Cacti vendors `ezyang/csrf-magic` under `include/vendor/csrf/`. The upstream project has not had a meaningful update in years and is effectively abandoned.
Current state
- csrf-magic auto-injects `__csrf_magic` tokens into every `<form method="post">` via output-buffer rewrite
- AJAX forms include the token manually
- Token format: `sid:HMAC(session_id, time)`
- SameSite=Strict on the session cookie is the primary CSRF defense; csrf-magic is the fallback layer
Concerns
- No upstream security updates — any future vuln in the library stays unpatched
- Fallback cookie (`setcookie` with 4-arg form) lacks `Secure`, `HttpOnly`, `SameSite` flags
- Token comparison uses `===` instead of `hash_equals()`
- No `X-CSRF-Token` header support for modern SPA-style AJAX
Options
- Fork `ezyang/csrf-magic` into `Cacti/csrf-magic` and maintain locally
- Replace with Symfony CsrfTokenManager (more deps but actively maintained)
- Write a minimal in-tree implementation (~200 lines, covers the form-rewrite + AJAX-header pattern)
- Keep vendored copy but apply local patches for items 2-4
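As an added illustration (not Cacti's or csrf-magic's code), hypothetical helper functions showing the weak form beside the hardened form for concerns 2 to 4 above; the helper names and the HMAC key are assumptions.

```php
<?php
// Illustrative helpers only; not taken from Cacti or ezyang/csrf-magic.

// --- Concern 2: fallback cookie set with the 4-arg form, no security flags ---
function set_fallback_cookie_weak(string $name, string $value): void {
    // Old-style call: no Secure, no HttpOnly, no SameSite attribute.
    setcookie($name, $value, 0, '/');
}
function set_fallback_cookie_hardened(string $name, string $value): void {
    // PHP >= 7.3 options-array form; SameSite=Strict matches the policy
    // already used on the session cookie.
    setcookie($name, $value, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// --- Concern 3: token comparison with === instead of hash_equals() ---
function token_matches_weak(string $expected, string $provided): bool {
    return $expected === $provided;           // short-circuits on first mismatch
}
function token_matches_hardened(string $expected, string $provided): bool {
    return hash_equals($expected, $provided); // constant-time, length-safe
}

// --- Concern 4: no X-CSRF-Token header support for AJAX ---
// Prefer the POST field csrf-magic injects; fall back to the request header a
// SPA would send. PHP exposes "X-CSRF-Token" as $_SERVER['HTTP_X_CSRF_TOKEN'].
function request_csrf_token(array $post, array $server): ?string {
    if (isset($post['__csrf_magic']) && is_string($post['__csrf_magic'])) {
        return $post['__csrf_magic'];
    }
    if (isset($server['HTTP_X_CSRF_TOKEN']) && is_string($server['HTTP_X_CSRF_TOKEN'])) {
        return $server['HTTP_X_CSRF_TOKEN'];
    }
    return null;
}

// Constructed usage: build the expected sid:HMAC(session_id, time) value with a
// placeholder key (assumption) and verify it over either channel.
$hmacKey  = 'REPLACE-WITH-SERVER-SECRET';
$expected = 'sid:' . hash_hmac('sha256', session_id() . ':' . time(), $hmacKey);
$provided = request_csrf_token($_POST, $_SERVER);
$csrfOk   = $provided !== null && token_matches_hardened($expected, $provided);
```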
Related
- GET-state-change deny-list expansion (separate PR)
- Session fixation gaps in guest/cookie-auth transitions (GHSA-rx6j)