From 21cbef0d2cc80228d2a473ccfb6ad5b071f314c7 Mon Sep 17 00:00:00 2001
From: Bart Visscher <bartv@thisnet.nl>
Date: Fri, 27 Sep 2013 15:16:34 +0200
Subject: passesCSRFCheck added to OCP\IRequest
---
 lib/private/appframework/http/request.php | 38 ++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)
(limited to 'lib/private/appframework')
diff --git a/lib/private/appframework/http/request.php b/lib/private/appframework/http/request.php
index f152956c8cf..3e1f4ff87ed 100644
--- a/lib/private/appframework/http/request.php
+++ b/lib/private/appframework/http/request.php
@@ -43,7 +43,8 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 'cookies',
 'urlParams',
 'parameters',
- 'method'
+ 'method',
+ 'requesttoken',
 );
 
 /**
@@ -54,9 +55,9 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 * @param array 'files' the $_FILES array
 * @param array 'server' the $_SERVER array
 * @param array 'env' the $_ENV array
- * @param array 'session' the $_SESSION array
 * @param array 'cookies' the $_COOKIE array
 * @param string 'method' the request method (GET, POST etc)
+ * @param string|false 'requesttoken' the requesttoken or false when not available
 * @see http://www.php.net/manual/en/reserved.variables.php
 */
 public function __construct(array $vars=array()) {
@@ -354,4 +355,35 @@ class Request implements \ArrayAccess, \Countable, IRequest { return $this->content; } -} + + /** + * Checks if the CSRF check was correct + * @return bool true if CSRF check passed + * @see OC_Util::$callLifespan + * @see OC_Util::callRegister() + */ + public function passesCSRFCheck() { + if($this->items['requesttoken'] === false) { + return false; + } + + if (isset($this->items['get']['requesttoken'])) { + $token = $this->items['get']['requesttoken']; + } elseif (isset($this->items['post']['requesttoken'])) { + $token = $this->items['post']['requesttoken']; + } elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) { + $token = $this->items['server']['HTTP_REQUESTTOKEN']; + } else { + //no token found. + return false; + } + + // Check if the token is valid + if($token !== $this->items['requesttoken']) { + // Not valid + return false; + } else { + // Valid token + return true; + } + }} -- cgit v1.2.3
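Review bot: The guard `if($this->items['requesttoken'] === false)` in passesCSRFCheck only rejects an explicit `false`; if the stored token is ever unset, `null` or an empty string, control falls through to the comparison, and an empty `requesttoken` in GET or POST would then match an empty stored value. A stricter guard such as `if (!is_string($this->items['requesttoken']) || $this->items['requesttoken'] === '') { return false; }` closes that gap while staying within the documented `string|false` contract. The trailing if/else can collapse to `return $token === $this->items['requesttoken'];`, or to `hash_equals()` where the supported PHP version provides it, to keep the comparison constant-time. Accepting the token from the GET query string lets it land in access logs and Referer headers, which deserves a short comment explaining why GET is supported alongside POST and the `HTTP_REQUESTTOKEN` header. The enclosing class begins outside the hunk.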