add two csrf check calls. Review and lots of porting needed.
This commit is contained in:
parent
081e1874cb
commit
344299a074
@ -248,6 +248,26 @@ class Util {
|
|||
}
|
||||
|
||||
|
||||
/**
|
||||
* Register an get/post call. This is important to prevent CSRF attacks
|
||||
* TODO: write example
|
||||
*/
|
||||
public static function callRegister(){
|
||||
return(\OC_Util::callRegister());
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Check an ajax get/post call if the request token is valid. exit if not.
|
||||
* Todo: Write howto
|
||||
*/
|
||||
public static function callCheck(){
|
||||
return(\OC_Util::callCheck());
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
?>
|
||||
|
56
lib/util.php
56
lib/util.php
|
@ -343,4 +343,60 @@ class OC_Util {
|
|||
}
|
||||
return $id;
|
||||
}
|
||||
|
||||
/**
|
||||
* Register an get/post call. This is important to prevent CSRF attacks
|
||||
* Todo: Write howto
|
||||
*/
|
||||
public static function callRegister(){
|
||||
// generate a random token.
|
||||
$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
|
||||
|
||||
// store the token together with a timestamp in the session.
|
||||
$_SESSION['requesttoken-'.$token]=time();
|
||||
|
||||
// return the token
|
||||
return($token);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Check an ajax get/post call if the request token is valid. exit if not.
|
||||
* Todo: Write howto
|
||||
*/
|
||||
public static function callCheck(){
|
||||
//mamimum time before token exires
|
||||
$maxtime=(60*60); // 1 hour
|
||||
|
||||
// searches in the get and post arrays for the token.
|
||||
if(isset($_GET['requesttoken'])) {
|
||||
$token=$_GET['requesttoken'];
|
||||
}elseif(isset($_POST['requesttoken'])){
|
||||
$token=$_POST['requesttoken'];
|
||||
}else{
|
||||
//no token found. exiting
|
||||
exit;
|
||||
}
|
||||
|
||||
// check if the token is in the user session and if the timestamp is from the last hour.
|
||||
if(isset($_SESSION['requesttoken-'.$token])) {
|
||||
$timestamp=$_SESSION['requesttoken-'.$token];
|
||||
if($timestamp+$maxtime<time){
|
||||
//token exired. exiting
|
||||
exit;
|
||||
|
||||
}else{
|
||||
//token valid
|
||||
return;
|
||||
}
|
||||
}else{
|
||||
//no token found. exiting
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
|
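Review bot: The expiry check in callCheck never fires, because `if($timestamp+$maxtime<time)` compares against the bare name `time` rather than calling `time()`; on PHP 5/7 an undefined constant resolves to the string "time" (with a notice) and the comparison is false, while on PHP 8 it throws, so the one-hour window is not enforced — it should read `if($timestamp+$maxtime<time()){`. The token itself is built from three `mt_rand(1000,9000)` calls, a non-cryptographic, seedable generator giving well under 40 bits of entropy; a CSRF token should come from a CSPRNG, e.g. `$token=bin2hex(random_bytes(16));` (or openssl_random_pseudo_bytes on PHP versions without random_bytes). Tokens are also written to `$_SESSION` on every callRegister and never unset on use or expiry, so the session grows without bound and a token that leaks (e.g. via the Referer header when passed in `$_GET`) stays valid for the full hour; unsetting the key once it has been checked would make it single-use. A bare `exit` on failure leaves the caller with a 200 response and no explanation; sending a 403 status before exiting would make rejected requests diagnosable.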