authorBart Visscher <bartv@thisnet.nl>2013-09-27 15:16:34 +0200
committerBart Visscher <bartv@thisnet.nl>2013-10-04 18:13:04 +0200
commit21cbef0d2cc80228d2a473ccfb6ad5b071f314c7 (patch)
tree214ccd2c50590fc6c996280797be93e0b1aeae92
parent61a9098b7d88656d0297a18c1b7685c04d1c64dc (diff)
downloadnextcloud-server-21cbef0d2cc80228d2a473ccfb6ad5b071f314c7.tar.gz
nextcloud-server-21cbef0d2cc80228d2a473ccfb6ad5b071f314c7.zip
passesCSRFCheck added to OCP\IRequest
-rw-r--r--lib/private/appframework/http/request.php38
-rw-r--r--lib/private/server.php17
-rwxr-xr-xlib/private/util.php24
-rw-r--r--lib/public/irequest.php5
4 files changed, 57 insertions, 27 deletions
diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php
index f152956c8cf..3e1f4ff87ed 100644
--- a/lib/private/appframework/http/request.php
+++ b/lib/private/appframework/http/request.php
@@ -43,7 +43,8 @@ class Request implements \ArrayAccess, \Countable, IRequest {
'cookies',
'urlParams',
'parameters',
- 'method'
+ 'method',
+ 'requesttoken',
);
/**
@@ -54,9 +55,9 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* @param array 'files' the $_FILES array
* @param array 'server' the $_SERVER array
* @param array 'env' the $_ENV array
- * @param array 'session' the $_SESSION array
* @param array 'cookies' the $_COOKIE array
* @param string 'method' the request method (GET, POST etc)
+ * @param string|false 'requesttoken' the requesttoken or false when not available
* @see http://www.php.net/manual/en/reserved.variables.php
*/
public function __construct(array $vars=array()) {
@@ -354,4 +355,35 @@ class Request implements \ArrayAccess, \Countable, IRequest {
return $this->content;
}
-}
+
+ /**
+ * Checks if the CSRF check was correct
+ * @return bool true if CSRF check passed
+ * @see OC_Util::$callLifespan
+ * @see OC_Util::callRegister()
+ */
+ public function passesCSRFCheck() {
+ if($this->items['requesttoken'] === false) {
+ return false;
+ }
+
+ if (isset($this->items['get']['requesttoken'])) {
+ $token = $this->items['get']['requesttoken'];
+ } elseif (isset($this->items['post']['requesttoken'])) {
+ $token = $this->items['post']['requesttoken'];
+ } elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
+ $token = $this->items['server']['HTTP_REQUESTTOKEN'];
+ } else {
+ //no token found.
+ return false;
+ }
+
+ // Check if the token is valid
+ if($token !== $this->items['requesttoken']) {
+ // Not valid
+ return false;
+ } else {
+ // Valid token
+ return true;
+ }
+ }}
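Review bot: The final `}}` closes both passesCSRFCheck() and the Request class on one line; put the class's closing brace on its own line, and the trailing if/else can collapse to `return $token === $this->items['requesttoken'];`. That comparison is a plain `!==`, so it is not constant-time; where `hash_equals()` is available the last block could be `return is_string($token) && hash_equals($this->items['requesttoken'], $token);`, which also makes the rejection of a non-string `requesttoken` value explicit rather than a side effect of strict comparison. The early `=== false` return relies on the constructor storing `false` under `items['requesttoken']` when the key is absent from `$vars`; that constructor is outside the hunk, so confirm the default is genuinely `false` and not merely a value that happens to compare unequal.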
diff --git a/lib/private/server.php b/lib/private/server.php
index 4000f546a3b..73a0cbd6ce6 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -22,6 +22,19 @@ class Server extends SimpleContainer implements IServerContainer {
return new ContactsManager();
});
$this->registerService('Request', function($c) {
+ if (isset($c['urlParams'])) {
+ $urlParams = $c['urlParams'];
+ } else {
+ $urlParams = array();
+ }
+
+ if (\OC::$session->exists('requesttoken')) {
+ $requesttoken = \OC::$session->get('requesttoken');
+ } else {
+ $requesttoken = false;
+ }
+
+
return new Request(
array(
'get' => $_GET,
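Review bot: The session token is now copied into the Request once, when the `Request` service closure runs, whereas the removed body of OC_Util::isCallRegistered (util.php hunk) read `\OC::$session` on every call; if the session's `requesttoken` is replaced after the Request has been built, passesCSRFCheck() keeps comparing against the stale copy. If that snapshot behaviour is intended, say so above the `exists('requesttoken')` check: `// token is read once when the Request is built; later session changes are not seen`. Also, the two consecutive blank lines before `return new Request(` should be one. The closure continues in the next hunk.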
@@ -33,7 +46,9 @@ class Server extends SimpleContainer implements IServerContainer {
'method' => (isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']))
? $_SERVER['REQUEST_METHOD']
: null,
- 'urlParams' => $c['urlParams']
+ 'params' => $params,
+ 'urlParams' => $urlParams,
+ 'requesttoken' => $requesttoken,
)
);
});
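Review bot: `'params' => $params,` reads a variable that is never assigned in this closure — from `function($c) {` to `return new Request(` (previous hunk) only `$urlParams` and `$requesttoken` are defined, and the lines omitted between the two hunks sit inside the `array(` literal — so this raises an undefined-variable notice and passes `null`. `params` is also not among the keys the request.php hunk lists (`parameters` is), so it looks like a leftover; drop the line, or assign `$params` explicitly if a parameters array is intended.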
diff --git a/lib/private/util.php b/lib/private/util.php
index 04a020ff006..c5b4d2ae93e 100755
--- a/lib/private/util.php
+++ b/lib/private/util.php
@@ -695,29 +695,7 @@ class OC_Util {
* @see OC_Util::callRegister()
*/
public static function isCallRegistered() {
- if(!\OC::$session->exists('requesttoken')) {
- return false;
- }
-
- if(isset($_GET['requesttoken'])) {
- $token = $_GET['requesttoken'];
- } elseif(isset($_POST['requesttoken'])) {
- $token = $_POST['requesttoken'];
- } elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])) {
- $token = $_SERVER['HTTP_REQUESTTOKEN'];
- } else {
- //no token found.
- return false;
- }
-
- // Check if the token is valid
- if($token !== \OC::$session->get('requesttoken')) {
- // Not valid
- return false;
- } else {
- // Valid token
- return true;
- }
+ return \OC::$server->getRequest()->passesCSRFCheck();
}
/**
diff --git a/lib/public/irequest.php b/lib/public/irequest.php
index 054f15d9eb2..45b27868d70 100644
--- a/lib/public/irequest.php
+++ b/lib/public/irequest.php
@@ -107,4 +107,9 @@ interface IRequest {
function getCookie($key);
+ /**
+ * Checks if the CSRF check was correct
+ * @return bool true if CSRF check passed
+ */
+ public function passesCSRFCheck();
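Review bot: `public function passesCSRFCheck();` declares an explicit visibility while the neighbouring `function getCookie($key);` omits it; match the file's existing style (or add `public` to every method) so the interface reads consistently. The docblock also only says the check "was correct", which is not enough for an implementer; expand it to state that the token is taken from the `requesttoken` GET/POST parameter or the `HTTP_REQUESTTOKEN` header and compared with the session's token, and that `false` is returned when either side is absent.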
}