authorFrank Karlitschek <frank@owncloud.org>2012-06-09 15:05:14 +0200
committerFrank Karlitschek <frank@owncloud.org>2012-06-09 15:05:14 +0200
commit344299a074e135140262d051531f723be69c786f (patch)
tree06788914bb755c45e71cd2d86981f08b2cd70cc8
parent081e1874cb476a16d7fd2d6ed5dabaeca61fffae (diff)
downloadnextcloud-server-344299a074e135140262d051531f723be69c786f.tar.gz
nextcloud-server-344299a074e135140262d051531f723be69c786f.zip
add two csrf check calls. Review and lots of porting needed.
-rw-r--r--lib/public/util.php20
-rw-r--r--lib/util.php56
2 files changed, 76 insertions, 0 deletions
diff --git a/lib/public/util.php b/lib/public/util.php
index 9b499574da1..995161e2abe 100644
--- a/lib/public/util.php
+++ b/lib/public/util.php
@@ -248,6 +248,26 @@ class Util {
}
+ /**
+ * Register an get/post call. This is important to prevent CSRF attacks
+ * TODO: write example
+ */
+ public static function callRegister(){
+ return(\OC_Util::callRegister());
+ }
+
+
+ /**
+ * Check an ajax get/post call if the request token is valid. exit if not.
+ * Todo: Write howto
+ */
+ public static function callCheck(){
+ return(\OC_Util::callCheck());
+ }
+
+
+
+
}
?>
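Review bot: The docblocks on `callRegister()` and `callCheck()` only say "register" and "check", but the first actually returns the token that must be sent back with the request and the second (as implemented in lib/util.php in this same commit) returns nothing on success and terminates the request otherwise, so a reader of the public API cannot tell how the two fit together. Suggested text for `callRegister()`: `Generates a request token, stores it in the session and returns it; pass it back as the requesttoken GET/POST parameter of the protected ajax call.` and for `callCheck()`: `Validates the requesttoken parameter of the current request against the session; calls exit when it is missing, unknown or expired, returns nothing otherwise.` The placeholder lines `TODO: write example` and `Todo: Write howto` could then be dropped or at least unified. Since the wrapped `callCheck()` has no return value, `return(\OC_Util::callCheck());` always yields null; a plain `\OC_Util::callCheck();` states the intent more clearly.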
diff --git a/lib/util.php b/lib/util.php
index 20888fa71f4..ef8ba8efe72 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -343,4 +343,60 @@ class OC_Util {
}
return $id;
}
+
+ /**
+ * Register an get/post call. This is important to prevent CSRF attacks
+ * Todo: Write howto
+ */
+ public static function callRegister(){
+ // generate a random token.
+ $token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+
+ // store the token together with a timestamp in the session.
+ $_SESSION['requesttoken-'.$token]=time();
+
+ // return the token
+ return($token);
+ }
+
+
+ /**
+ * Check an ajax get/post call if the request token is valid. exit if not.
+ * Todo: Write howto
+ */
+ public static function callCheck(){
+ //mamimum time before token exires
+ $maxtime=(60*60); // 1 hour
+
+ // searches in the get and post arrays for the token.
+ if(isset($_GET['requesttoken'])) {
+ $token=$_GET['requesttoken'];
+ }elseif(isset($_POST['requesttoken'])){
+ $token=$_POST['requesttoken'];
+ }else{
+ //no token found. exiting
+ exit;
+ }
+
+ // check if the token is in the user session and if the timestamp is from the last hour.
+ if(isset($_SESSION['requesttoken-'.$token])) {
+ $timestamp=$_SESSION['requesttoken-'.$token];
+ if($timestamp+$maxtime<time){
+ //token exired. exiting
+ exit;
+
+ }else{
+ //token valid
+ return;
+ }
+ }else{
+ //no token found. exiting
+ exit;
+ }
+ }
+
+
+
+
+
}
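Review bot: The expiry test `if($timestamp+$maxtime<time){` uses the bare name `time` instead of the function call, so it never compares against the current time (on PHP of this era an undefined constant degrades to the string "time" with a notice, which makes the branch effectively never fire; newer PHP raises an error instead) and registered tokens never expire; it should read `if($timestamp+$maxtime<time()){`. The token is built from three `mt_rand(1000,9000)` draws, a small and non-cryptographic space for a CSRF secret; a CSPRNG-derived value such as `$token=bin2hex(openssl_random_pseudo_bytes(16));` fits the same `requesttoken-` session-key scheme. Nothing ever removes `$_SESSION['requesttoken-'.$token]`, so an expired entry lingers, a leaked token stays replayable for the full hour, and the session grows by one key per `callRegister()` call; unsetting the key in the expired branch, and considering one-time use in the valid branch, would address that. The bare `exit` paths also end the request with a normal status and empty body, which an ajax caller cannot distinguish from success, so sending an error status before exiting would make the rejection observable.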