From: Thomas Tanghus Date: Wed, 13 Jun 2012 15:33:19 +0000 (+0200) Subject: Added JSON methods for CSRF prevention. Make request token accessible from template... X-Git-Tag: v4.5.0beta1~74^2~420^2~50 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=89464721c7aa4464419cbcbedc658843f6c4696d;p=nextcloud-server.git Added JSON methods for CSRF prevention. Make request token accessible from template and add js var. --- diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php index e04fcabf137..6f9b02237c9 100644 --- a/core/templates/layout.user.php +++ b/core/templates/layout.user.php @@ -30,6 +30,16 @@ echo '/>'; ?> + diff --git a/lib/json.php b/lib/json.php index f3bbe9ac899..dfc0a7b894e 100644 --- a/lib/json.php +++ b/lib/json.php @@ -41,6 +41,18 @@ class OC_JSON{ } } + /** + * @brief Check an ajax get/post call if the request token is valid. + * @return json Error msg if not valid. + */ + public static function callCheck(){ + if( !OC_Util::isCallRegistered()){ + $l = OC_L10N::get('core'); + self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') ))); + exit(); + } + } + /** * Check if the user is a admin, send json error msg if not */ diff --git a/lib/public/json.php b/lib/public/json.php index a8554671d10..b6edbd65bd5 100644 --- a/lib/public/json.php +++ b/lib/public/json.php @@ -53,6 +53,13 @@ class JSON { return(\OC_JSON::checkLoggedIn()); } + /** + * @brief Check an ajax get/post call if the request token is valid. + * @return json Error msg if not valid. + */ + public static function callCheck(){ + return(\OC_JSON::callCheck()); + } /** * @brief Send json success msg diff --git a/lib/template.php b/lib/template.php index 14833a1e5b5..9ce041a71c3 100644 --- a/lib/template.php +++ b/lib/template.php @@ -155,6 +155,9 @@ class OC_Template{ $this->renderas = $renderas; $this->application = $app; $this->vars = array(); + if($renderas == 'user') { + $this->vars['requesttoken'] = OC_Util::callRegister(); + } $this->l10n = OC_L10N::get($app); header('X-Frame-Options: Sameorigin'); header('X-XSS-Protection: 1; mode=block'); @@ -355,6 +358,7 @@ class OC_Template{ if( $this->renderas == "user" ){ $page = new OC_Template( "core", "layout.user" ); $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' )); + $page->assign('requesttoken', $this->vars['requesttoken']); if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){ $page->assign('bodyid','body-settings'); }else{ diff --git a/lib/util.php b/lib/util.php index e4efd953ec5..0266a8ecc5f 100755 --- a/lib/util.php +++ b/lib/util.php @@ -355,8 +355,9 @@ class OC_Util { } /** - * Register an get/post call. This is important to prevent CSRF attacks + * @brief Register an get/post call. This is important to prevent CSRF attacks * Todo: Write howto + * @return $token Generated token. */ public static function callRegister(){ //mamimum time before token exires @@ -381,50 +382,48 @@ class OC_Util { } } } - - // return the token return($token); } /** - * Check an ajax get/post call if the request token is valid. exit if not. - * Todo: Write howto + * @brief Check an ajax get/post call if the request token is valid. + * @return boolean False if request token is not set or is invalid. */ - public static function callCheck(){ + public static function isCallRegistered(){ //mamimum time before token exires $maxtime=(60*60); // 1 hour - - // searches in the get and post arrays for the token. if(isset($_GET['requesttoken'])) { $token=$_GET['requesttoken']; }elseif(isset($_POST['requesttoken'])){ $token=$_POST['requesttoken']; + }elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){ + $token=$_SERVER['HTTP_REQUESTTOKEN']; }else{ - //no token found. exiting - exit; + //no token found. + return false; } - - // check if the token is in the user session and if the timestamp is from the last hour. if(isset($_SESSION['requesttoken-'.$token])) { $timestamp=$_SESSION['requesttoken-'.$token]; if($timestamp+$maxtime