mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Added JSON methods for CSRF prevention. Make request token accessible from template and add js var.

This commit is contained in:
Thomas Tanghus 2012-06-13 17:33:19 +02:00
parent 9e9c40eabd
commit 89464721c7
5 changed files with 54 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
core/templates/layout.user.php
View File

@ -30,6 +30,16 @@
echo '/>'; echo '/>';
?> ?>
<?php endforeach; ?> <?php endforeach; ?>
<script type="text/javascript">
$(function() {
var requesttoken = '<?php echo $_['requesttoken']; ?>';
$(document).bind('ajaxSend', function(elm, xhr, s){
if(requesttoken) {
xhr.setRequestHeader('requesttoken', requesttoken);
}
});
});
</script>
</head> </head>
<body id="<?php echo $_['bodyid'];?>"> <body id="<?php echo $_['bodyid'];?>">

12
lib/json.php
View File

@ -41,6 +41,18 @@ class OC_JSON{
} }
} }
/**
* @brief Check an ajax get/post call if the request token is valid.
* @return json Error msg if not valid.
*/
public static function callCheck(){
if( !OC_Util::isCallRegistered()){
$l = OC_L10N::get('core');
self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') )));
exit();
}
}
/** /**
* Check if the user is a admin, send json error msg if not * Check if the user is a admin, send json error msg if not
*/ */

7
lib/public/json.php
View File

@ -53,6 +53,13 @@ class JSON {
return(\OC_JSON::checkLoggedIn()); return(\OC_JSON::checkLoggedIn());
} }
/**
* @brief Check an ajax get/post call if the request token is valid.
* @return json Error msg if not valid.
*/
public static function callCheck(){
return(\OC_JSON::callCheck());
}
/** /**
* @brief Send json success msg * @brief Send json success msg

4
lib/template.php
View File

@ -155,6 +155,9 @@ class OC_Template{
$this->renderas = $renderas; $this->renderas = $renderas;
$this->application = $app; $this->application = $app;
$this->vars = array(); $this->vars = array();
if($renderas == 'user') {
$this->vars['requesttoken'] = OC_Util::callRegister();
}
$this->l10n = OC_L10N::get($app); $this->l10n = OC_L10N::get($app);
header('X-Frame-Options: Sameorigin'); header('X-Frame-Options: Sameorigin');
header('X-XSS-Protection: 1; mode=block'); header('X-XSS-Protection: 1; mode=block');
@ -355,6 +358,7 @@ class OC_Template{
if( $this->renderas == "user" ){ if( $this->renderas == "user" ){
$page = new OC_Template( "core", "layout.user" ); $page = new OC_Template( "core", "layout.user" );
$page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' )); $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' ));
$page->assign('requesttoken', $this->vars['requesttoken']);
if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){ if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){
$page->assign('bodyid','body-settings'); $page->assign('bodyid','body-settings');
}else{ }else{

43
lib/util.php
View File

@ -355,8 +355,9 @@ class OC_Util {
} }
/** /**
* Register an get/post call. This is important to prevent CSRF attacks * @brief Register an get/post call. This is important to prevent CSRF attacks
* Todo: Write howto * Todo: Write howto
* @return $token Generated token.
*/ */
public static function callRegister(){ public static function callRegister(){
//mamimum time before token exires //mamimum time before token exires
@ -381,50 +382,48 @@ class OC_Util {
} }
} }
} }
// return the token // return the token
return($token); return($token);
} }
/** /**
* Check an ajax get/post call if the request token is valid. exit if not. * @brief Check an ajax get/post call if the request token is valid.
* Todo: Write howto * @return boolean False if request token is not set or is invalid.
*/ */
public static function callCheck(){ public static function isCallRegistered(){
//mamimum time before token exires //mamimum time before token exires
$maxtime=(60*60); // 1 hour $maxtime=(60*60); // 1 hour
// searches in the get and post arrays for the token.
if(isset($_GET['requesttoken'])) { if(isset($_GET['requesttoken'])) {
$token=$_GET['requesttoken']; $token=$_GET['requesttoken'];
}elseif(isset($_POST['requesttoken'])){ }elseif(isset($_POST['requesttoken'])){
$token=$_POST['requesttoken']; $token=$_POST['requesttoken'];
}elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){
$token=$_SERVER['HTTP_REQUESTTOKEN'];
}else{ }else{
//no token found. exiting //no token found.
exit; return false;
} }
// check if the token is in the user session and if the timestamp is from the last hour.
if(isset($_SESSION['requesttoken-'.$token])) { if(isset($_SESSION['requesttoken-'.$token])) {
$timestamp=$_SESSION['requesttoken-'.$token]; $timestamp=$_SESSION['requesttoken-'.$token];
if($timestamp+$maxtime<time()){ if($timestamp+$maxtime<time()){
//token exired. exiting return false;
exit;
}else{ }else{
//token valid //token valid
return; return true;
} }
}else{ }else{
//no token found. exiting return false;
exit;
} }
} }
/**
* @brief Check an ajax get/post call if the request token is valid. exit if not.
* Todo: Write howto
*/
public static function callCheck(){
if(!OC_Util::isCallRegistered()) {
exit;
}
}
} }