[Owncloud] Cross-site request forgery protection
Frank Karlitschek
frank at owncloud.org
Wed Jun 13 09:55:49 UTC 2012
Makes a lot of sense IMHO. :-)
Frank
On 12.06.2012, at 14:16, Thomas Tanghus <thomas at tanghus.net> wrote:
> On Friday 08 June 2012 16:42 Frank Karlitschek wrote:
>
>> /**
>> * Register a get/post call
>> */
>> public static function callRegister(){
>>     // generate a random token.
>>     // store the token together with a timestamp in the session.
>>     // return the token
>> }
>>
>>
>> /**
>> * Check an ajax get/post call
>> */
>> public static function callCheck(){
>>     // searches in the get and post arrays for the token.
>>     // check if the token is in the user session and if the timestamp is from
>>     // the last hour.
>>     // exit if not found and return if found.
>> }
>>
>
> I just tested this, and we need some extra methods. Something like:
>
> lib/util.php:
>
> public static function isCallRegistered(){
>     $maxtime=(60*60); // 1 hour
>     // the token may arrive either as a GET or as a POST parameter
>     if(isset($_GET['requesttoken'])) {
>         $token=$_GET['requesttoken'];
>     }elseif(isset($_POST['requesttoken'])){
>         $token=$_POST['requesttoken'];
>     }else{
>         return false;
>     }
>     // each registered token is stored under its own session key with its timestamp
>     if(isset($_SESSION['requesttoken-'.$token])) {
>         $timestamp=$_SESSION['requesttoken-'.$token];
>         if($timestamp+$maxtime<time()){
>             // token older than one hour
>             return false;
>         }else{
>             //token valid
>             return true;
>         }
>     }else{
>         return false;
>     }
> }
>
> public static function callCheck(){
>     if(!OC_Util::isCallRegistered()) {
>         exit;
>     }
> }
>
> lib/json.php:
>
> public static function callCheck(){
>     if( !OC_Util::isCallRegistered()){
>         $l = OC_L10N::get('core');
>         self::error(array( 'data' => array( 'message' => $l->t('Token expired') )));
>         exit();
>     }
> }
>
> And then the public methods.
>
> --
> Med venlig hilsen / Best Regards
>
> Thomas Tanghus
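Added example, not code from this thread or from ownCloud: the register/check pair as Thomas describes it (random token stored in the session with a timestamp, accepted from GET or POST for one hour), written as plain functions that take the session and request arrays as parameters so it runs from the CLI. The `random_bytes` call, the `?int $now` parameter for testing expiry, and the pruning of expired tokens (so the per-token session keys do not accumulate) are my additions.

```php
<?php
// Added example (not ownCloud code). $session stands in for $_SESSION and
// $request for $_GET / $_POST so the functions can be exercised without a web server.

const REQUESTTOKEN_MAX_AGE = 60 * 60; // one hour, as in the thread

/** Generate a random token, store it in the session with a timestamp, return it. */
function callRegister(array &$session, ?int $now = null): string {
    $now = $now ?? time();
    // Prune tokens older than the limit so the session does not grow without bound
    // (the thread's design keeps one session key per registered token).
    foreach ($session as $key => $timestamp) {
        if (strpos($key, 'requesttoken-') === 0 && $timestamp + REQUESTTOKEN_MAX_AGE < $now) {
            unset($session[$key]);
        }
    }
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, hex-encoded
    $session['requesttoken-' . $token] = $now;
    return $token;
}

/** Look for 'requesttoken' in the request and check it against the session. */
function isCallRegistered(array $session, array $request, ?int $now = null): bool {
    $now = $now ?? time();
    if (!isset($request['requesttoken']) || !is_string($request['requesttoken'])) {
        return false; // no token sent (or not a scalar)
    }
    $key = 'requesttoken-' . $request['requesttoken'];
    if (!isset($session[$key])) {
        return false; // token never registered in this session
    }
    // valid while the stored timestamp is within the last hour
    return $session[$key] + REQUESTTOKEN_MAX_AGE >= $now;
}

// Demo with a constructed session array: a fresh token, an unknown token,
// the same token one hour and one second later, and a request with no token.
$session = [];
$token = callRegister($session);
var_dump(isCallRegistered($session, ['requesttoken' => $token]));
var_dump(isCallRegistered($session, ['requesttoken' => 'not-registered']));
var_dump(isCallRegistered($session, ['requesttoken' => $token], time() + 3601));
var_dump(isCallRegistered($session, []));
```

Because the token is looked up as an array key rather than compared with `==`, no separate comparison step is needed; what matters is that the token is unguessable and that the page or script that emits it is the only place it leaves the session.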
More information about the Owncloud mailing list