 'abc';
         $_SESSION[csrfprotector::$config['CSRFP_TOKEN']] = array('abc');
+
+        csrfProtector::$config = array();
         csrfProtector::init();
 
-        // Assuming no cookie change
-        $this->assertTrue($temp == $_SESSION[csrfprotector::$config['CSRFP_TOKEN']][0]);
-        $this->assertTrue($temp == $_COOKIE[csrfprotector::$config['CSRFP_TOKEN']]);
+        // Assuming no config was added
+        $this->assertTrue(count(csrfProtector::$config) == 0);
+        
+        // unset the env variable
+        putenv('mod_csrfp_enabled');
+    }
+
+    /**
+     * Test for exception thrown when init() method is called multiple times
+     */
+    public function testMultipleInitializeException()
+    {
+        csrfProtector::$config = array();
+        $this->assertTrue(count(csrfProtector::$config) == 0);
+
+        $_SERVER['REQUEST_METHOD'] = 'GET';
+        csrfProtector::init();
+
+        $this->assertTrue(count(csrfProtector::$config) == 11);
+        try {
+            csrfProtector::init();
+            $this->fail("alreadyInitializedException not raised");
+        }  catch (alreadyInitializedException $ex) {
+            // pass
+            $this->assertTrue(true);
+        } catch (Exception $ex) {
+            $this->fail("exception other than alreadyInitializedException failed");            
+        }
     }
 }