Add two CSRF check calls. Review and lots of porting needed.
authorFrank Karlitschek <frank@owncloud.org>
Sat, 9 Jun 2012 13:05:14 +0000 (15:05 +0200)
committerFrank Karlitschek <frank@owncloud.org>
Sat, 9 Jun 2012 13:05:14 +0000 (15:05 +0200)
lib/public/util.php
lib/util.php

index 9b499574da1ca6b30f3f070b359ecb05147c29b9..995161e2abe67f6bd3f008c11d06d2ba0fdcfc4c 100644 (file)
@@ -248,6 +248,26 @@ class Util {
        }
 
 
+       /**
+        * Register an get/post call. This is important to prevent CSRF attacks
+        * TODO: write example
+        */
+       public static function callRegister(){
+               return(\OC_Util::callRegister());
+       }
+
+
+       /**
+        * Check an ajax get/post call if the request token is valid. exit if not.
+        * Todo: Write howto
+        */
+       public static function callCheck(){
+               return(\OC_Util::callCheck());
+       }
+
+
+
+
 }
 
 ?>
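Review bot: Both public wrappers carry placeholder docblocks ("TODO: write example", "Todo: Write howto") and no @return, so an app developer reading the public API cannot tell what `callRegister()` hands back or that `callCheck()` terminates the request instead of returning a result. For callRegister I would write `/** Generate a CSRF request token, store it in the user's session and return it; pass it as the 'requesttoken' GET/POST parameter of the protected call. @return string */`, and for callCheck `/** Verify the 'requesttoken' GET/POST parameter against the session; calls exit() when the token is missing, unknown or expired and returns normally otherwise. */`. The grammar in both headers ("an get/post call") should become "a GET/POST call".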
index 20888fa71f4056bec53516dd5bec1368c03f9086..ef8ba8efe72baa8d7599a333504071165499e6ec 100644 (file)
@@ -343,4 +343,60 @@ class OC_Util {
                }
                return $id;
        }
+
+       /**
+        * Register an get/post call. This is important to prevent CSRF attacks
+        * Todo: Write howto
+        */
+       public static function callRegister(){
+               // generate a random token.
+               $token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+
+               // store the token together with a timestamp in the session.
+               $_SESSION['requesttoken-'.$token]=time();
+
+               // return the token
+               return($token);
+       }
+
+
+       /**
+        * Check an ajax get/post call if the request token is valid. exit if not.
+        * Todo: Write howto
+        */
+       public static function callCheck(){
+               //mamimum time before token exires
+               $maxtime=(60*60);  // 1 hour
+
+               // searches in the get and post arrays for the token.
+               if(isset($_GET['requesttoken'])) {
+                       $token=$_GET['requesttoken'];
+               }elseif(isset($_POST['requesttoken'])){
+                       $token=$_POST['requesttoken'];
+               }else{
+                       //no token found. exiting
+                       exit;
+               }
+
+               // check if the token is in the user session and if the timestamp is from the last hour.
+               if(isset($_SESSION['requesttoken-'.$token])) {
+                       $timestamp=$_SESSION['requesttoken-'.$token];
+                       if($timestamp+$maxtime<time){
+                               //token exired. exiting
+                               exit;
+
+                       }else{
+                               //token valid
+                               return;
+                       }
+               }else{
+                       //no token found. exiting
+                       exit;
+               }
+       }
+
+
+
+
+
 }
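Review bot: The expiry check `if($timestamp+$maxtime<time){` in callCheck compares against the bare constant `time`, not the function `time()`; an undefined constant evaluates to the string "time" (with a notice), the integer comparison against it is never true, and so a registered token never expires. Change it to `if($timestamp+$maxtime<time()){`. The token in callRegister is three `mt_rand(1000,9000)` draws concatenated, which is neither cryptographically secure nor large (roughly 39 bits, and predictable from the generator state); prefer a CSPRNG, e.g. `$token=bin2hex(random_bytes(16));` (or `openssl_random_pseudo_bytes()` on PHP versions without random_bytes). Tokens are also never removed from the session, so every `callRegister()` call adds an entry that stays valid for the session's lifetime and can be replayed; consider `unset($_SESSION['requesttoken-'.$token]);` once a token has been checked, or pruning expired entries in callRegister(), if callers' usage allows it.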