From: Morris Jobke
Date: Fri, 18 Dec 2015 14:43:13 +0000 (+0100)
Subject: Refactor OC_Util::callCheck
X-Git-Tag: v9.0beta1~424^2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=6f00729124053a8348f95a53d318317eb6d583fc;p=nextcloud-server.git
Refactor OC_Util::callCheck
---
diff --git a/apps/files/admin.php b/apps/files/admin.php
index f23f9b52698..a2092c600a7 100644
--- a/apps/files/admin.php
+++ b/apps/files/admin.php
@@ -33,7 +33,7 @@ $htaccessWorking=(getenv('htaccessWorking')=='true');
 $upload_max_filesize = OC::$server->getIniWrapper()->getBytes('upload_max_filesize');
 $post_max_size = OC::$server->getIniWrapper()->getBytes('post_max_size');
 $maxUploadFilesize = OCP\Util::humanFileSize(min($upload_max_filesize, $post_max_size));
-if($_POST && OC_Util::isCallRegistered()) {
+if($_POST && \OC::$server->getRequest()->passesCSRFCheck()) {
 if(isset($_POST['maxUploadSize'])) {
 if(($setMaxSize = OC_Files::setUploadLimit(OCP\Util::computerFileSize($_POST['maxUploadSize']))) !== false) {
 $maxUploadFilesize = OCP\Util::humanFileSize($setMaxSize);
diff --git a/lib/base.php b/lib/base.php
index ce4546e8fa3..34cbfe3066c 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -1060,7 +1060,7 @@ class OC {
 return false;
 }
- if(!OC_Util::isCallRegistered()) {
+ if(!(\OC::$server->getRequest()->passesCSRFCheck())) {
 return false;
 }
 OC_App::loadApps();
diff --git a/lib/private/eventsource.php b/lib/private/eventsource.php
index c076b87ddd9..0e98bdc2628 100644
--- a/lib/private/eventsource.php
+++ b/lib/private/eventsource.php
@@ -76,7 +76,7 @@ class OC_EventSource implements \OCP\IEventSource {
 } else {
 header("Content-Type: text/event-stream");
 }
- if (!OC_Util::isCallRegistered()) {
+ if (!(\OC::$server->getRequest()->passesCSRFCheck())) {
 $this->send('error', 'Possible CSRF attack. Connection will be closed.');
 $this->close();
 exit();
diff --git a/lib/private/json.php b/lib/private/json.php
index eba374f4da2..0bf4e8bcd01 100644
--- a/lib/private/json.php
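Review bot: The added condition in lib/base.php wraps the call in a redundant pair of parentheses, `if(!(\OC::$server->getRequest()->passesCSRFCheck())) {`, whereas the admin.php hunk writes the same check as `!\OC::$server->getRequest()->passesCSRFCheck()`; the extra parentheses also appear in the eventsource.php, json.php and lib/public/util.php hunks. Dropping them, `if (!\OC::$server->getRequest()->passesCSRFCheck()) {`, keeps the five inlined call sites consistent and reads the same as the plain method call it replaces. A failed check here falls through to `return false` with nothing recorded, and from the hunk alone it is indistinguishable from the `return false` two lines above, so a one-line comment stating why a CSRF failure is treated the same way as that earlier case would help the next reader. The enclosing method of class OC starts and ends outside the hunk.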
+++ b/lib/private/json.php
@@ -76,7 +76,7 @@ class OC_JSON{
 * @deprecated Use annotation based CSRF checks from the AppFramework instead
 */
 public static function callCheck() {
- if( !OC_Util::isCallRegistered()) {
+ if( !(\OC::$server->getRequest()->passesCSRFCheck())) {
 $l = \OC::$server->getL10N('lib');
 self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.'), 'error' => 'token_expired' )));
 exit();
diff --git a/lib/private/util.php b/lib/private/util.php
index 12146f6980b..c9738b29ca1 100644
--- a/lib/private/util.php
+++ b/lib/private/util.php
@@ -1127,7 +1127,6 @@ class OC_Util {
 * Creates a 'request token' (random) and stores it inside the session.
 * Ever subsequent (ajax) request must use such a valid token to succeed,
 * otherwise the request will be denied as a protection against CSRF.
- * @see OC_Util::isCallRegistered()
 */
 public static function callRegister() {
 // Use existing token if function has already been called
@@ -1154,27 +1153,6 @@ class OC_Util {
 return self::$obfuscatedToken;
 }
- /**
- * Check an ajax get/post call if the request token is valid.
- *
- * @return boolean False if request token is not set or is invalid.
- * @see OC_Util::callRegister()
- */
- public static function isCallRegistered() {
- return \OC::$server->getRequest()->passesCSRFCheck();
- }
-
- /**
- * Check an ajax get/post call if the request token is valid. Exit if not.
- *
- * @return void
- */
- public static function callCheck() {
- if (!OC_Util::isCallRegistered()) {
- exit();
- }
- }
-
 /**
 * Public function to sanitize HTML
 *
diff --git a/lib/public/util.php b/lib/public/util.php
index a9fe0e47de6..493aa0000a5 100644
--- a/lib/public/util.php
+++ b/lib/public/util.php
@@ -494,7 +494,9 @@ class Util {
 * @since 4.5.0
 */
 public static function callCheck() {
- \OC_Util::callCheck();
+ if (!(\OC::$server->getRequest()->passesCSRFCheck())) {
+ exit();
+ }
 }
 /**
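Review bot: The `@see OC_Util::isCallRegistered()` line in the first lib/private/util.php hunk is removed without a replacement, so the callRegister() docblock no longer points at where the token it creates is verified. Since the verification now lives on the request object, `* @see \OCP\IRequest::passesCSRFCheck()` keeps that link for readers. The neighbouring context line `Ever subsequent (ajax) request` is a pre-existing typo for `Every subsequent (ajax) request` that could be fixed in the same touch. callRegister()'s body continues past the hunk.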
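Review bot: The second lib/private/util.php hunk removes the public static methods `isCallRegistered()` and `callCheck()` outright, and their deleted docblocks carried no `@deprecated` tag, so any app code that called `OC_Util::isCallRegistered()` directly breaks without prior warning (inferred — no app code is visible in this diff, and OC_Util is private API). A thin wrapper kept for one release, `/** @deprecated use \OCP\IRequest::passesCSRFCheck() */ public static function isCallRegistered() { return \OC::$server->getRequest()->passesCSRFCheck(); }`, would give such callers a migration path. The public `\OCP\Util::callCheck()` entry point is kept in the lib/public/util.php hunk, so only direct OC_Util callers are affected.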
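Review bot: The new body of `\OCP\Util::callCheck()` answers a failed CSRF check with a bare `exit();`, so the response leaves with whatever status was already set — by default HTTP 200 and an empty body — which neither a client nor a server log can tell apart from success; `http_response_code(403);` before the `exit();` would make the refusal explicit and visible in access logs. This mirrors the removed `OC_Util::callCheck()`, so it is a carried-over gap rather than a regression introduced here. The docblock above the method (`@since 4.5.0`) is left as is while `OC_JSON::callCheck()` in the json.php hunk is tagged `@deprecated Use annotation based CSRF checks from the AppFramework instead`; if the public entry point is meant to follow the same path, the same `@deprecated` line plus `@return void` belong here too.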