diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/base.php | 2 | ||||
| -rw-r--r-- | lib/template.php | 2 | ||||
| -rwxr-xr-x | lib/util.php | 29 |
3 files changed, 6 insertions, 27 deletions
diff --git a/lib/base.php b/lib/base.php index d7d5eef3256..87fb1644240 100644 --- a/lib/base.php +++ b/lib/base.php @@ -254,8 +254,6 @@ class OC{ OC_Util::addScript( "jquery-tipsy" ); OC_Util::addScript( "oc-dialogs" ); OC_Util::addScript( "js" ); - // request protection token MUST be defined after the jquery library but before any $('document').ready() - OC_Util::addScript( "requesttoken" ); OC_Util::addScript( "eventsource" ); OC_Util::addScript( "config" ); //OC_Util::addScript( "multiselect" ); diff --git a/lib/template.php b/lib/template.php index 1ad47cbe52c..caac6891cb8 100644 --- a/lib/template.php +++ b/lib/template.php @@ -172,7 +172,6 @@ class OC_Template{ $this->application = $app; $this->vars = array(); $this->vars['requesttoken'] = OC_Util::callRegister(); - $this->vars['requestlifespan'] = OC_Util::$callLifespan; $parts = explode('/', $app); // fix translation when app is something like core/lostpassword $this->l10n = OC_L10N::get($parts[0]); @@ -391,7 +390,6 @@ class OC_Template{ $page = new OC_TemplateLayout($this->renderas); if($this->renderas == 'user') { $page->assign('requesttoken', $this->vars['requesttoken']); - $page->assign('requestlifespan', $this->vars['requestlifespan']); } // Add custom headers diff --git a/lib/util.php b/lib/util.php index de89e339d99..cb81f0a948c 100755 --- a/lib/util.php +++ b/lib/util.php @@ -473,17 +473,6 @@ class OC_Util { } /** - * @brief Static lifespan (in seconds) when a request token expires. - * @see OC_Util::callRegister() - * @see OC_Util::isCallRegistered() - * @description - * Also required for the client side to compute the piont in time when to - * request a fresh token. The client will do so when nearly 97% of the - * timespan coded here has expired. - */ - public static $callLifespan = 3600; // 3600 secs = 1 hour - - /** * @brief Register an get/post call. Important to prevent CSRF attacks. * @todo Write howto: CSRF protection guide * @return $token Generated token. @@ -491,30 +480,24 @@ class OC_Util { * Creates a 'request token' (random) and stores it inside the session. * Ever subsequent (ajax) request must use such a valid token to succeed, * otherwise the request will be denied as a protection against CSRF. - * The tokens expire after a fixed lifespan. - * @see OC_Util::$callLifespan * @see OC_Util::isCallRegistered() */ public static function callRegister() { // Check if a token exists - if(!isset($_SESSION['requesttoken']) || time() >$_SESSION['requesttoken']['time']) { + if(!isset($_SESSION['requesttoken'])) { // No valid token found, generate a new one. - $requestTokenArray = array( - "requesttoken" => self::generate_random_bytes(20), - "time" => time()+self::$callLifespan, - ); - $_SESSION['requesttoken']=$requestTokenArray; + $requestToken = self::generate_random_bytes(20); + $_SESSION['requesttoken']=$requestToken; } else { // Valid token already exists, send it - $requestTokenArray = $_SESSION['requesttoken']; + $requestToken = $_SESSION['requesttoken']; } - return($requestTokenArray['requesttoken']); + return($requestToken); } /** * @brief Check an ajax get/post call if the request token is valid. * @return boolean False if request token is not set or is invalid. - * @see OC_Util::$callLifespan * @see OC_Util::callRegister() */ public static function isCallRegistered() { @@ -530,7 +513,7 @@ class OC_Util { } // Check if the token is valid - if(!isset($_SESSION['requesttoken']) || time() > $_SESSION['requesttoken']["time"]) { + if($token !== $_SESSION['requesttoken']) { // Not valid return false; } else { |