authorLukas Reschke <lukas@statuscode.ch>2012-11-04 05:54:02 -0800
committerLukas Reschke <lukas@statuscode.ch>2012-11-04 05:54:02 -0800
commit8c4c74b23f268b232e3f591ea564c018597ee82d (patch)
treeba5ade7cfd4614ab15960e19ce221ea6b60df484 /lib
parent80b98547107ec3b5895a47c2f1ebfbd4f171f238 (diff)
parent393d2517ee6734c9540211edb714b3ec1324018f (diff)
Merge pull request #178 from owncloud/JustOneCSRFTokenPerSession
Just one CSRF token per session
Diffstat (limited to 'lib')
-rw-r--r--lib/base.php2
-rw-r--r--lib/template.php2
-rwxr-xr-xlib/util.php29
3 files changed, 6 insertions, 27 deletions
diff --git a/lib/base.php b/lib/base.php
index 5c3d3fb80ce..c54fdc618cb 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -264,8 +264,6 @@ class OC{
OC_Util::addScript( "jquery-tipsy" );
OC_Util::addScript( "oc-dialogs" );
OC_Util::addScript( "js" );
- // request protection token MUST be defined after the jquery library but before any $('document').ready()
- OC_Util::addScript( "requesttoken" );
OC_Util::addScript( "eventsource" );
OC_Util::addScript( "config" );
//OC_Util::addScript( "multiselect" );
diff --git a/lib/template.php b/lib/template.php
index ed2481afba2..e8dbe622419 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -172,7 +172,6 @@ class OC_Template{
$this->application = $app;
$this->vars = array();
$this->vars['requesttoken'] = OC_Util::callRegister();
- $this->vars['requestlifespan'] = OC_Util::$callLifespan;
$parts = explode('/', $app); // fix translation when app is something like core/lostpassword
$this->l10n = OC_L10N::get($parts[0]);
@@ -391,7 +390,6 @@ class OC_Template{
$page = new OC_TemplateLayout($this->renderas);
if($this->renderas == 'user') {
$page->assign('requesttoken', $this->vars['requesttoken']);
- $page->assign('requestlifespan', $this->vars['requestlifespan']);
}
// Add custom headers
diff --git a/lib/util.php b/lib/util.php
index a9bc5c061c8..5907cc46a08 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -473,17 +473,6 @@ class OC_Util {
}
/**
- * @brief Static lifespan (in seconds) when a request token expires.
- * @see OC_Util::callRegister()
- * @see OC_Util::isCallRegistered()
- * @description
- * Also required for the client side to compute the piont in time when to
- * request a fresh token. The client will do so when nearly 97% of the
- * timespan coded here has expired.
- */
- public static $callLifespan = 3600; // 3600 secs = 1 hour
-
- /**
* @brief Register an get/post call. Important to prevent CSRF attacks.
* @todo Write howto: CSRF protection guide
* @return $token Generated token.
@@ -491,30 +480,24 @@ class OC_Util {
* Creates a 'request token' (random) and stores it inside the session.
* Ever subsequent (ajax) request must use such a valid token to succeed,
* otherwise the request will be denied as a protection against CSRF.
- * The tokens expire after a fixed lifespan.
- * @see OC_Util::$callLifespan
* @see OC_Util::isCallRegistered()
*/
public static function callRegister() {
// Check if a token exists
- if(!isset($_SESSION['requesttoken']) || time() >$_SESSION['requesttoken']['time']) {
+ if(!isset($_SESSION['requesttoken'])) {
// No valid token found, generate a new one.
- $requestTokenArray = array(
- "requesttoken" => self::generate_random_bytes(20),
- "time" => time()+self::$callLifespan,
- );
- $_SESSION['requesttoken']=$requestTokenArray;
+ $requestToken = self::generate_random_bytes(20);
+ $_SESSION['requesttoken']=$requestToken;
} else {
// Valid token already exists, send it
- $requestTokenArray = $_SESSION['requesttoken'];
+ $requestToken = $_SESSION['requesttoken'];
}
- return($requestTokenArray['requesttoken']);
+ return($requestToken);
}
/**
* @brief Check an ajax get/post call if the request token is valid.
* @return boolean False if request token is not set or is invalid.
- * @see OC_Util::$callLifespan
* @see OC_Util::callRegister()
*/
public static function isCallRegistered() {
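Review bot: With the expiry dropped from `callRegister`, the value written at `$_SESSION['requesttoken']=$requestToken;` now lives for the whole PHP session and nothing in this hunk rotates it, so a token handed to an unauthenticated session survives login unless the login path already clears it. I would add `unset($_SESSION['requesttoken']);` next to the `session_regenerate_id()` call in the login code (not visible here; confirm it exists), so the first `callRegister()` after authentication mints a fresh token for the authenticated session. Separately, the docblock still says `@return $token Generated token.`; since this value is emitted into templates and compared byte-for-byte, a line such as `@return string The session's request token (printable output of generate_random_bytes)` would state the contract, assuming `generate_random_bytes` returns printable characters rather than raw bytes, which this hunk does not show. The body of `isCallRegistered` begins outside this hunk.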
@@ -530,7 +513,7 @@ class OC_Util {
}
// Check if the token is valid
- if(!isset($_SESSION['requesttoken']) || time() > $_SESSION['requesttoken']["time"]) {
+ if($token !== $_SESSION['requesttoken']) {
// Not valid
return false;
} else {