From 743826bbf34b82b92371cf7e9b0478897188c046 Mon Sep 17 00:00:00 2001 From: Christian Reiner Date: Fri, 28 Sep 2012 13:30:44 +0200 Subject: Reimplementation of CSRF protection including autorefresh --- lib/base.php | 2 ++ lib/template.php | 6 ------ lib/util.php | 36 ++++++++++++++++++++++++++---------- 3 files changed, 28 insertions(+), 16 deletions(-) (limited to 'lib') diff --git a/lib/base.php b/lib/base.php index f6afc8fe2fe..5a2decc6f63 100644 --- a/lib/base.php +++ b/lib/base.php @@ -240,6 +240,8 @@ class OC{ OC_Util::addScript( "jquery-tipsy" ); OC_Util::addScript( "oc-dialogs" ); OC_Util::addScript( "js" ); + // request protection token MUST be defined after the jquery library but before any $('document').ready() + OC_Util::addScript( "requesttoken" ); OC_Util::addScript( "eventsource" ); OC_Util::addScript( "config" ); //OC_Util::addScript( "multiselect" ); diff --git a/lib/template.php b/lib/template.php index 0987d6f0d88..0033683b66f 100644 --- a/lib/template.php +++ b/lib/template.php @@ -155,9 +155,6 @@ class OC_Template{ $this->renderas = $renderas; $this->application = $app; $this->vars = array(); - if($renderas == 'user') { - $this->vars['requesttoken'] = OC_Util::callRegister(); - } $parts = explode('/', $app); // fix translation when app is something like core/lostpassword $this->l10n = OC_L10N::get($parts[0]); header('X-Frame-Options: Sameorigin'); @@ -372,9 +369,6 @@ class OC_Template{ if( $this->renderas ) { $page = new OC_TemplateLayout($this->renderas); - if($this->renderas == 'user') { - $page->assign('requesttoken', $this->vars['requesttoken']); - } // Add custom headers $page->assign('headers',$this->headers, false); diff --git a/lib/util.php b/lib/util.php index 08412464254..b14664c9d1e 100755 --- a/lib/util.php +++ b/lib/util.php @@ -416,14 +416,29 @@ class OC_Util { } /** - * @brief Register an get/post call. This is important to prevent CSRF attacks - * Todo: Write howto + * @brief Static lifespan (in seconds) when a request token expires. + * @see OC_Util::callRegister() + * @see OC_Util::isCallRegistered() + * @description + * Also required for the client side to compute the piont in time when to + * request a fresh token. The client will do so when nearly 97% of the + * timespan coded here has expired. + */ + public static $callLifespan = 3600; // 3600 secs = 1 hour + + /** + * @brief Register an get/post call. Important to prevent CSRF attacks. + * @todo Write howto: CSRF protection guide * @return $token Generated token. + * @description + * Creates a 'request token' (random) and stores it inside the session. + * Ever subsequent (ajax) request must use such a valid token to succeed, + * otherwise the request will be denied as a protection against CSRF. + * The tokens expire after a fixed lifespan. + * @see OC_Util::$callLifespan + * @see OC_Util::isCallRegistered() */ public static function callRegister() { - //mamimum time before token exires - $maxtime=(60*60); // 1 hour - // generate a random token. $token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000); @@ -436,7 +451,8 @@ class OC_Util { foreach($_SESSION as $key=>$value) { // search all tokens in the session if(substr($key,0,12)=='requesttoken') { - if($value+$maxtime