12 years ago · 89464721c7
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -30,6 +30,16 @@
 				echo '/>';
 			?>
 		<?php endforeach; ?>
 		<script type="text/javascript">
 			$(function() {
 				var requesttoken = '<?php echo $_['requesttoken']; ?>';
 				$(document).bind('ajaxSend', function(elm, xhr, s){
 					if(requesttoken) {
 						xhr.setRequestHeader('requesttoken', requesttoken);
 					}
 				});
 			});
 		</script>
 	</head>

 	<body id="<?php echo $_['bodyid'];?>">
--- a/lib/json.php
+++ b/lib/json.php
@@ -41,6 +41,18 @@ class OC_JSON{
 		}
 	}

 	/**
 	 * @brief Check an ajax get/post call if the request token is valid.
 	 * @return json Error msg if not valid.
 	 */
 	public static function callCheck(){
 		if( !OC_Util::isCallRegistered()){
 			$l = OC_L10N::get('core');
 			self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') )));
 			exit();
 		}
 	}
        
 	/**
 	* Check if the user is a admin, send json error msg if not
 	*/
--- a/lib/public/json.php
+++ b/lib/public/json.php
@@ -53,6 +53,13 @@ class JSON {
 		return(\OC_JSON::checkLoggedIn());
 	}

 	/**
 	 * @brief Check an ajax get/post call if the request token is valid.
 	 * @return json Error msg if not valid.
 	 */
 	public static function callCheck(){
 		return(\OC_JSON::callCheck());
 	}

 	/**
 	* @brief Send json success msg
--- a/lib/template.php
+++ b/lib/template.php
@@ -155,6 +155,9 @@ class OC_Template{
 		$this->renderas = $renderas;
 		$this->application = $app;
 		$this->vars = array();
 		if($renderas == 'user') {
 			$this->vars['requesttoken'] = OC_Util::callRegister();
 		}
 		$this->l10n = OC_L10N::get($app);
                header('X-Frame-Options: Sameorigin');
                header('X-XSS-Protection: 1; mode=block');
@@ -355,6 +358,7 @@ class OC_Template{
 			if( $this->renderas == "user" ){
 				$page = new OC_Template( "core", "layout.user" );
 				$page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' ));
 				$page->assign('requesttoken', $this->vars['requesttoken']);
 				if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){
 					$page->assign('bodyid','body-settings');
 				}else{
--- a/lib/util.php
+++ b/lib/util.php
@@ -355,8 +355,9 @@ class OC_Util {
 	}

 	/**
 	 * Register an get/post call. This is important to prevent CSRF attacks
 	 * @brief Register an get/post call. This is important to prevent CSRF attacks
 	 * Todo: Write howto
 	 * @return $token Generated token.
 	 */
 	public static function callRegister(){
 		//mamimum time before token exires
@@ -381,50 +382,48 @@ class OC_Util {
 				}	
 			}
 		}


 		// return the token
 		return($token);
 	}


 	/**
 	 * Check an ajax get/post call if the request token is valid. exit if not.
 	 * Todo: Write howto
 	 * @brief Check an ajax get/post call if the request token is valid.
 	 * @return boolean False if request token is not set or is invalid.
 	 */
 	public static function callCheck(){
 	public static function isCallRegistered(){
 		//mamimum time before token exires
 		$maxtime=(60*60);  // 1 hour

 		// searches in the get and post arrays for the token.
 		if(isset($_GET['requesttoken'])) {
 			$token=$_GET['requesttoken'];
 		}elseif(isset($_POST['requesttoken'])){
 			$token=$_POST['requesttoken'];
 		}elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){
 			$token=$_SERVER['HTTP_REQUESTTOKEN'];
 		}else{
 			//no token found. exiting
 			exit;
 			//no token found.
 			return false;
 		}

 		// check if the token is in the user session and if the timestamp is from the last hour.
 		if(isset($_SESSION['requesttoken-'.$token])) {
 			$timestamp=$_SESSION['requesttoken-'.$token];
 			if($timestamp+$maxtime<time()){
 				//token exired. exiting
 				exit;

 				return false;
 			}else{
 				//token valid
 				return;
 				return true;
 			}
 		}else{
 			//no token found. exiting
 			exit;
 			return false;
 		}
 	}





 	/**
 	 * @brief Check an ajax get/post call if the request token is valid. exit if not.
 	 * Todo: Write howto
 	 */
 	public static function callCheck(){
 		if(!OC_Util::isCallRegistered()) {
 			exit;
 		}
 	}
 }