summaryrefslogtreecommitdiffstats
path: root/lib/private/util.php
diff options
context:
space:
mode:
Diffstat (limited to 'lib/private/util.php')
-rw-r--r--lib/private/util.php8
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/private/util.php b/lib/private/util.php
index 501dbf5c4c5..edd375b5c36 100644
--- a/lib/private/util.php
+++ b/lib/private/util.php
@@ -1057,7 +1057,8 @@ class OC_Util {
/**
* Register an get/post call. Important to prevent CSRF attacks.
*
- * @return string Generated token.
+ * @return string The encrypted CSRF token, the shared secret is appended after the `:`.
+ *
* @description
* Creates a 'request token' (random) and stores it inside the session.
* Ever subsequent (ajax) request must use such a valid token to succeed,
@@ -1074,7 +1075,10 @@ class OC_Util {
// Valid token already exists, send it
$requestToken = \OC::$server->getSession()->get('requesttoken');
}
- return ($requestToken);
+
+ // Encrypt the token to mitigate breach-like attacks
+ $sharedSecret = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10);
+ return \OC::$server->getCrypto()->encrypt($requestToken, $sharedSecret) . ':' . $sharedSecret;
}
/**
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-14 22:11:23 +0000