author | Frank Karlitschek <frank@owncloud.org> | 2012-06-09 15:05:14 +0200 |
---|---|---|
committer | Frank Karlitschek <frank@owncloud.org> | 2012-06-09 15:05:14 +0200 |
commit | 344299a074e135140262d051531f723be69c786f (patch) | |
tree | 06788914bb755c45e71cd2d86981f08b2cd70cc8 | |
parent | 081e1874cb476a16d7fd2d6ed5dabaeca61fffae (diff) | |
add two CSRF check calls. Review and lots of porting needed.
-rw-r--r-- | lib/public/util.php | 20 | ||||
-rw-r--r-- | lib/util.php | 56 |
2 files changed, 76 insertions, 0 deletions
diff --git a/lib/public/util.php b/lib/public/util.php index 9b499574da1..995161e2abe 100644 --- a/lib/public/util.php +++ b/lib/public/util.php @@ -248,6 +248,26 @@ class Util { } + /** + * Register an get/post call. This is important to prevent CSRF attacks + * TODO: write example + */ + public static function callRegister(){ + return(\OC_Util::callRegister()); + } + + + /** + * Check an ajax get/post call if the request token is valid. exit if not. + * Todo: Write howto + */ + public static function callCheck(){ + return(\OC_Util::callCheck()); + } + + + + } ?> diff --git a/lib/util.php b/lib/util.php index 20888fa71f4..ef8ba8efe72 100644 --- a/lib/util.php +++ b/lib/util.php @@ -343,4 +343,60 @@ class OC_Util { } return $id; } + + /** + * Register an get/post call. This is important to prevent CSRF attacks + * Todo: Write howto + */ + public static function callRegister(){ + // generate a random token. + $token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000); + + // store the token together with a timestamp in the session. + $_SESSION['requesttoken-'.$token]=time(); + + // return the token + return($token); + } + + + /** + * Check an ajax get/post call if the request token is valid. exit if not. + * Todo: Write howto + */ + public static function callCheck(){ + //mamimum time before token exires + $maxtime=(60*60); // 1 hour + + // searches in the get and post arrays for the token. + if(isset($_GET['requesttoken'])) { + $token=$_GET['requesttoken']; + }elseif(isset($_POST['requesttoken'])){ + $token=$_POST['requesttoken']; + }else{ + //no token found. exiting + exit; + } + + // check if the token is in the user session and if the timestamp is from the last hour. + if(isset($_SESSION['requesttoken-'.$token])) { + $timestamp=$_SESSION['requesttoken-'.$token]; + if($timestamp+$maxtime<time){ + //token exired. exiting + exit; + + }else{ + //token valid + return; + } + }else{ + //no token found. exiting + exit; + } + } + + + + + } |
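Review bot: The docblocks on the two new public wrappers in lib/public/util.php end in placeholders (`TODO: write example`, `Todo: Write howto`) and do not say that callCheck never returns on failure — it ends the request with exit — which is the one thing a caller of the public API must know. Suggest replacing the callCheck placeholder with `Check an ajax get/post call for a valid request token; terminates the request (exit) if the token is missing, unknown or expired`, and on callRegister documenting that the returned token must be sent back as the `requesttoken` GET/POST parameter. The phrase `Register an get/post call` should also read `Register a get/post call`.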
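Review bot: In OC_Util::callCheck the expiry test `if($timestamp+$maxtime<time){` uses the bare constant `time` instead of the function call, so on PHP 5 it compares against the string 'time' (a notice, and the expiry branch effectively never fires) and on PHP 8 it throws an undefined-constant Error; it should read `if($timestamp+$maxtime<time()){`. The token built in callRegister from three `mt_rand(1000,9000)` calls is a small, non-cryptographic space for an anti-CSRF secret — draw it from a CSPRNG instead, e.g. `$token=bin2hex(openssl_random_pseudo_bytes(16));` (or `random_bytes(16)` where PHP 7+ is available). Every callRegister call adds a `requesttoken-*` session key that is never removed, so stale tokens accumulate for the life of the session; unset the key when the expiry branch fires, and consider unsetting it on successful use so a token cannot be replayed for an hour. Each failure path is a bare `exit`, which ends the request with status 200 and an empty body; sending `header('HTTP/1.1 403 Forbidden');` before exiting lets the ajax caller tell a rejected token from an empty success. Reading the token from `$_GET` also places it in access logs and Referer headers; restricting it to `$_POST` (or a request header) is the safer default.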