passesCSRFCheck added to OCP\IRequest
authorBart Visscher <bartv@thisnet.nl>
Fri, 27 Sep 2013 13:16:34 +0000 (15:16 +0200)
committerBart Visscher <bartv@thisnet.nl>
Fri, 4 Oct 2013 16:13:04 +0000 (18:13 +0200)
lib/private/appframework/http/request.php
lib/private/server.php
lib/private/util.php
lib/public/irequest.php

index f152956c8cf950f80cf37563009683e9cfe362bb..3e1f4ff87ed815f59d2c4d87234242f616075e8d 100644 (file)
@@ -43,7 +43,8 @@ class Request implements \ArrayAccess, \Countable, IRequest {
                'cookies',
                'urlParams',
                'parameters',
-               'method'
+               'method',
+               'requesttoken',
        );
 
        /**
@@ -54,9 +55,9 @@ class Request implements \ArrayAccess, \Countable, IRequest {
         * @param array 'files' the $_FILES array
         * @param array 'server' the $_SERVER array
         * @param array 'env' the $_ENV array
-        * @param array 'session' the $_SESSION array
         * @param array 'cookies' the $_COOKIE array
         * @param string 'method' the request method (GET, POST etc)
+        * @param string|false 'requesttoken' the requesttoken or false when not available
         * @see http://www.php.net/manual/en/reserved.variables.php
         */
        public function __construct(array $vars=array()) {
@@ -354,4 +355,35 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 
                return $this->content;
        }
-}
+
+       /**
+        * Checks if the CSRF check was correct
+        * @return bool true if CSRF check passed
+        * @see OC_Util::$callLifespan
+        * @see OC_Util::callRegister()
+        */
+       public function passesCSRFCheck() {
+               if($this->items['requesttoken'] === false) {
+                       return false;
+               }
+
+               if (isset($this->items['get']['requesttoken'])) {
+                       $token = $this->items['get']['requesttoken'];
+               } elseif (isset($this->items['post']['requesttoken'])) {
+                       $token = $this->items['post']['requesttoken'];
+               } elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
+                       $token = $this->items['server']['HTTP_REQUESTTOKEN'];
+               } else {
+                       //no token found.
+                       return false;
+               }
+
+               // Check if the token is valid
+               if($token !== $this->items['requesttoken']) {
+                       // Not valid
+                       return false;
+               } else {
+                       // Valid token
+                       return true;
+               }
+       }}
index 4000f546a3b4b541f82ab6b7ca3ca2c24beedde5..73a0cbd6ce606c99fa5b9ea02544408616449c91 100644 (file)
@@ -22,6 +22,19 @@ class Server extends SimpleContainer implements IServerContainer {
                        return new ContactsManager();
                });
                $this->registerService('Request', function($c) {
+                       if (isset($c['urlParams'])) {
+                               $urlParams = $c['urlParams'];
+                       } else {
+                               $urlParams = array();
+                       }
+
+                       if (\OC::$session->exists('requesttoken')) {
+                               $requesttoken = \OC::$session->get('requesttoken');
+                       } else {
+                               $requesttoken = false;
+                       }
+
+
                        return new Request(
                                array(
                                        'get' => $_GET,
@@ -33,7 +46,9 @@ class Server extends SimpleContainer implements IServerContainer {
                                        'method' => (isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']))
                                                ? $_SERVER['REQUEST_METHOD']
                                                : null,
-                                       'urlParams' => $c['urlParams']
+                                       'params' => $params,
+                                       'urlParams' => $urlParams,
+                                       'requesttoken' => $requesttoken,
                                )
                        );
                });
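Review bot: `'params' => $params` on the new side references a variable that is not assigned anywhere visible in this closure — the preceding hunk only introduces `$urlParams` and `$requesttoken`, and the unshown lines between the hunks sit inside the array literal — so it most likely evaluates to `null` with an undefined-variable notice. The allowed-key list added in request.php's first hunk contains `'parameters'`, not `'params'`, so even an assigned value would not be exposed under that name. Either drop the line or assign `$params` from its intended source and use the key the Request class expects. The double blank line at the end of the preceding hunk can also be collapsed to one.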
index 04a020ff006a3375770baa699e6517359d5a41f4..c5b4d2ae93e4b169ecebc92db6bfe725ae3049e8 100755 (executable)
@@ -695,29 +695,7 @@ class OC_Util {
         * @see OC_Util::callRegister()
         */
        public static function isCallRegistered() {
-               if(!\OC::$session->exists('requesttoken')) {
-                       return false;
-               }
-
-               if(isset($_GET['requesttoken'])) {
-                       $token = $_GET['requesttoken'];
-               } elseif(isset($_POST['requesttoken'])) {
-                       $token = $_POST['requesttoken'];
-               } elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])) {
-                       $token = $_SERVER['HTTP_REQUESTTOKEN'];
-               } else {
-                       //no token found.
-                       return false;
-               }
-
-               // Check if the token is valid
-               if($token !== \OC::$session->get('requesttoken')) {
-                       // Not valid
-                       return false;
-               } else {
-                       // Valid token
-                       return true;
-               }
+               return \OC::$server->getRequest()->passesCSRFCheck();
        }
 
        /**
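Review bot: `isCallRegistered()` now compares against the token the Request object captured when `\OC::$server` built it, whereas the removed code read `\OC::$session->get('requesttoken')` at call time; if `callRegister()` can replace the session token after the Request was constructed (login or token regeneration), this check would compare against a stale value. Worth confirming that the Request service is rebuilt in that case or reads the token lazily; the service lifetime is not visible from this hunk. The docblock above, which keeps `@see OC_Util::callRegister()`, could add `Delegates to IRequest::passesCSRFCheck()` so readers know where the check now lives.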
index 054f15d9eb2f01f35530eaacdb51a4c7fc97c299..45b27868d707f8252e59ee7b2b278d82000a3408 100644 (file)
@@ -107,4 +107,9 @@ interface IRequest {
        function getCookie($key);
 
 
+       /**
+        * Checks if the CSRF check was correct
+        * @return bool true if CSRF check passed
+        */
+       public function passesCSRFCheck();
 }
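Review bot: The docblock on `passesCSRFCheck()` says only that the check "was correct"; since every IRequest implementor must now provide it, the contract should state what is compared, e.g. `@return bool true when the request carried a token matching the session's CSRF token`. Adding a method to a published interface also breaks any existing third-party implementation at load time, so a `@since` tag and a mention in the commit message would help consumers.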