[Owncloud] Cross-site request forgery protection

Thomas Tanghus thomas at tanghus.net
Sat Jun 30 11:35:15 UTC 2012


On Saturday 30 June 2012 01:36 Florian Hülsmann wrote:
> Just found out that installation process fails when I disable HTTP
> referer URL. This is because of CSRF protection in lib/base.php which
> checks for the referer in HTTP headers.

I believe it was agreed upon to remove the referer check earlier in this thread?
If you call OCP\JSON::callCheck() in ajax scripts that create/update/delete, it 
will check for the token. In most cases the token is sent automatically when you 
make ajax calls, but if you e.g. make a call that creates a dialog with a form, 
you will have to assign the token to the template and make a hidden field in the form.

In the ajax call:

$.getJSON(OC.filePath('contacts', 'ajax', 'action.php'),
    {'id': this.id, 'requesttoken': requesttoken},   // token travels with the request
    function(jsondata) { /* .. handle the returned markup .. */ });

In action.php:

OCP\JSON::callCheck(); // rejects the request unless a valid token was sent
$requesttoken = $_GET['requesttoken'];
$id = $_GET['id'];
// $tmpkey is assumed to be set earlier in the script (not shown here)
$tmpl = new OCP\Template("contacts", "part.action");
$tmpl->assign('tmpkey', $tmpkey);
$tmpl->assign('id', $id);
$tmpl->assign('requesttoken', $requesttoken); // passed on to the hidden form field
$page = $tmpl->fetchPage();

And in the template:

<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken']; ?>">



> Would it be possible to do CSRF protection without requiring the browser
> to send the referer header? I'm not familiar with CSRF, but I remember
> having seen something like CSRF protection tokens in HTTP headers on
> other sites/web apps, which we don't have in ownCloud (do we?). Maybe
> that's a way to go...
> 
> Florian
> 
> On 13.06.2012 23:01, Thomas Tanghus wrote:
> > On Wednesday 13 June 2012 22:40 Frank Karlitschek wrote:
> >> Very cool!!
> >> 
> >> do you think it's possible to backport it to stable4?
> > 
> > It's probably easiest to copy/paste it ;-) I'll have a look at it
> > tomorrow.
-- 
Med venlig hilsen / Best Regards

Thomas Tanghus
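The token scheme described in the mail, as an added stand-alone example (not ownCloud's own code): a per-session token is issued once, embedded in the page or sent with the ajax data, and a callCheck-style function rejects any state-changing request that does not carry it. The session is a plain array and the function names (issueToken, callCheck, handleAction) are hypothetical so it runs from the command line.

```php
<?php
// Added example, not ownCloud code. A plain array stands in for the
// PHP session so this runs without cookies; function names are made up.
declare(strict_types=1);

/** Issue the session's token once; later page loads reuse it. */
function issueToken(array &$session): string
{
    if (!isset($session['requesttoken'])) {
        // 128 bits from the CSPRNG; a cross-site page cannot read this value
        $session['requesttoken'] = bin2hex(random_bytes(16));
    }
    return $session['requesttoken'];
}

/**
 * Accept the token from the GET/POST data (hidden field or ajax data, as in
 * the mail) or from a request header, and compare it in constant time.
 * Returns false instead of exiting so it can be exercised in a script.
 */
function callCheck(array $session, array $params, array $headers): bool
{
    $expected = $session['requesttoken'] ?? '';
    $given = $params['requesttoken'] ?? $headers['X-Request-Token'] ?? '';
    if ($expected === '' || $given === '') {
        return false;                      // no token issued, or none sent
    }
    return hash_equals($expected, $given);
}

/** The state-changing endpoint: the check runs before any work is done. */
function handleAction(array $session, array $params, array $headers): array
{
    if (!callCheck($session, $params, $headers)) {
        return ['status' => 'error', 'data' => ['message' => 'Token missing or invalid']];
    }
    return ['status' => 'success', 'data' => ['id' => $params['id'] ?? null]];
}

// Constructed demo: a legitimate request versus one without the token.
$session = [];
$token  = issueToken($session);   // what the template would embed
$legit  = handleAction($session, ['id' => '42', 'requesttoken' => $token], []);
// A forged cross-site request still carries the session cookie (so $session
// is the same) but cannot include the token, and is refused; no Referer needed.
$forged = handleAction($session, ['id' => '42'], []);
echo json_encode(['legit' => $legit, 'forged' => $forged], JSON_PRETTY_PRINT), PHP_EOL;
```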
