diff --git a/lib/public/util.php b/lib/public/util.php
index 9b499574da..995161e2ab 100644
--- a/lib/public/util.php
+++ b/lib/public/util.php
@@ -248,6 +248,26 @@ class Util {
 }
+ /**
+ * Register an get/post call. This is important to prevent CSRF attacks
+ * TODO: write example
+ */
+ public static function callRegister(){
+ return(\OC_Util::callRegister());
+ }
+
+
+ /**
+ * Check an ajax get/post call if the request token is valid. exit if not.
+ * Todo: Write howto
+ */
+ public static function callCheck(){
+ return(\OC_Util::callCheck());
+ }
+
+
+
+
 }
 ?>
diff --git a/lib/util.php b/lib/util.php
index 20888fa71f..ef8ba8efe7 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -343,4 +343,60 @@ class OC_Util {
 }
 return $id;
 }
+
+ /**
+ * Register an get/post call. This is important to prevent CSRF attacks
+ * Todo: Write howto
+ */
+ public static function callRegister(){
+ // generate a random token.
+ $token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+
+ // store the token together with a timestamp in the session.
+ $_SESSION['requesttoken-'.$token]=time();
+
+ // return the token
+ return($token);
+ }
+
+
+ /**
+ * Check an ajax get/post call if the request token is valid. exit if not.
+ * Todo: Write howto
+ */
+ public static function callCheck(){
+ //mamimum time before token exires
+ $maxtime=(60*60); // 1 hour
+
+ // searches in the get and post arrays for the token.
+ if(isset($_GET['requesttoken'])) {
+ $token=$_GET['requesttoken'];
+ }elseif(isset($_POST['requesttoken'])){
+ $token=$_POST['requesttoken'];
+ }else{
+ //no token found. exiting
+ exit;
+ }
+
+ // check if the token is in the user session and if the timestamp is from the last hour.
+ if(isset($_SESSION['requesttoken-'.$token])) {
+ $timestamp=$_SESSION['requesttoken-'.$token];
+ if($timestamp+$maxtime
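Review bot: Both new public wrappers, callRegister() and callCheck(), document themselves only with TODO placeholders, so an app developer using this facade cannot tell what the returned token is, how to send it back, or that callCheck() ends the request instead of returning a result. Since the implementation in lib/util.php (second hunk) reads the token from the requesttoken GET/POST parameter and stores it in the session together with a timestamp and a one-hour `$maxtime`, the facade docblocks should state that contract: replace `TODO: write example` with `@return string token that the caller must send back in the requesttoken GET or POST parameter of the protected request`, and on callCheck() replace `Todo: Write howto` with `@return void exits the request when the token is missing, not found in the session or apparently older than the configured maximum age; call it before any state-changing work`. The parenthesised `return(\OC_Util::callRegister());` form is unusual; `return \OC_Util::callRegister();` is the conventional spelling, and the same applies to callCheck().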