From 89464721c7aa4464419cbcbedc658843f6c4696d Mon Sep 17 00:00:00 2001 From: Thomas Tanghus Date: Wed, 13 Jun 2012 17:33:19 +0200 Subject: Added JSON methods for CSRF prevention. Make request token accessible from template and add js var. --- lib/util.php | 43 +++++++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 22 deletions(-) (limited to 'lib/util.php') diff --git a/lib/util.php b/lib/util.php index e4efd953ec5..0266a8ecc5f 100755 --- a/lib/util.php +++ b/lib/util.php @@ -355,8 +355,9 @@ class OC_Util { } /** - * Register an get/post call. This is important to prevent CSRF attacks + * @brief Register an get/post call. This is important to prevent CSRF attacks * Todo: Write howto + * @return $token Generated token. */ public static function callRegister(){ //mamimum time before token exires @@ -381,50 +382,48 @@ class OC_Util { } } } - - // return the token return($token); } /** - * Check an ajax get/post call if the request token is valid. exit if not. - * Todo: Write howto + * @brief Check an ajax get/post call if the request token is valid. + * @return boolean False if request token is not set or is invalid. */ - public static function callCheck(){ + public static function isCallRegistered(){ //mamimum time before token exires $maxtime=(60*60); // 1 hour - - // searches in the get and post arrays for the token. if(isset($_GET['requesttoken'])) { $token=$_GET['requesttoken']; }elseif(isset($_POST['requesttoken'])){ $token=$_POST['requesttoken']; + }elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){ + $token=$_SERVER['HTTP_REQUESTTOKEN']; }else{ - //no token found. exiting - exit; + //no token found. + return false; } - - // check if the token is in the user session and if the timestamp is from the last hour. if(isset($_SESSION['requesttoken-'.$token])) { $timestamp=$_SESSION['requesttoken-'.$token]; if($timestamp+$maxtime