diff options
| author | Roeland Jago Douma <rullzer@owncloud.com> | 2016-04-14 19:21:18 +0200 |
|---|---|---|
| committer | Roeland Jago Douma <rullzer@owncloud.com> | 2016-04-14 19:21:18 +0200 |
| commit | 9050e76d955e06a5e5ed9b4b1c444bdf03699ba0 (patch) | |
| tree | eeded71dd4672fc9dc2f67296b0faff8cd62ab73 /lib/private/Security/CSRF/CsrfToken.php | |
| parent | 5911ce530b003d46348f59e9280b610f684de85a (diff) | |
| download | nextcloud-server-9050e76d955e06a5e5ed9b4b1c444bdf03699ba0.tar.gz nextcloud-server-9050e76d955e06a5e5ed9b4b1c444bdf03699ba0.zip | |
Move \OC\Security to PSR-4
Diffstat (limited to 'lib/private/Security/CSRF/CsrfToken.php')
| -rw-r--r-- | lib/private/Security/CSRF/CsrfToken.php | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/lib/private/Security/CSRF/CsrfToken.php b/lib/private/Security/CSRF/CsrfToken.php new file mode 100644 index 00000000000..4524d0db6e6 --- /dev/null +++ b/lib/private/Security/CSRF/CsrfToken.php @@ -0,0 +1,69 @@ +<?php +/** + * @author Lukas Reschke <lukas@owncloud.com> + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OC\Security\CSRF; + +/** + * Class CsrfToken represents the stored or provided CSRF token. To mitigate + * BREACH alike vulnerabilities the token is returned in an encrypted value as + * well in an unencrypted value. For display measures to the user always the + * unencrypted one should be chosen. + * + * @package OC\Security\CSRF + */ +class CsrfToken { + /** @var string */ + private $value; + + /** + * @param string $value Value of the token. Can be encrypted or not encrypted. + */ + public function __construct($value) { + $this->value = $value; + } + + /** + * Encrypted value of the token. This is used to mitigate BREACH alike + * vulnerabilities. For display measures do use this functionality. + * + * @return string + */ + public function getEncryptedValue() { + $sharedSecret = base64_encode(random_bytes(strlen($this->value))); + return base64_encode($this->value ^ $sharedSecret) .':'.$sharedSecret; + } + + /** + * The unencrypted value of the token. Used for decrypting an already + * encrypted token. + * + * @return int + */ + public function getDecryptedValue() { + $token = explode(':', $this->value); + if (count($token) !== 2) { + return ''; + } + $obfuscatedToken = $token[0]; + $secret = $token[1]; + return base64_decode($obfuscatedToken) ^ $secret; + } +} |