diff options
| author | Thomas Tanghus <thomas@tanghus.net> | 2012-06-13 17:33:19 +0200 |
|---|---|---|
| committer | Thomas Tanghus <thomas@tanghus.net> | 2012-06-13 17:33:19 +0200 |
| commit | 89464721c7aa4464419cbcbedc658843f6c4696d (patch) | |
| tree | a832cf7faa050440aaeb66c3df831d15d0da751a | |
| parent | 9e9c40eabd07cc4b44f2a9ae3d7935ad2a07b9fa (diff) | |
| download | nextcloud-server-89464721c7aa4464419cbcbedc658843f6c4696d.tar.gz nextcloud-server-89464721c7aa4464419cbcbedc658843f6c4696d.zip | |
Added JSON methods for CSRF prevention. Make request token accessible from template and add js var.
| -rw-r--r-- | core/templates/layout.user.php | 10 | ||||
| -rw-r--r-- | lib/json.php | 12 | ||||
| -rw-r--r-- | lib/public/json.php | 7 | ||||
| -rw-r--r-- | lib/template.php | 4 | ||||
| -rwxr-xr-x | lib/util.php | 43 |
5 files changed, 54 insertions, 22 deletions
diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php index e04fcabf137..6f9b02237c9 100644 --- a/core/templates/layout.user.php +++ b/core/templates/layout.user.php @@ -30,6 +30,16 @@ echo '/>'; ?> <?php endforeach; ?> + <script type="text/javascript"> + $(function() { + var requesttoken = '<?php echo $_['requesttoken']; ?>'; + $(document).bind('ajaxSend', function(elm, xhr, s){ + if(requesttoken) { + xhr.setRequestHeader('requesttoken', requesttoken); + } + }); + }); + </script> </head> <body id="<?php echo $_['bodyid'];?>"> diff --git a/lib/json.php b/lib/json.php index f3bbe9ac899..dfc0a7b894e 100644 --- a/lib/json.php +++ b/lib/json.php @@ -42,6 +42,18 @@ class OC_JSON{ } /** + * @brief Check an ajax get/post call if the request token is valid. + * @return json Error msg if not valid. + */ + public static function callCheck(){ + if( !OC_Util::isCallRegistered()){ + $l = OC_L10N::get('core'); + self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') ))); + exit(); + } + } + + /** * Check if the user is a admin, send json error msg if not */ public static function checkAdminUser(){ diff --git a/lib/public/json.php b/lib/public/json.php index a8554671d10..b6edbd65bd5 100644 --- a/lib/public/json.php +++ b/lib/public/json.php @@ -53,6 +53,13 @@ class JSON { return(\OC_JSON::checkLoggedIn()); } + /** + * @brief Check an ajax get/post call if the request token is valid. + * @return json Error msg if not valid. + */ + public static function callCheck(){ + return(\OC_JSON::callCheck()); + } /** * @brief Send json success msg diff --git a/lib/template.php b/lib/template.php index 14833a1e5b5..9ce041a71c3 100644 --- a/lib/template.php +++ b/lib/template.php @@ -155,6 +155,9 @@ class OC_Template{ $this->renderas = $renderas; $this->application = $app; $this->vars = array(); + if($renderas == 'user') { + $this->vars['requesttoken'] = OC_Util::callRegister(); + } $this->l10n = OC_L10N::get($app); header('X-Frame-Options: Sameorigin'); header('X-XSS-Protection: 1; mode=block'); @@ -355,6 +358,7 @@ class OC_Template{ if( $this->renderas == "user" ){ $page = new OC_Template( "core", "layout.user" ); $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' )); + $page->assign('requesttoken', $this->vars['requesttoken']); if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){ $page->assign('bodyid','body-settings'); }else{ diff --git a/lib/util.php b/lib/util.php index e4efd953ec5..0266a8ecc5f 100755 --- a/lib/util.php +++ b/lib/util.php @@ -355,8 +355,9 @@ class OC_Util { } /** - * Register an get/post call. This is important to prevent CSRF attacks + * @brief Register an get/post call. This is important to prevent CSRF attacks * Todo: Write howto + * @return $token Generated token. */ public static function callRegister(){ //mamimum time before token exires @@ -381,50 +382,48 @@ class OC_Util { } } } - - // return the token return($token); } /** - * Check an ajax get/post call if the request token is valid. exit if not. - * Todo: Write howto + * @brief Check an ajax get/post call if the request token is valid. + * @return boolean False if request token is not set or is invalid. */ - public static function callCheck(){ + public static function isCallRegistered(){ //mamimum time before token exires $maxtime=(60*60); // 1 hour - - // searches in the get and post arrays for the token. if(isset($_GET['requesttoken'])) { $token=$_GET['requesttoken']; }elseif(isset($_POST['requesttoken'])){ $token=$_POST['requesttoken']; + }elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){ + $token=$_SERVER['HTTP_REQUESTTOKEN']; }else{ - //no token found. exiting - exit; + //no token found. + return false; } - - // check if the token is in the user session and if the timestamp is from the last hour. if(isset($_SESSION['requesttoken-'.$token])) { $timestamp=$_SESSION['requesttoken-'.$token]; if($timestamp+$maxtime<time()){ - //token exired. exiting - exit; - + return false; }else{ //token valid - return; + return true; } }else{ - //no token found. exiting - exit; + return false; } } - - - - + /** + * @brief Check an ajax get/post call if the request token is valid. exit if not. + * Todo: Write howto + */ + public static function callCheck(){ + if(!OC_Util::isCallRegistered()) { + exit; + } + } } |