wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added JSON methods for CSRF prevention. Make request token accessible from template and add js var.

Browse source
This commit is contained in:
Thomas Tanghus 2012-06-13 17:33:19 +02:00
parent 9e9c40eabd
commit 89464721c7
5 changed files with 54 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
core/templates/layout.user.php
View file

@ -30,6 +30,16 @@
echo '/>';
?>
<?php endforeach; ?>
<script type="text/javascript">
$(function() {
var requesttoken = '<?php echo $_['requesttoken']; ?>';
$(document).bind('ajaxSend', function(elm, xhr, s){
if(requesttoken) {
xhr.setRequestHeader('requesttoken', requesttoken);
}
});
});
</script>
</head>
<body id="<?php echo $_['bodyid'];?>">

12
lib/json.php
View file

@ -41,6 +41,18 @@ class OC_JSON{
}
}
/**
* @brief Check an ajax get/post call if the request token is valid.
* @return json Error msg if not valid.
*/
public static function callCheck(){
if( !OC_Util::isCallRegistered()){
$l = OC_L10N::get('core');
self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') )));
exit();
}
}
/**
* Check if the user is a admin, send json error msg if not
*/

7
lib/public/json.php
View file

@ -53,6 +53,13 @@ class JSON {
return(\OC_JSON::checkLoggedIn());
}
/**
* @brief Check an ajax get/post call if the request token is valid.
* @return json Error msg if not valid.
*/
public static function callCheck(){
return(\OC_JSON::callCheck());
}
/**
* @brief Send json success msg

4
lib/template.php
View file

@ -155,6 +155,9 @@ class OC_Template{
$this->renderas = $renderas;
$this->application = $app;
$this->vars = array();
if($renderas == 'user') {
$this->vars['requesttoken'] = OC_Util::callRegister();
}
$this->l10n = OC_L10N::get($app);
header('X-Frame-Options: Sameorigin');
header('X-XSS-Protection: 1; mode=block');
@ -355,6 +358,7 @@ class OC_Template{
if( $this->renderas == "user" ){
$page = new OC_Template( "core", "layout.user" );
$page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' ));
$page->assign('requesttoken', $this->vars['requesttoken']);
if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){
$page->assign('bodyid','body-settings');
}else{

43
lib/util.php
View file

@ -355,8 +355,9 @@ class OC_Util {
}
/**
* Register an get/post call. This is important to prevent CSRF attacks
* @brief Register an get/post call. This is important to prevent CSRF attacks
* Todo: Write howto
* @return $token Generated token.
*/
public static function callRegister(){
//mamimum time before token exires
@ -381,50 +382,48 @@ class OC_Util {
}
}
}
// return the token
return($token);
}
/**
* Check an ajax get/post call if the request token is valid. exit if not.
* Todo: Write howto
* @brief Check an ajax get/post call if the request token is valid.
* @return boolean False if request token is not set or is invalid.
*/
public static function callCheck(){
public static function isCallRegistered(){
//mamimum time before token exires
$maxtime=(60*60); // 1 hour
// searches in the get and post arrays for the token.
if(isset($_GET['requesttoken'])) {
$token=$_GET['requesttoken'];
}elseif(isset($_POST['requesttoken'])){
$token=$_POST['requesttoken'];
}elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){
$token=$_SERVER['HTTP_REQUESTTOKEN'];
}else{
//no token found. exiting
exit;
//no token found.
return false;
}
// check if the token is in the user session and if the timestamp is from the last hour.
if(isset($_SESSION['requesttoken-'.$token])) {
$timestamp=$_SESSION['requesttoken-'.$token];
if($timestamp+$maxtime<time()){
//token exired. exiting
exit;
return false;
}else{
//token valid
return;
return true;
}
}else{
//no token found. exiting
exit;
return false;
}
}
/**
* @brief Check an ajax get/post call if the request token is valid. exit if not.
* Todo: Write howto
*/
public static function callCheck(){
if(!OC_Util::isCallRegistered()) {
exit;
}
}
}