[Owncloud] Cross-site request forgery protection

Frank Karlitschek frank at owncloud.org
Fri Jun 8 14:42:22 UTC 2012


Hi everybody,

We have to do something in ownCloud against the CSRF threat. We have some protection in some areas already but I think we need a general solution here.
We have to check if a GET request, form POST or Ajax request really comes from the user and ownCloud itself or if it was triggered by an evil JS script or Flash applet from a remote site.

Read here for more information:
http://en.wikipedia.org/wiki/Cross-site_request_forgery

I thought about simpler solutions but they all have problems so I think we have to do the real thing which means a lot of changes in ownCloud.


We have to register every possible ajax call or form submit or button press on the page where this call could happen with a special function. This function returns a token. This token has to be included in the GET or POST request.


The two needed calls could work like this:


/**
* Register a get/post call
*/
public static function callRegister(){
	// generate a random token.
	// store the token together with a timestamp in the session.
	// return the token
}


/**
* Check an ajax get/post call
*/
public static function callCheck(){
	// searches in the get and post arrays for the token.
	// check if the token is in the user session and if the timestamp is from the last hour.
	// exit if not found and return if found.
}


The callRegister call has to be included on all pages with links, ajax calls or forms.
The callCheck has to be included on all pages that are called by other pages.


Opinions? Does this make sense?

And does someone volunteer to help me to implement all this? :-)



Frank
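The callRegister/callCheck pair sketched in the mail, carried through as a runnable script. This is an added example, not ownCloud's own code: the session is passed in as an array instead of using $_SESSION so it runs from the PHP CLI, and the names 'requesttokens' (session key) and 'requesttoken' (request field) are assumptions, not ownCloud identifiers.

```php
<?php
// Added example, not ownCloud code. Session array passed by reference so the
// functions can be exercised from the CLI without a web server. The names
// 'requesttokens' and 'requesttoken' are assumed, not taken from ownCloud.

const TOKEN_LIFETIME = 3600; // "from the last hour"

// Generate a random token, remember it in the session with its creation
// time, and return it for inclusion in the form or ajax request.
function callRegister(array &$session, $now = null) {
    $now = ($now === null) ? time() : $now;
    // CSPRNG only: a predictable token gives no CSRF protection at all.
    $token = bin2hex(random_bytes(16));
    $session['requesttokens'][$token] = $now;
    return $token;
}

// Look for the token in POST, then GET, and accept it only if it is in the
// session and at most TOKEN_LIFETIME seconds old. Returns a bool; the page
// calling this exits on false, as the mail proposes.
function callCheck(array &$session, array $get, array $post, $now = null) {
    $now = ($now === null) ? time() : $now;
    $token = null;
    foreach (array($post, $get) as $params) {
        if (isset($params['requesttoken']) && is_string($params['requesttoken'])) {
            $token = $params['requesttoken'];
            break;
        }
    }
    if (!isset($session['requesttokens'])) {
        $session['requesttokens'] = array();
    }
    // Purge expired tokens so a long-lived session does not grow without bound.
    foreach ($session['requesttokens'] as $t => $ts) {
        if ($now - $ts > TOKEN_LIFETIME) {
            unset($session['requesttokens'][$t]);
        }
    }
    return $token !== null && isset($session['requesttokens'][$token]);
}

// Demo with a constructed session and constructed request arrays.
$session = array();
$token = callRegister($session, 1000);
var_dump(callCheck($session, array(), array('requesttoken' => $token), 1500)); // token issued by this session, still fresh
var_dump(callCheck($session, array(), array(), 1500));                         // a cross-site form carries no token
var_dump(callCheck($session, array('requesttoken' => 'guess'), array(), 1500)); // token never registered in this session
var_dump(callCheck($session, array(), array('requesttoken' => $token), 4601)); // token older than one hour
```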






