[pLog-svn] r6083 - in plog/trunk: class/action/admin class/data class/data/validator templates/admin
reto at devel.lifetype.net
reto at devel.lifetype.net
Tue Nov 27 16:05:57 EST 2007
Author: reto
Date: 2007-11-27 16:05:57 -0500 (Tue, 27 Nov 2007)
New Revision: 6083
Added:
plog/trunk/class/data/nonce.class.php
plog/trunk/class/data/validator/noncevalidator.class.php
Modified:
plog/trunk/class/action/admin/adminaction.class.php
plog/trunk/class/action/admin/admindeletepostaction.class.php
plog/trunk/templates/admin/editposts.template
Log:
First PoC implementation for CSRF protection:
- nonce.class.php does nothing but generating nonces. Note: the randomizer is quite simple and but I'm not sure if there is need for some more complex (and time consuming) nonce generation.
- noncevalidator compares the nonce in the request with the nonce in the session
- adminaction stores a new nonce to the users session each time the method setCommonData is called (this deletes any previously set nonces after validation)
limitations:
- it doesn't work with javascript enabled ATM.
- it doesn't work with GET requests (i.e. klicks on the delete icons)
- only works on the deletepostaction
Modified: plog/trunk/class/action/admin/adminaction.class.php
===================================================================
--- plog/trunk/class/action/admin/adminaction.class.php 2007-11-27 20:56:55 UTC (rev 6082)
+++ plog/trunk/class/action/admin/adminaction.class.php 2007-11-27 21:05:57 UTC (rev 6083)
@@ -1,7 +1,8 @@
<?php
lt_include( PLOG_CLASS_PATH."class/dao/blogstatus.class.php" );
-
+ lt_include( PLOG_CLASS_PATH."class/data/nonce.class.php" );
+
/**
* @see AdminAction::requirePermission()
*/
@@ -34,6 +35,7 @@
var $_pm;
var $_userBlogs;
var $_permissions;
+ var $_nonce;
/**
* Constructor.
@@ -167,6 +169,14 @@
$this->_view->setValue( "op", $this->_actionInfo->_actionParamValue );
$this->_view->setValue( "locale", $this->_locale );
$this->_view->setValue( "config", $this->_config );
+
+
+ //let's create a nonce to protect against CSRF
+ $nonce = new Nonce();
+ $this->_nonce = $nonce->getNonce();
+ $this->_session->setValue('nonce',$this->_nonce);
+
+ $this->_view->setValue( "nonce", $this->_nonce );
}
/**
@@ -338,4 +348,4 @@
return( $view );
}
}
-?>
\ No newline at end of file
+?>
Modified: plog/trunk/class/action/admin/admindeletepostaction.class.php
===================================================================
--- plog/trunk/class/action/admin/admindeletepostaction.class.php 2007-11-27 20:56:55 UTC (rev 6082)
+++ plog/trunk/class/action/admin/admindeletepostaction.class.php 2007-11-27 21:05:57 UTC (rev 6083)
@@ -26,6 +26,8 @@
else
$this->registerFieldValidator( "postIds", new ArrayValidator( new IntegerValidator()));
+ $this->registerFieldValidator( "nonce", new NonceValidator() );
+
$view = new AdminPostsListView( $this->_blogInfo );
$view->setErrorMessage( $this->_locale->tr("error_incorrect_article_id"));
$this->setValidationErrorView( $view );
@@ -33,6 +35,18 @@
$this->requirePermission( "update_post" );
}
+ /**
+ *
+ */
+ /*function validate()
+ {
+ $nonceValidator = new NonceValidator();
+
+ if( !$nonceValidator->validate( $this->_request->getValue( "nonce" ) ) )
+ return false;
+ }*/
+
+
/**
* Carries out the specified action
*/
@@ -133,4 +147,4 @@
return true;
}
}
-?>
\ No newline at end of file
+?>
Added: plog/trunk/class/data/nonce.class.php
===================================================================
--- plog/trunk/class/data/nonce.class.php (rev 0)
+++ plog/trunk/class/data/nonce.class.php 2007-11-27 21:05:57 UTC (rev 6083)
@@ -0,0 +1,42 @@
+<?php
+ /**
+ * \ingroup Data
+ *
+ * Class to generate random nonces to protect from CSRF attacks.
+ *
+ */
+ class Nonce
+ {
+ var $_nonce = '';
+
+ /**
+ * Constructor.
+ */
+ function Nonce()
+ {
+ $this->_nonce = $this->create();
+
+ }
+
+
+ /**
+ * generates a new nonce
+ *
+ * @return a reasonably enough random string
+ */
+ function create()
+ {
+
+ $nonce = md5(time().rand(1000,9999));
+ return( $nonce );
+
+ }
+
+ function getNonce()
+ {
+ return $this->_nonce;
+ }
+
+
+ }
+?>
Added: plog/trunk/class/data/validator/noncevalidator.class.php
===================================================================
--- plog/trunk/class/data/validator/noncevalidator.class.php (rev 0)
+++ plog/trunk/class/data/validator/noncevalidator.class.php 2007-11-27 21:05:57 UTC (rev 6083)
@@ -0,0 +1,41 @@
+<?php
+
+
+
+ /**
+ * \ingroup Validator
+ *
+ * Validates nonces protecting sensitive actions from CSRF:
+ *
+ *
+ */
+ class NonceValidator extends Validator
+ {
+ function NonceValidator()
+ {
+ $this->Validator();
+ }
+
+
+ function validate($requestNonce)
+ {
+ $log = LoggerManager::getLogger( "debug" );
+
+ // get the session nonce
+ $session = HttpVars::getSession();
+ $this->_session = $session["SessionInfo"];
+ $sessionNonce = $this->_session->getValue('nonce');
+
+ $log->info('request: '. $requestNonce);
+ $log->info('session: '. $sessionNonce);
+
+ if ($requestNonce === $sessionNonce) {
+ return true;
+ }
+ else {
+ return false;
+ }
+
+ }
+ }
+?>
Modified: plog/trunk/templates/admin/editposts.template
===================================================================
--- plog/trunk/templates/admin/editposts.template 2007-11-27 20:56:55 UTC (rev 6082)
+++ plog/trunk/templates/admin/editposts.template 2007-11-27 21:05:57 UTC (rev 6083)
@@ -120,6 +120,7 @@
<a name="bulkEdit"></a>
<div id="list_action_bar">
{check_perms perm=update_post}
+ <input type="hidden" name="nonce" value="{$nonce}" />
<input type="submit" name="delete" value="{$locale->tr("delete")}" class="submit" />
<input type="hidden" name="op" value="deletePosts" />
{/check_perms}
More information about the pLog-svn
mailing list