Added JSON methods for CSRF prevention. Make request token accessible from template...
authorThomas Tanghus <thomas@tanghus.net>
Wed, 13 Jun 2012 15:33:19 +0000 (17:33 +0200)
committerThomas Tanghus <thomas@tanghus.net>
Wed, 13 Jun 2012 15:33:19 +0000 (17:33 +0200)
core/templates/layout.user.php
lib/json.php
lib/public/json.php
lib/template.php
lib/util.php

index e04fcabf137ee0ddfd6503b58818db974de82443..6f9b02237c92ddf4b0b7bec9445cae386e77fc9a 100644 (file)
                                echo '/>';
                        ?>
                <?php endforeach; ?>
+               <script type="text/javascript">
+                       $(function() {
+                               var requesttoken = '<?php echo $_['requesttoken']; ?>';
+                               $(document).bind('ajaxSend', function(elm, xhr, s){
+                                       if(requesttoken) {
+                                               xhr.setRequestHeader('requesttoken', requesttoken);
+                                       }
+                               });
+                       });
+               </script>
        </head>
 
        <body id="<?php echo $_['bodyid'];?>">
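Review bot: `var requesttoken = '<?php echo $_['requesttoken']; ?>';` drops the token into a JavaScript string literal with no escaping; the value is produced server-side by OC_Util::callRegister() today, but `var requesttoken = <?php echo json_encode($_['requesttoken']); ?>;` yields a well-formed literal whatever alphabet the token generator uses, so the template no longer depends on that. The ajaxSend handler also attaches the header to every jQuery request the page issues, including cross-origin ones, which would hand the CSRF token to any third-party endpoint a script happens to call; the settings object passed as `s` lets you restrict it with `if(requesttoken && !s.crossDomain) {`. The hunk header for this file is not shown, so I am assuming the script block is the whole addition here.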
index f3bbe9ac89976767adf01441d329970fc0457631..dfc0a7b894e199187a3d9487c44094b6a431c302 100644 (file)
@@ -41,6 +41,18 @@ class OC_JSON{
                }
        }
 
+       /**
+        * @brief Check an ajax get/post call if the request token is valid.
+        * @return json Error msg if not valid.
+        */
+       public static function callCheck(){
+               if( !OC_Util::isCallRegistered()){
+                       $l = OC_L10N::get('core');
+                       self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') )));
+                       exit();
+               }
+       }
+        
        /**
        * Check if the user is a admin, send json error msg if not
        */
index a8554671d103f8da643b3ddb5020f71ab9193562..b6edbd65bd5a07aa8f78ffa526f9f951f3ba3331 100644 (file)
@@ -53,6 +53,13 @@ class JSON {
                return(\OC_JSON::checkLoggedIn());
        }
 
+       /**
+        * @brief Check an ajax get/post call if the request token is valid.
+        * @return json Error msg if not valid.
+        */
+       public static function callCheck(){
+               return(\OC_JSON::callCheck());
+       }
 
        /**
        * @brief Send json success msg
index 14833a1e5b5e24f684fd5aee1c681dec4e0b54ad..9ce041a71c3d5e61742cc8136ddca6871d9905e4 100644 (file)
@@ -155,6 +155,9 @@ class OC_Template{
                $this->renderas = $renderas;
                $this->application = $app;
                $this->vars = array();
+               if($renderas == 'user') {
+                       $this->vars['requesttoken'] = OC_Util::callRegister();
+               }
                $this->l10n = OC_L10N::get($app);
                 header('X-Frame-Options: Sameorigin');
                 header('X-XSS-Protection: 1; mode=block');
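Review bot: `if($renderas == 'user') {` uses loose comparison where the intent is an exact string match; `if($renderas === 'user') {` says so and avoids PHP's type-juggling rules. Calling OC_Util::callRegister() in the constructor also means every OC_Template built with renderas 'user' stores a fresh `requesttoken-…` entry in the session even when the page is never printed; whether callRegister() prunes stale entries is not visible in this diff, so consider minting the token at render time, next to the `$page->assign('requesttoken', …)` in the later hunk, so only pages that are actually emitted consume a token. The constructor continues outside this hunk.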
@@ -355,6 +358,7 @@ class OC_Template{
                        if( $this->renderas == "user" ){
                                $page = new OC_Template( "core", "layout.user" );
                                $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' ));
+                               $page->assign('requesttoken', $this->vars['requesttoken']);
                                if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){
                                        $page->assign('bodyid','body-settings');
                                }else{
index e4efd953ec5aad4b8474efc6106db5c7f7c1ff77..0266a8ecc5f5f90da89c990feeaa3c15e52f67e9 100755 (executable)
@@ -355,8 +355,9 @@ class OC_Util {
        }
 
        /**
-        * Register an get/post call. This is important to prevent CSRF attacks
+        * @brief Register an get/post call. This is important to prevent CSRF attacks
         * Todo: Write howto
+        * @return $token Generated token.
         */
        public static function callRegister(){
                //mamimum time before token exires
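Review bot: `@return $token Generated token.` puts a variable name where PHPDoc expects a type, so documentation tools will read `$token` as the type. callRegister's body lies outside the hunk, so I cannot confirm the token's type from here; if it is a string, `@return string Generated token.` is the accurate tag. The comment on the next line also misspells "maximum" and "expires".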
@@ -381,50 +382,48 @@ class OC_Util {
                                }       
                        }
                }
-
-
                // return the token
                return($token);
        }
 
 
        /**
-        * Check an ajax get/post call if the request token is valid. exit if not.
-        * Todo: Write howto
+        * @brief Check an ajax get/post call if the request token is valid.
+        * @return boolean False if request token is not set or is invalid.
         */
-       public static function callCheck(){
+       public static function isCallRegistered(){
                //mamimum time before token exires
                $maxtime=(60*60);  // 1 hour
-
-               // searches in the get and post arrays for the token.
                if(isset($_GET['requesttoken'])) {
                        $token=$_GET['requesttoken'];
                }elseif(isset($_POST['requesttoken'])){
                        $token=$_POST['requesttoken'];
+               }elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){
+                       $token=$_SERVER['HTTP_REQUESTTOKEN'];
                }else{
-                       //no token found. exiting
-                       exit;
+                       //no token found.
+                       return false;
                }
-
-               // check if the token is in the user session and if the timestamp is from the last hour.
                if(isset($_SESSION['requesttoken-'.$token])) {
                        $timestamp=$_SESSION['requesttoken-'.$token];
                        if($timestamp+$maxtime<time()){
-                               //token exired. exiting
-                               exit;
-
+                               return false;
                        }else{
                                //token valid
-                               return;
+                               return true;
                        }
                }else{
-                       //no token found. exiting
-                       exit;
+                       return false;
                }
        }
 
-
-
-
-
+       /**
+        * @brief Check an ajax get/post call if the request token is valid. exit if not.
+        * Todo: Write howto
+        */
+       public static function callCheck(){
+               if(!OC_Util::isCallRegistered()) {
+                       exit;
+               }
+       }
 }
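Review bot: In the new OC_Util::callCheck(), a failed token check ends with a bare `exit;`, so the client receives an HTTP 200 with an empty body and cannot tell a rejected request from a handler that produced no output; sending an explicit status first, `header('HTTP/1.0 403 Forbidden');` followed by `exit;`, lets the JavaScript side and any logging distinguish the rejection. Within the same class, `OC_Util::isCallRegistered()` can be written `self::isCallRegistered()`. In isCallRegistered(), the `else { return true; }` after the `return false;` branch is redundant now that the function returns rather than exits, and `$maxtime=(60*60)` duplicates a value that callRegister() also defines, so a shared class constant would keep the two lifetimes from drifting apart. The method still accepts the token from `$_GET['requesttoken']`, which places the CSRF token in URLs, server logs and outgoing Referer headers; with the new `HTTP_REQUESTTOKEN` header path available to the AJAX layer, it is worth noting in the docblock which callers still rely on the query-string form before deciding whether to keep it.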