author | Lukas Reschke <lukas@statuscode.ch> | 2012-09-28 10:54:11 -0700 |
committer | Lukas Reschke <lukas@statuscode.ch> | 2012-09-28 10:54:11 -0700 |
commit | cfc98398120065d33659f36573f81bcea9a3e97d (patch) | |
tree | dfb19e6ecabf61e14eef01b646825c1685233045 /lib/util.php | |
parent | 35357f3afb90dec1d0a9755ab0e0504a916c5e5a (diff) | |
parent | 71454b1bca0accd1ab5d7628169d4714bb682030 (diff) | |
Merge pull request #19 from arkascha/master
Reimplementation of CSRF protection strategy
Diffstat (limited to 'lib/util.php')
-rwxr-xr-x | lib/util.php | 36 |
1 files changed, 26 insertions, 10 deletions
diff --git a/lib/util.php b/lib/util.php
index c89c4d8c7c1..777cb7a28fc 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -416,14 +416,29 @@ class OC_Util {
 	}
 	/**
-	 * @brief Register an get/post call. This is important to prevent CSRF attacks
-	 * Todo: Write howto
+	 * @brief Static lifespan (in seconds) when a request token expires.
+	 * @see OC_Util::callRegister()
+	 * @see OC_Util::isCallRegistered()
+	 * @description
+	 * Also required for the client side to compute the piont in time when to
+	 * request a fresh token. The client will do so when nearly 97% of the
+	 * timespan coded here has expired.
+	 */
+	public static $callLifespan = 3600; // 3600 secs = 1 hour
+
+	/**
+	 * @brief Register an get/post call. Important to prevent CSRF attacks.
+	 * @todo Write howto: CSRF protection guide
 	 * @return $token Generated token.
+	 * @description
+	 * Creates a 'request token' (random) and stores it inside the session.
+	 * Ever subsequent (ajax) request must use such a valid token to succeed,
+	 * otherwise the request will be denied as a protection against CSRF.
+	 * The tokens expire after a fixed lifespan.
+	 * @see OC_Util::$callLifespan
+	 * @see OC_Util::isCallRegistered()
 	 */
 	public static function callRegister() {
-		//mamimum time before token exires
-		$maxtime=(60*60); // 1 hour
-
 		// generate a random token.
 		$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
@@ -436,7 +451,8 @@ class OC_Util {
 		foreach($_SESSION as $key=>$value) {
 			// search all tokens in the session
 			if(substr($key,0,12)=='requesttoken') {
-				if($value+$maxtime<time()) {
+				// check if static lifespan has expired
+				if($value+self::$callLifespan<time()) {
 					// remove outdated tokens
 					unset($_SESSION[$key]);
 				}
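Review bot: `$callLifespan` is added as a public mutable static, so any code that loads OC_Util can reassign the accepted token lifetime at runtime, and this value now decides how long a CSRF token stays valid; a class constant (`const CALL_LIFESPAN = 3600;`, referenced as `self::CALL_LIFESPAN` in the two expiry checks) or a protected property with a read-only accessor is the safer shape and is still readable by whatever exposes it to the client. The generator on the context line below, three concatenated `mt_rand(1000,9000)` calls, is not a cryptographic source and produces only a twelve-digit token; with tokens now living for a configurable hour, deriving them from `bin2hex(openssl_random_pseudo_bytes(16))` would be the matching hardening. The new docblock also has two typos: `piont` should read `point` and `Ever subsequent` should read `Every subsequent`. callRegister's body continues past the end of this hunk.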
@@ -447,14 +463,13 @@ class OC_Util {
 		return($token);
 	}
-
 	/**
 	 * @brief Check an ajax get/post call if the request token is valid.
 	 * @return boolean False if request token is not set or is invalid.
+	 * @see OC_Util::$callLifespan
+	 * @see OC_Util::calLRegister()
 	 */
 	public static function isCallRegistered() {
-		//mamimum time before token exires
-		$maxtime=(60*60); // 1 hour
 		if(isset($_GET['requesttoken'])) {
 			$token=$_GET['requesttoken'];
 		}elseif(isset($_POST['requesttoken'])) {
@@ -467,7 +482,8 @@ class OC_Util {
 		}
 		if(isset($_SESSION['requesttoken-'.$token])) {
 			$timestamp=$_SESSION['requesttoken-'.$token];
-			if($timestamp+$maxtime<time()) {
+			// check if static lifespan has expired
+			if($timestamp+self::$callLifespan<time()) {
 				return false;
 			}else{
 				//token valid |
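Review bot: The added `@see OC_Util::calLRegister()` misspells the method name, so documentation tools will not resolve the cross-reference; it should read `@see OC_Util::callRegister()`. Separately, the context lines show the token being accepted from `$_GET` as well as `$_POST`; a CSRF token carried in a query string tends to be written to access logs and leaked through Referer headers, so preferring the POST field (or a request header) is worth a follow-up, though that behaviour predates this commit. isCallRegistered's body continues past the end of this hunk.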
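Review bot: An expired token found in the session is rejected but left in place, so `$_SESSION['requesttoken-'.$token]` lingers until the next callRegister() sweep runs its cleanup loop; removing it here keeps the two expiry paths consistent and bounds session growth. Add `unset($_SESSION['requesttoken-'.$token]);` immediately before `return false;` inside the new lifespan check. The surrounding if/else closes outside this hunk.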