diff options
author | Lukas Reschke <lukas@owncloud.com> | 2015-02-09 17:35:19 +0100 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2015-02-09 17:35:19 +0100 |
commit | 47c7eb4e709b92a2c0e1da947b4a2810e7d31180 (patch) | |
tree | 03b5eeee16c775ca50a91d2a13ab3741295bb2ab /lib | |
parent | 5d8f1a1de3f542a94501c45c500fde2f5fa997c4 (diff) | |
parent | 770fa761b8bf8452ff17a2036ca8413e74935a3d (diff) | |
download | nextcloud-server-47c7eb4e709b92a2c0e1da947b4a2810e7d31180.tar.gz nextcloud-server-47c7eb4e709b92a2c0e1da947b4a2810e7d31180.zip |
Merge pull request #13973 from owncloud/enhancement/security/13366
Respect `mod_unique_id` and refactor `OC_Request::getRequestId`
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/appframework/http/request.php | 52 | ||||
-rw-r--r-- | lib/private/log/owncloud.php | 2 | ||||
-rw-r--r-- | lib/private/request.php | 12 | ||||
-rw-r--r-- | lib/private/server.php | 7 | ||||
-rw-r--r-- | lib/private/template.php | 2 | ||||
-rw-r--r-- | lib/public/irequest.php | 7 |
6 files changed, 53 insertions, 29 deletions
diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php index 6012033fe52..4902671d4b8 100644 --- a/lib/private/appframework/http/request.php +++ b/lib/private/appframework/http/request.php @@ -25,6 +25,7 @@ namespace OC\AppFramework\Http; use OCP\IRequest; +use OCP\Security\ISecureRandom; /** * Class for accessing variables in the request. @@ -48,24 +49,32 @@ class Request implements \ArrayAccess, \Countable, IRequest { 'method', 'requesttoken', ); + /** @var ISecureRandom */ + protected $secureRandom; + /** @var string */ + protected $requestId = ''; /** * @param array $vars An associative array with the following optional values: - * @param array 'urlParams' the parameters which were matched from the URL - * @param array 'get' the $_GET array - * @param array|string 'post' the $_POST array or JSON string - * @param array 'files' the $_FILES array - * @param array 'server' the $_SERVER array - * @param array 'env' the $_ENV array - * @param array 'cookies' the $_COOKIE array - * @param string 'method' the request method (GET, POST etc) - * @param string|false 'requesttoken' the requesttoken or false when not available + * - array 'urlParams' the parameters which were matched from the URL + * - array 'get' the $_GET array + * - array|string 'post' the $_POST array or JSON string + * - array 'files' the $_FILES array + * - array 'server' the $_SERVER array + * - array 'env' the $_ENV array + * - array 'cookies' the $_COOKIE array + * - string 'method' the request method (GET, POST etc) + * - string|false 'requesttoken' the requesttoken or false when not available + * @param ISecureRandom $secureRandom + * @param string $stream * @see http://www.php.net/manual/en/reserved.variables.php */ - public function __construct(array $vars=array(), $stream='php://input') { - + public function __construct(array $vars=array(), + ISecureRandom $secureRandom, + $stream='php://input') { $this->inputStream = $stream; $this->items['params'] = array(); + $this->secureRandom = $secureRandom; if(!array_key_exists('method', $vars)) { $vars['method'] = 'GET'; @@ -384,4 +393,23 @@ class Request implements \ArrayAccess, \Countable, IRequest { // Valid token return true; } - }} + } + + /** + * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging + * If `mod_unique_id` is installed this value will be taken. + * @return string + */ + public function getId() { + if(isset($this->server['UNIQUE_ID'])) { + return $this->server['UNIQUE_ID']; + } + + if(empty($this->requestId)) { + $this->requestId = $this->secureRandom->getLowStrengthGenerator()->generate(20); + } + + return $this->requestId; + } + +} diff --git a/lib/private/log/owncloud.php b/lib/private/log/owncloud.php index c8ae61032aa..8e55bf1c695 100644 --- a/lib/private/log/owncloud.php +++ b/lib/private/log/owncloud.php @@ -68,7 +68,7 @@ class OC_Log_Owncloud { $timezone = new DateTimeZone('UTC'); } $time = new DateTime(null, $timezone); - $reqId = \OC_Request::getRequestID(); + $reqId = \OC::$server->getRequest()->getId(); $remoteAddr = \OC_Request::getRemoteAddress(); // remove username/passwords from URLs before writing the to the log file $time = $time->format($format); diff --git a/lib/private/request.php b/lib/private/request.php index 3bf7d94d9cf..ab011c913d9 100644 --- a/lib/private/request.php +++ b/lib/private/request.php @@ -13,7 +13,6 @@ class OC_Request { const USER_AGENT_ANDROID_MOBILE_CHROME = '#Android.*Chrome/[.0-9]*#'; const USER_AGENT_FREEBOX = '#^Mozilla/5\.0$#'; const REGEX_LOCALHOST = '/^(127\.0\.0\.1|localhost)$/'; - static protected $reqId; /** * Returns the remote address, if the connection came from a trusted proxy and `forwarded_for_headers` has been configured @@ -44,17 +43,6 @@ class OC_Request { } /** - * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging - * @return string - */ - public static function getRequestID() { - if(self::$reqId === null) { - self::$reqId = hash('md5', microtime().\OC::$server->getSecureRandom()->getLowStrengthGenerator()->generate(20)); - } - return self::$reqId; - } - - /** * Check overwrite condition * @param string $type * @return bool diff --git a/lib/private/server.php b/lib/private/server.php index 15c33e1905f..b023534ae21 100644 --- a/lib/private/server.php +++ b/lib/private/server.php @@ -10,7 +10,6 @@ use OC\Cache\UserCache; use OC\Diagnostics\NullQueryLogger; use OC\Diagnostics\EventLogger; use OC\Diagnostics\QueryLogger; -use OC\Files\Config\StorageManager; use OC\Security\CertificateManager; use OC\Files\Node\Root; use OC\Files\View; @@ -64,7 +63,7 @@ class Server extends SimpleContainer implements IServerContainer { } return new Request( - array( + [ 'get' => $_GET, 'post' => $_POST, 'files' => $_FILES, @@ -76,7 +75,9 @@ class Server extends SimpleContainer implements IServerContainer { : null, 'urlParams' => $urlParams, 'requesttoken' => $requestToken, - ), $stream + ], + $this->getSecureRandom(), + $stream ); }); $this->registerService('PreviewManager', function ($c) { diff --git a/lib/private/template.php b/lib/private/template.php index d407eb8384c..4fa1c867d54 100644 --- a/lib/private/template.php +++ b/lib/private/template.php @@ -223,7 +223,7 @@ class OC_Template extends \OC\Template\Base { $content->assign('trace', $exception->getTraceAsString()); $content->assign('debugMode', defined('DEBUG') && DEBUG === true); $content->assign('remoteAddr', OC_Request::getRemoteAddress()); - $content->assign('requestID', OC_Request::getRequestID()); + $content->assign('requestID', \OC::$server->getRequest()->getId()); $content->printPage(); die(); } diff --git a/lib/public/irequest.php b/lib/public/irequest.php index 988b3aebd7b..b5ea1fa95da 100644 --- a/lib/public/irequest.php +++ b/lib/public/irequest.php @@ -127,4 +127,11 @@ interface IRequest { * @return bool true if CSRF check passed */ public function passesCSRFCheck(); + + /** + * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging + * If `mod_unique_id` is installed this value will be taken. + * @return string + */ + public function getId(); } |