[Owncloud] Cross-site request forgery protection
Thomas Tanghus
thomas at tanghus.net
Sat Jun 30 11:35:15 UTC 2012
On Saturday 30 June 2012 01:36 Florian Hülsmann wrote:
> Just found out that installation process fails when I disable HTTP
> referer URL. This is because of CSRF protection in lib/base.php which
> checks for the referer in HTTP headers.
I believe it was agreed upon to remove the referer check earlier in this thread?
If you call OCP\JSON::callCheck() in ajax scripts that creates/updates/deletes it
will check for the token. In most cases the token is sent automatically when you
make ajax calls, but if you e.g. make a call that creates a dialog with a form,
you will have to assign the token to the template, and make a hidden field in the form.
In the ajax call:
$.getJSON(OC.filePath('contacts', 'ajax', 'action.php'),{'id':this.id, 'requesttoken':requesttoken},function(jsondata){ .. }
In action.php:
$requesttoken = $_GET['requesttoken'];
$id = $_GET['id'];
$tmpl = new OCP\Template("contacts", "part.action");
$tmpl->assign('tmpkey', $tmpkey);
$tmpl->assign('id', $id);
$tmpl->assign('requesttoken', $requesttoken);
$page = $tmpl->fetchPage();
And in the template:
<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken']; ?>">
> Would it be possible to do CSRF protection without requiring the browser
> to send the referer header?? I'm not familiar with CSRF, but I remember
> having seen something like CSRF protection tokens in HTTP headers on
> other sites/web apps, which we don't have in ownCloud (do we?). Maybe
> that's a way to go...
>
> Florian
>
> Am 13.06.2012 23:01, schrieb Thomas Tanghus:
> > On Wednesday 13 June 2012 22:40 Frank Karlitschek wrote:
> >> Very cool!!
> >>
> >> do you think it´s possible to backport it to stable4?
> >
> > It's probably easiest to copy/paste it ;-) I'll have a look at it
> > tomorrow.
--
Med venlig hilsen / Best Regards
Thomas Tanghus
More information about the Owncloud
mailing list