[Owncloud] Cross-site request forgery protection
Thomas Tanghus
thomas at tanghus.net
Tue Jun 12 12:16:02 UTC 2012
On Friday 08 June 2012 16:42 Frank Karlitschek wrote:
> /**
> * Register an get/post call
> */
> public static function callRegister(){
> // generate a random token.
> // store the token together with a timestamp in the session.
> // return the token
> }
>
>
> /**
> * Check an ajax get/post call
> */
> public static function callCheck(){
> // searches in the get and post arrays for the token.
> // check if the token is in the user session and if the timestamp is from
> // the last hour.
> // exit if not found and return if found.
> }
>
I just tested this, and we need some extra methods. Something like:
lib/util.php:

	public static function isCallRegistered(){
		$maxtime=(60*60); // 1 hour
		if(isset($_GET['requesttoken'])) {
			$token=$_GET['requesttoken'];
		}elseif(isset($_POST['requesttoken'])){
			$token=$_POST['requesttoken'];
		}else{
			return false; // no token sent with the request
		}
		if(isset($_SESSION['requesttoken-'.$token])) {
			$timestamp=$_SESSION['requesttoken-'.$token];
			if($timestamp+$maxtime<time()){ // registered more than an hour ago
				return false;
			}else{
				//token valid
				return true;
			}
		}else{
			return false; // token was never registered in this session
		}
	}

	public static function callCheck(){
		if(!OC_Util::isCallRegistered()) {
			exit;
		}
	}

lib/json.php:

	public static function callCheck(){
		if( !OC_Util::isCallRegistered()){
			$l = OC_L10N::get('core');
			self::error(array( 'data' => array( 'message' => $l->t('Token expired') )));
			exit();
		}
	}
And then the public methods.
--
Med venlig hilsen / Best Regards
Thomas Tanghus
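Added example, not code from this thread or from ownCloud: a self-contained version of the register/check pair discussed above, so the token lifecycle can be run end to end from the command line. The class name RequestToken, the injectable $session array (standing in for $_SESSION), the injectable $now clock, the prune() helper and the MAX_AGE constant are all assumptions made for this example; the one-hour window and the 'requesttoken-' session key prefix follow the thread.

```php
<?php
// Added example, not code from this thread or from ownCloud. $session is
// passed in as an array (hypothetical, instead of $_SESSION) so the script
// runs from the CLI, and $now is injectable so expiry can be exercised.

class RequestToken
{
    const MAX_AGE = 3600;                      // one-hour window, as in the thread

    /**
     * Generate a random token, store it with a timestamp in the session,
     * and return it for embedding in the page's GET/POST parameters.
     */
    public static function callRegister(array &$session, $now = null)
    {
        $now = ($now === null) ? time() : $now;
        self::prune($session, $now);           // keep the session bounded
        $token = bin2hex(random_bytes(16));    // CSPRNG; 32 hex characters
        $session['requesttoken-' . $token] = $now;
        return $token;
    }

    /**
     * Return true only if the request carries a token that this session
     * registered within the last MAX_AGE seconds; false otherwise.
     */
    public static function isCallRegistered(array $request, array $session, $now = null)
    {
        $now = ($now === null) ? time() : $now;
        // A token sent as requesttoken[]=x arrives as an array; reject it
        // instead of letting it be coerced into a string.
        if (!isset($request['requesttoken']) || !is_string($request['requesttoken'])) {
            return false;                      // missing or malformed token
        }
        $key = 'requesttoken-' . $request['requesttoken'];
        if (!isset($session[$key])) {
            return false;                      // never registered in this session
        }
        return ($session[$key] + self::MAX_AGE) >= $now;
    }

    /** Drop tokens whose window has closed so repeated page loads do not pile up in the session. */
    private static function prune(array &$session, $now)
    {
        foreach (array_keys($session) as $key) {
            if (strpos($key, 'requesttoken-') === 0 && $session[$key] + self::MAX_AGE < $now) {
                unset($session[$key]);
            }
        }
    }
}

// Constructed walkthrough: one session, one registered token, three requests
// (inside the window, after the window has closed, and with an unregistered token).
$session = array();
$token = RequestToken::callRegister($session, 1000);
$checks = array(
    'inside_window'  => RequestToken::isCallRegistered(array('requesttoken' => $token), $session, 1000 + 60),
    'after_window'   => RequestToken::isCallRegistered(array('requesttoken' => $token), $session, 1000 + 3601),
    'not_registered' => RequestToken::isCallRegistered(array('requesttoken' => 'not-registered'), $session, 1000 + 60),
);
var_dump($checks);
```

Two things this adds beyond the sketch in the thread: the is_string() check, because a request parameter can arrive as an array and should not be turned into a session key, and prune(), because registering a fresh token on every page load otherwise grows the session for the life of the login. The lookup by session key is the same approach as in the thread; the token only has to be unguessable, which random_bytes() provides.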