summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorLukas Reschke <lukas@owncloud.com>2015-02-09 17:35:19 +0100
committerLukas Reschke <lukas@owncloud.com>2015-02-09 17:35:19 +0100
commit47c7eb4e709b92a2c0e1da947b4a2810e7d31180 (patch)
tree03b5eeee16c775ca50a91d2a13ab3741295bb2ab /lib
parent5d8f1a1de3f542a94501c45c500fde2f5fa997c4 (diff)
parent770fa761b8bf8452ff17a2036ca8413e74935a3d (diff)
downloadnextcloud-server-47c7eb4e709b92a2c0e1da947b4a2810e7d31180.tar.gz
nextcloud-server-47c7eb4e709b92a2c0e1da947b4a2810e7d31180.zip
Merge pull request #13973 from owncloud/enhancement/security/13366
Respect `mod_unique_id` and refactor `OC_Request::getRequestId`
Diffstat (limited to 'lib')
-rw-r--r--lib/private/appframework/http/request.php52
-rw-r--r--lib/private/log/owncloud.php2
-rw-r--r--lib/private/request.php12
-rw-r--r--lib/private/server.php7
-rw-r--r--lib/private/template.php2
-rw-r--r--lib/public/irequest.php7
6 files changed, 53 insertions, 29 deletions
diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php
index 6012033fe52..4902671d4b8 100644
--- a/lib/private/appframework/http/request.php
+++ b/lib/private/appframework/http/request.php
@@ -25,6 +25,7 @@
namespace OC\AppFramework\Http;
use OCP\IRequest;
+use OCP\Security\ISecureRandom;
/**
* Class for accessing variables in the request.
@@ -48,24 +49,32 @@ class Request implements \ArrayAccess, \Countable, IRequest {
'method',
'requesttoken',
);
+ /** @var ISecureRandom */
+ protected $secureRandom;
+ /** @var string */
+ protected $requestId = '';
/**
* @param array $vars An associative array with the following optional values:
- * @param array 'urlParams' the parameters which were matched from the URL
- * @param array 'get' the $_GET array
- * @param array|string 'post' the $_POST array or JSON string
- * @param array 'files' the $_FILES array
- * @param array 'server' the $_SERVER array
- * @param array 'env' the $_ENV array
- * @param array 'cookies' the $_COOKIE array
- * @param string 'method' the request method (GET, POST etc)
- * @param string|false 'requesttoken' the requesttoken or false when not available
+ * - array 'urlParams' the parameters which were matched from the URL
+ * - array 'get' the $_GET array
+ * - array|string 'post' the $_POST array or JSON string
+ * - array 'files' the $_FILES array
+ * - array 'server' the $_SERVER array
+ * - array 'env' the $_ENV array
+ * - array 'cookies' the $_COOKIE array
+ * - string 'method' the request method (GET, POST etc)
+ * - string|false 'requesttoken' the requesttoken or false when not available
+ * @param ISecureRandom $secureRandom
+ * @param string $stream
* @see http://www.php.net/manual/en/reserved.variables.php
*/
- public function __construct(array $vars=array(), $stream='php://input') {
-
+ public function __construct(array $vars=array(),
+ ISecureRandom $secureRandom,
+ $stream='php://input') {
$this->inputStream = $stream;
$this->items['params'] = array();
+ $this->secureRandom = $secureRandom;
if(!array_key_exists('method', $vars)) {
$vars['method'] = 'GET';
@@ -384,4 +393,23 @@ class Request implements \ArrayAccess, \Countable, IRequest {
// Valid token
return true;
}
- }}
+ }
+
+ /**
+ * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging
+ * If `mod_unique_id` is installed this value will be taken.
+ * @return string
+ */
+ public function getId() {
+ if(isset($this->server['UNIQUE_ID'])) {
+ return $this->server['UNIQUE_ID'];
+ }
+
+ if(empty($this->requestId)) {
+ $this->requestId = $this->secureRandom->getLowStrengthGenerator()->generate(20);
+ }
+
+ return $this->requestId;
+ }
+
+}
diff --git a/lib/private/log/owncloud.php b/lib/private/log/owncloud.php
index c8ae61032aa..8e55bf1c695 100644
--- a/lib/private/log/owncloud.php
+++ b/lib/private/log/owncloud.php
@@ -68,7 +68,7 @@ class OC_Log_Owncloud {
$timezone = new DateTimeZone('UTC');
}
$time = new DateTime(null, $timezone);
- $reqId = \OC_Request::getRequestID();
+ $reqId = \OC::$server->getRequest()->getId();
$remoteAddr = \OC_Request::getRemoteAddress();
// remove username/passwords from URLs before writing the to the log file
$time = $time->format($format);
diff --git a/lib/private/request.php b/lib/private/request.php
index 3bf7d94d9cf..ab011c913d9 100644
--- a/lib/private/request.php
+++ b/lib/private/request.php
@@ -13,7 +13,6 @@ class OC_Request {
const USER_AGENT_ANDROID_MOBILE_CHROME = '#Android.*Chrome/[.0-9]*#';
const USER_AGENT_FREEBOX = '#^Mozilla/5\.0$#';
const REGEX_LOCALHOST = '/^(127\.0\.0\.1|localhost)$/';
- static protected $reqId;
/**
* Returns the remote address, if the connection came from a trusted proxy and `forwarded_for_headers` has been configured
@@ -44,17 +43,6 @@ class OC_Request {
}
/**
- * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging
- * @return string
- */
- public static function getRequestID() {
- if(self::$reqId === null) {
- self::$reqId = hash('md5', microtime().\OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate(20));
- }
- return self::$reqId;
- }
-
- /**
* Check overwrite condition
* @param string $type
* @return bool
diff --git a/lib/private/server.php b/lib/private/server.php
index 15c33e1905f..b023534ae21 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -10,7 +10,6 @@ use OC\Cache\UserCache;
use OC\Diagnostics\NullQueryLogger;
use OC\Diagnostics\EventLogger;
use OC\Diagnostics\QueryLogger;
-use OC\Files\Config\StorageManager;
use OC\Security\CertificateManager;
use OC\Files\Node\Root;
use OC\Files\View;
@@ -64,7 +63,7 @@ class Server extends SimpleContainer implements IServerContainer {
}
return new Request(
- array(
+ [
'get' => $_GET,
'post' => $_POST,
'files' => $_FILES,
@@ -76,7 +75,9 @@ class Server extends SimpleContainer implements IServerContainer {
: null,
'urlParams' => $urlParams,
'requesttoken' => $requestToken,
- ), $stream
+ ],
+ $this->getSecureRandom(),
+ $stream
);
});
$this->registerService('PreviewManager', function ($c) {
diff --git a/lib/private/template.php b/lib/private/template.php
index d407eb8384c..4fa1c867d54 100644
--- a/lib/private/template.php
+++ b/lib/private/template.php
@@ -223,7 +223,7 @@ class OC_Template extends \OC\Template\Base {
$content->assign('trace', $exception->getTraceAsString());
$content->assign('debugMode', defined('DEBUG') && DEBUG === true);
$content->assign('remoteAddr', OC_Request::getRemoteAddress());
- $content->assign('requestID', OC_Request::getRequestID());
+ $content->assign('requestID', \OC::$server->getRequest()->getId());
$content->printPage();
die();
}
diff --git a/lib/public/irequest.php b/lib/public/irequest.php
index 988b3aebd7b..b5ea1fa95da 100644
--- a/lib/public/irequest.php
+++ b/lib/public/irequest.php
@@ -127,4 +127,11 @@ interface IRequest {
* @return bool true if CSRF check passed
*/
public function passesCSRFCheck();
+
+ /**
+ * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging
+ * If `mod_unique_id` is installed this value will be taken.
+ * @return string
+ */
+ public function getId();
}