mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Added JSON methods for CSRF prevention. Make request token accessible from template and add js var.

This commit is contained in:
Thomas Tanghus 2012-06-13 17:33:19 +02:00
parent 9e9c40eabd
commit 89464721c7
5 changed files with 54 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
core/templates/layout.user.php
View File

@ -30,6 +30,16 @@
echo '/>';
?>
<?php endforeach; ?>
<script type="text/javascript">
$(function() {
var requesttoken = '<?php echo $_['requesttoken']; ?>';
$(document).bind('ajaxSend', function(elm, xhr, s){
if(requesttoken) {
xhr.setRequestHeader('requesttoken', requesttoken);
}
});
});
</script>
</head>
<body id="<?php echo $_['bodyid'];?>">

12
lib/json.php
View File

@ -41,6 +41,18 @@ class OC_JSON{
}
}
/**
* @brief Check an ajax get/post call if the request token is valid.
* @return json Error msg if not valid.
*/
public static function callCheck(){
if( !OC_Util::isCallRegistered()){
$l = OC_L10N::get('core');
self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') )));
exit();
}
}
/**
* Check if the user is a admin, send json error msg if not
*/

7
lib/public/json.php
View File

@ -53,6 +53,13 @@ class JSON {
return(\OC_JSON::checkLoggedIn());
}
/**
* @brief Check an ajax get/post call if the request token is valid.
* @return json Error msg if not valid.
*/
public static function callCheck(){
return(\OC_JSON::callCheck());
}
/**
* @brief Send json success msg

4
lib/template.php
View File

@ -155,6 +155,9 @@ class OC_Template{
$this->renderas = $renderas;
$this->application = $app;
$this->vars = array();
if($renderas == 'user') {
$this->vars['requesttoken'] = OC_Util::callRegister();
}
$this->l10n = OC_L10N::get($app);
header('X-Frame-Options: Sameorigin');
header('X-XSS-Protection: 1; mode=block');
@ -355,6 +358,7 @@ class OC_Template{
if( $this->renderas == "user" ){
$page = new OC_Template( "core", "layout.user" );
$page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' ));
$page->assign('requesttoken', $this->vars['requesttoken']);
if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){
$page->assign('bodyid','body-settings');
}else{

43
lib/util.php
View File

@ -355,8 +355,9 @@ class OC_Util {
}
/**
* Register an get/post call. This is important to prevent CSRF attacks
* @brief Register an get/post call. This is important to prevent CSRF attacks
* Todo: Write howto
* @return $token Generated token.
*/
public static function callRegister(){
//mamimum time before token exires
@ -381,50 +382,48 @@ class OC_Util {
}
}
}
// return the token
return($token);
}
/**
* Check an ajax get/post call if the request token is valid. exit if not.
* Todo: Write howto
* @brief Check an ajax get/post call if the request token is valid.
* @return boolean False if request token is not set or is invalid.
*/
public static function callCheck(){
public static function isCallRegistered(){
//mamimum time before token exires
$maxtime=(60*60); // 1 hour
// searches in the get and post arrays for the token.
if(isset($_GET['requesttoken'])) {
$token=$_GET['requesttoken'];
}elseif(isset($_POST['requesttoken'])){
$token=$_POST['requesttoken'];
}elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){
$token=$_SERVER['HTTP_REQUESTTOKEN'];
}else{
//no token found. exiting
exit;
//no token found.
return false;
}
// check if the token is in the user session and if the timestamp is from the last hour.
if(isset($_SESSION['requesttoken-'.$token])) {
$timestamp=$_SESSION['requesttoken-'.$token];
if($timestamp+$maxtime<time()){
//token exired. exiting
exit;
return false;
}else{
//token valid
return;
return true;
}
}else{
//no token found. exiting
exit;
return false;
}
}
/**
* @brief Check an ajax get/post call if the request token is valid. exit if not.
* Todo: Write howto
*/
public static function callCheck(){
if(!OC_Util::isCallRegistered()) {
exit;
}
}
}