author | Lukas Reschke <lukas@statuscode.ch> | 2012-10-28 20:50:50 +0100 |
committer | Lukas Reschke <lukas@statuscode.ch> | 2012-10-29 16:35:29 +0100 |
commit | ac784baef689ca5c0f22c8acdce8e13f6d918101 (patch) | |
tree | 22181d662f2d7487cc7fa39c351ac42e964d03a5 | |
parent | 4d61eb3e4cf51a3c5d3610df93544ef340c057e0 (diff) | |
Generate only one CSRF token
-rwxr-xr-x | lib/util.php | 50 |
1 files changed, 19 insertions, 31 deletions
diff --git a/lib/util.php b/lib/util.php
index 8f00acde7ef..de89e339d99 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -496,28 +496,19 @@ class OC_Util {
 * @see OC_Util::isCallRegistered()
 */
 public static function callRegister() {
- // generate a random token.
- $token = self::generate_random_bytes(20);
-
- // store the token together with a timestamp in the session.
- $_SESSION['requesttoken-'.$token]=time();
-
- // cleanup old tokens garbage collector
- // only run every 20th time so we don't waste cpu cycles
- if(rand(0, 20)==0) {
- foreach($_SESSION as $key=>$value) {
- // search all tokens in the session
- if(substr($key, 0, 12)=='requesttoken') {
- // check if static lifespan has expired
- if($value+self::$callLifespan<time()) {
- // remove outdated tokens
- unset($_SESSION[$key]);
- }
- }
- }
+ // Check if a token exists
+ if(!isset($_SESSION['requesttoken']) || time() >$_SESSION['requesttoken']['time']) {
+ // No valid token found, generate a new one.
+ $requestTokenArray = array(
+ "requesttoken" => self::generate_random_bytes(20),
+ "time" => time()+self::$callLifespan,
+ );
+ $_SESSION['requesttoken']=$requestTokenArray;
+ } else {
+ // Valid token already exists, send it
+ $requestTokenArray = $_SESSION['requesttoken'];
 }
- // return the token
- return($token);
+ return($requestTokenArray['requesttoken']);
 }
 /**
@@ -537,17 +528,14 @@ class OC_Util {
 //no token found.
 return false;
 }
- if(isset($_SESSION['requesttoken-'.$token])) {
- $timestamp=$_SESSION['requesttoken-'.$token];
- // check if static lifespan has expired
- if($timestamp+self::$callLifespan<time()) {
- return false;
- }else{
- //token valid
- return true;
- }
- }else{
+
+ // Check if the token is valid
+ if(!isset($_SESSION['requesttoken']) || time() > $_SESSION['requesttoken']["time"]) {
+ // Not valid
 return false;
+ } else {
+ // Valid token
+ return true;
 }
 }
|
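Review bot: The expiry predicate `!isset($_SESSION['requesttoken']) || time() > $_SESSION['requesttoken']['time']` written into callRegister() in this hunk is repeated verbatim, with different quoting (`['time']` versus `["time"]`), in the second hunk, so the rule that decides when a token is stale lives in two places and can drift when the lifespan handling changes. Factoring it into one private static helper and calling `if(!self::hasValidRequestToken()) {` at both sites keeps issuance and validation on the same rule; the helper also gives the session layout (`requesttoken` plus an absolute `time` expiry) one documented home. The trailing `/**` context shows the next method's docblock begins outside this hunk.
```php
    /** Whether $_SESSION holds a CSRF token whose absolute expiry ('time') has not passed. */
    private static function hasValidRequestToken() {
        return isset($_SESSION['requesttoken'])
            && time() <= $_SESSION['requesttoken']['time'];
    }
    // … unchanged: callRegister(), with its condition replaced by !self::hasValidRequestToken() …
```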
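Review bot: The submitted token is never compared with the stored one in the second hunk: the new condition only tests that the session holds an unexpired `requesttoken` entry, so once any page has issued a token, whatever non-empty value accompanies a request satisfies the check (the `no token found` branch above it, in a function whose start is outside the hunk, only rejects an absent `$token`). The removed code tied validity to the submitted value through `$_SESSION['requesttoken-'.$token]`; the replacement should keep that binding, for example `if(!isset($_SESSION['requesttoken']) || time() > $_SESSION['requesttoken']['time'] || $_SESSION['requesttoken']['requesttoken'] !== $token) {`. With the guard rejecting every invalid case, the `} else { // Valid token return true; }` branch can be a plain `return true;` after the if.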