Merge pull request #21291 from owncloud/refactor-call-check
Refactor OC_Util::callCheck
This commit is contained in:
commit
edd051dc02
6 changed files with 7 additions and 27 deletions
@ -33,7 +33,7 @@ $htaccessWorking=(getenv('htaccessWorking')=='true');
|
|||
$upload_max_filesize = OC::$server->getIniWrapper()->getBytes('upload_max_filesize');
|
||||
$post_max_size = OC::$server->getIniWrapper()->getBytes('post_max_size');
|
||||
$maxUploadFilesize = OCP\Util::humanFileSize(min($upload_max_filesize, $post_max_size));
|
||||
if($_POST && OC_Util::isCallRegistered()) {
|
||||
if($_POST && \OC::$server->getRequest()->passesCSRFCheck()) {
|
||||
if(isset($_POST['maxUploadSize'])) {
|
||||
if(($setMaxSize = OC_Files::setUploadLimit(OCP\Util::computerFileSize($_POST['maxUploadSize']))) !== false) {
|
||||
$maxUploadFilesize = OCP\Util::humanFileSize($setMaxSize);
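Review bot: The CSRF check on the changed line is the only guard visible before `$_POST['maxUploadSize']` is converted by `OCP\Util::computerFileSize()` and handed to `OC_Files::setUploadLimit()`, and nothing in the hunk validates the converted value; if `computerFileSize()` yields `false` or `0` for an unparsable string, confirm that `setUploadLimit()` refuses to persist it rather than writing a bogus limit (its behaviour is outside this hunk). A CSRF token only proves the request originated from the app's own page, not that the caller is an administrator, so the admin check for this settings page must still happen above the hunk — it is not visible here. Minor: `if(!empty($_POST) && \OC::$server->getRequest()->passesCSRFCheck())` states the intent of the array-truthiness test explicitly.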
|
||||
|
|
|
@ -1060,7 +1060,7 @@ class OC {
|
|||
return false;
|
||||
}
|
||||
|
||||
if(!OC_Util::isCallRegistered()) {
|
||||
if(!(\OC::$server->getRequest()->passesCSRFCheck())) {
|
||||
return false;
|
||||
}
|
||||
OC_App::loadApps();
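Review bot: A failed CSRF check on the changed line returns `false` silently, which the caller presumably cannot distinguish from missing or wrong credentials, so a forged or stale-token login attempt leaves no trace for detection or incident response. Consider logging the rejection at warning level through the server's logger (with the remote address) before returning, so repeated failures surface in security monitoring. The enclosing method starts and ends outside the hunk, so whether the caller already records this is not visible here.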
|
||||
|
|
|
@ -76,7 +76,7 @@ class OC_EventSource implements \OCP\IEventSource {
|
|||
} else {
|
||||
header("Content-Type: text/event-stream");
|
||||
}
|
||||
if (!OC_Util::isCallRegistered()) {
|
||||
if (!(\OC::$server->getRequest()->passesCSRFCheck())) {
|
||||
$this->send('error', 'Possible CSRF attack. Connection will be closed.');
|
||||
$this->close();
|
||||
exit();
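Review bot: The CSRF check on the changed line runs after `Content-Type: text/event-stream` has already been emitted, so on failure the client receives a 200 stream carrying an `error` event rather than a 4xx; that matches the previous behaviour, but the rejection is only detectable by a client that parses the event payload. Because a browser `EventSource` cannot send custom headers, the token has to be accepted from the query string by `passesCSRFCheck()` — confirm that path is covered, otherwise every event-source consumer fails this check. The `!(...)` wrapping is redundant; `if (!\OC::$server->getRequest()->passesCSRFCheck()) {` reads the same.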
|
||||
|
|
|
@ -76,7 +76,7 @@ class OC_JSON{
|
|||
* @deprecated Use annotation based CSRF checks from the AppFramework instead
|
||||
*/
|
||||
public static function callCheck() {
|
||||
if( !OC_Util::isCallRegistered()) {
|
||||
if( !(\OC::$server->getRequest()->passesCSRFCheck())) {
|
||||
$l = \OC::$server->getL10N('lib');
|
||||
self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.'), 'error' => 'token_expired' )));
|
||||
exit();
|
||||
|
|
|
@ -1127,7 +1127,6 @@ class OC_Util {
|
|||
* Creates a 'request token' (random) and stores it inside the session.
|
||||
* Ever subsequent (ajax) request must use such a valid token to succeed,
|
||||
* otherwise the request will be denied as a protection against CSRF.
|
||||
* @see OC_Util::isCallRegistered()
|
||||
*/
|
||||
public static function callRegister() {
|
||||
// Use existing token if function has already been called
|
||||
|
@ -1154,27 +1153,6 @@ class OC_Util {
|
|||
return self::$obfuscatedToken;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check an ajax get/post call if the request token is valid.
|
||||
*
|
||||
* @return boolean False if request token is not set or is invalid.
|
||||
* @see OC_Util::callRegister()
|
||||
*/
|
||||
public static function isCallRegistered() {
|
||||
return \OC::$server->getRequest()->passesCSRFCheck();
|
||||
}
|
||||
|
||||
/**
|
||||
* Check an ajax get/post call if the request token is valid. Exit if not.
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public static function callCheck() {
|
||||
if (!OC_Util::isCallRegistered()) {
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Public function to sanitize HTML
|
||||
*
|
||||
|
|
|
@ -494,7 +494,9 @@ class Util {
|
|||
* @since 4.5.0
|
||||
*/
|
||||
public static function callCheck() {
|
||||
\OC_Util::callCheck();
|
||||
if (!(\OC::$server->getRequest()->passesCSRFCheck())) {
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
/**
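Review bot: On a failed check the changed lines call `exit()` without setting a status, so the client gets an empty 200 response and cannot tell a CSRF rejection from a successful no-op; since this is now the public `OCP\Util` entry point for apps, consider `http_response_code(403);` before `exit();` (guarded with `headers_sent()` if output may already have started). The visible docblock carries `@since 4.5.0` but no `@deprecated` tag, while `OC_JSON::callCheck()` in this same commit is marked `@deprecated` in favour of the AppFramework's annotation-based checks; the two wrappers should agree, e.g. `* @deprecated Use annotation based CSRF checks from the AppFramework instead`. Note also that `OC_Util::callCheck()` and `OC_Util::isCallRegistered()` are public static methods deleted elsewhere in this commit, so any third-party app calling them will now fatal — a deprecated forwarder or a changelog entry is worth considering; the docblock this hunk edits begins outside the hunk.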
|
||||
|
|