passesCSRFCheck added to OCP\IRequest

lib/private/appframework/http/request.php

@@ -43,7 +43,8 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 		'cookies',
 		'urlParams',
 		'parameters',
-		'method'
+		'method',
+		'requesttoken',
 	);
 
 	/**
@@ -54,9 +55,9 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 	 * @param array 'files' the $_FILES array
 	 * @param array 'server' the $_SERVER array
 	 * @param array 'env' the $_ENV array
-	 * @param array 'session' the $_SESSION array
 	 * @param array 'cookies' the $_COOKIE array
 	 * @param string 'method' the request method (GET, POST etc)
+	 * @param string|false 'requesttoken' the requesttoken or false when not available
 	 * @see http://www.php.net/manual/en/reserved.variables.php
 	 */
 	public function __construct(array $vars=array()) {
@@ -354,4 +355,35 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 
 		return $this->content;
 	}
-}
+
+	/**
+	 * Checks if the CSRF check was correct
+	 * @return bool true if CSRF check passed
+	 * @see OC_Util::$callLifespan
+	 * @see OC_Util::callRegister()
+	 */
+	public function passesCSRFCheck() {
+		if($this->items['requesttoken'] === false) {
+			return false;
+		}
+
+		if (isset($this->items['get']['requesttoken'])) {
+			$token = $this->items['get']['requesttoken'];
+		} elseif (isset($this->items['post']['requesttoken'])) {
+			$token = $this->items['post']['requesttoken'];
+		} elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
+			$token = $this->items['server']['HTTP_REQUESTTOKEN'];
+		} else {
+			//no token found.
+			return false;
+		}
+
+		// Check if the token is valid
+		if($token !== $this->items['requesttoken']) {
+			// Not valid
+			return false;
+		} else {
+			// Valid token
+			return true;
+		}
+	}}

lib/private/server.php

@@ -22,6 +22,19 @@ class Server extends SimpleContainer implements IServerContainer {
 			return new ContactsManager();
 		});
 		$this->registerService('Request', function($c) {
+			if (isset($c['urlParams'])) {
+				$urlParams = $c['urlParams'];
+			} else {
+				$urlParams = array();
+			}
+
+			if (\OC::$session->exists('requesttoken')) {
+				$requesttoken = \OC::$session->get('requesttoken');
+			} else {
+				$requesttoken = false;
+			}
+
+
 			return new Request(
 				array(
 					'get' => $_GET,
@@ -33,7 +46,9 @@ class Server extends SimpleContainer implements IServerContainer {
 					'method' => (isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']))
 						? $_SERVER['REQUEST_METHOD']
 						: null,
-					'urlParams' => $c['urlParams']
+					'params' => $params,
+					'urlParams' => $urlParams,
+					'requesttoken' => $requesttoken,
 				)
 			);
 		});

lib/private/util.php

@@ -695,29 +695,7 @@ class OC_Util {
 	 * @see OC_Util::callRegister()
 	 */
 	public static function isCallRegistered() {
-		if(!\OC::$session->exists('requesttoken')) {
-			return false;
-		}
-
-		if(isset($_GET['requesttoken'])) {
-			$token = $_GET['requesttoken'];
-		} elseif(isset($_POST['requesttoken'])) {
-			$token = $_POST['requesttoken'];
-		} elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])) {
-			$token = $_SERVER['HTTP_REQUESTTOKEN'];
-		} else {
-			//no token found.
-			return false;
-		}
-
-		// Check if the token is valid
-		if($token !== \OC::$session->get('requesttoken')) {
-			// Not valid
-			return false;
-		} else {
-			// Valid token
-			return true;
-		}
+		return \OC::$server->getRequest()->passesCSRFCheck();
 	}
 
 	/**

lib/public/irequest.php

@@ -107,4 +107,9 @@ interface IRequest {
 	function getCookie($key);
 
 
+	/**
+	 * Checks if the CSRF check was correct
+	 * @return bool true if CSRF check passed
+	 */
+	public function passesCSRFCheck();
 }