@@ -30,6 +30,16 @@ | |||
echo '/>'; | |||
?> | |||
<?php endforeach; ?> | |||
<script type="text/javascript"> | |||
$(function() { | |||
var requesttoken = '<?php echo $_['requesttoken']; ?>'; | |||
$(document).bind('ajaxSend', function(elm, xhr, s){ | |||
if(requesttoken) { | |||
xhr.setRequestHeader('requesttoken', requesttoken); | |||
} | |||
}); | |||
}); | |||
</script> | |||
</head> | |||
<body id="<?php echo $_['bodyid'];?>"> |
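Review bot: The token is written into a JavaScript string literal without any escaping in `var requesttoken = '<?php echo $_['requesttoken']; ?>';`, so the template trusts that the value never contains a quote, backslash or `</script>`; the generator lives outside this hunk, so that cannot be confirmed here, and a context-aware encoding is cheap: `var requesttoken = <?php echo json_encode($_['requesttoken']); ?>;`. The `ajaxSend` handler also attaches the header to every jQuery request the page makes, including ones to other origins, so a third-party endpoint called via `$.ajax` would receive the session's CSRF token; guarding on the request being same-origin (jQuery exposes `s.crossDomain` in recent versions, otherwise compare `s.url` against the page origin) keeps the token on this host. The `$(function(){...})` wrapper is complete within the hunk.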
@@ -41,6 +41,18 @@ class OC_JSON{ | |||
} | |||
} | |||
/** | |||
* @brief Check an ajax get/post call if the request token is valid. | |||
* @return json Error msg if not valid. | |||
*/ | |||
public static function callCheck(){ | |||
if( !OC_Util::isCallRegistered()){ | |||
$l = OC_L10N::get('core'); | |||
self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') ))); | |||
exit(); | |||
} | |||
} | |||
/** | |||
* Check if the user is a admin, send json error msg if not | |||
*/ |
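Review bot: `callCheck` reports `'Token expired. Please reload page.'` for every `isCallRegistered()` failure, but `isCallRegistered` also returns false when no token was sent at all or when the token is unknown to the session, so the message misleads callers debugging a missing header or a logged-out session. Either word the message to cover all three cases (e.g. `'Request token missing or invalid. Please reload page.'`) or keep the user-facing text and add a `// covers missing, unknown and expired tokens` comment above the call. If `self::error()` does not already set a non-200 status (its body is outside this hunk), sending one before `exit()` would let clients distinguish a rejected call from a successful response with an error payload.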
@@ -53,6 +53,13 @@ class JSON { | |||
return(\OC_JSON::checkLoggedIn()); | |||
} | |||
/** | |||
* @brief Check an ajax get/post call if the request token is valid. | |||
* @return json Error msg if not valid. | |||
*/ | |||
public static function callCheck(){ | |||
return(\OC_JSON::callCheck()); | |||
} | |||
/** | |||
* @brief Send json success msg |
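Review bot: The docblock says `@return json Error msg if not valid.` but `\OC_JSON::callCheck()` (previous hunk) returns nothing and exits on failure, so `return(\OC_JSON::callCheck());` always returns `null` on the success path and the documented return never happens. Prefer `\OC_JSON::callCheck();` with no `return`, and a docblock such as `@brief Check an ajax get/post call if the request token is valid; sends a json error and exits if not.` so the public API matches what the caller actually observes.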
@@ -155,6 +155,9 @@ class OC_Template{ | |||
$this->renderas = $renderas; | |||
$this->application = $app; | |||
$this->vars = array(); | |||
if($renderas == 'user') { | |||
$this->vars['requesttoken'] = OC_Util::callRegister(); | |||
} | |||
$this->l10n = OC_L10N::get($app); | |||
header('X-Frame-Options: Sameorigin'); | |||
header('X-XSS-Protection: 1; mode=block'); | |||
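Review bot: `if($renderas == 'user')` uses a loose comparison on a string that also drives `$this->renderas == "user"` in the render path, so the two checks should at least agree on strictness; `if($renderas === 'user') {` is the safer form. Calling `OC_Util::callRegister()` in the constructor also means every user-page construction registers a fresh session entry, and since `isCallRegistered` keys each token as `$_SESSION['requesttoken-'.$token]`, the session grows with every page view unless `callRegister` prunes expired entries (its body is outside this hunk; worth confirming). A short comment such as `// one CSRF token per rendered page; consumed by layout.user.php and checked in OC_Util::isCallRegistered` would document the coupling for the next maintainer.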
@@ -355,6 +358,7 @@ class OC_Template{ | |||
if( $this->renderas == "user" ){ | |||
$page = new OC_Template( "core", "layout.user" ); | |||
$page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' )); | |||
$page->assign('requesttoken', $this->vars['requesttoken']); | |||
if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){ | |||
$page->assign('bodyid','body-settings'); | |||
}else{ |
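Review bot: `$page->assign('requesttoken', $this->vars['requesttoken']);` assumes the constructor populated that key, which only happens when `$renderas` was `'user'` at construction time; if `renderas` can be changed afterwards (not visible in this hunk) this raises an undefined-index notice and assigns `null`, and the page then ships with no token. A defensive form that keeps the same behavior otherwise is `$page->assign('requesttoken', isset($this->vars['requesttoken']) ? $this->vars['requesttoken'] : OC_Util::callRegister());`. The enclosing render method starts before this hunk.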
@@ -355,8 +355,9 @@ class OC_Util { | |||
} | |||
/** | |||
* Register an get/post call. This is important to prevent CSRF attacks | |||
* @brief Register an get/post call. This is important to prevent CSRF attacks | |||
* Todo: Write howto | |||
* @return $token Generated token. | |||
*/ | |||
public static function callRegister(){ | |||
//mamimum time before token exires | |||
@@ -381,50 +382,48 @@ class OC_Util { | |||
} | |||
} | |||
} | |||
// return the token | |||
return($token); | |||
} | |||
/** | |||
* Check an ajax get/post call if the request token is valid. exit if not. | |||
* Todo: Write howto | |||
* @brief Check an ajax get/post call if the request token is valid. | |||
* @return boolean False if request token is not set or is invalid. | |||
*/ | |||
public static function callCheck(){ | |||
public static function isCallRegistered(){ | |||
//mamimum time before token exires | |||
$maxtime=(60*60); // 1 hour | |||
// searches in the get and post arrays for the token. | |||
if(isset($_GET['requesttoken'])) { | |||
$token=$_GET['requesttoken']; | |||
}elseif(isset($_POST['requesttoken'])){ | |||
$token=$_POST['requesttoken']; | |||
}elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){ | |||
$token=$_SERVER['HTTP_REQUESTTOKEN']; | |||
}else{ | |||
//no token found. exiting | |||
exit; | |||
//no token found. | |||
return false; | |||
} | |||
// check if the token is in the user session and if the timestamp is from the last hour. | |||
if(isset($_SESSION['requesttoken-'.$token])) { | |||
$timestamp=$_SESSION['requesttoken-'.$token]; | |||
if($timestamp+$maxtime<time()){ | |||
//token exired. exiting | |||
exit; | |||
return false; | |||
}else{ | |||
//token valid | |||
return; | |||
return true; | |||
} | |||
}else{ | |||
//no token found. exiting | |||
exit; | |||
return false; | |||
} | |||
} | |||
/** | |||
* @brief Check an ajax get/post call if the request token is valid. exit if not. | |||
* Todo: Write howto | |||
*/ | |||
public static function callCheck(){ | |||
if(!OC_Util::isCallRegistered()) { | |||
exit; | |||
} | |||
} | |||
} |
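Review bot: `isCallRegistered` still accepts the CSRF token from `$_GET['requesttoken']` ahead of the POST body and the header, which exposes the token in access logs, browser history and Referer headers of any page that links to such a URL; if GET links can be dropped in favor of the header the new `ajaxSend` hook already sends, the `$_GET` branch should go, otherwise a comment recording why it is kept is worth adding. The value is also used unchecked as a session key in `$_SESSION['requesttoken-'.$token]`, and a request such as `requesttoken[]=x` makes `$token` an array and produces a notice during the concatenation; `if(!is_string($token)) { return false; }` right after the lookup chain closes that. In the new `callCheck`, a bare `exit;` answers a rejected request with HTTP 200 and an empty body, so `header('HTTP/1.1 403 Forbidden');` before the `exit;` would let clients and logs tell a CSRF rejection from an empty success response. The enclosing `OC_Util` class continues before this hunk.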