[pLog-svn] r6083 - in plog/trunk: class/action/admin class/data class/data/validator templates/admin

Oscar Renalias oscar at renalias.net
Tue Nov 27 16:36:00 EST 2007


Looks interesting, but how about we move it to its own branch (from  
'trunk') for the time being? At least until we agree on an  
implementation and see that it really works.

You can go ahead and create the branch yourself, if you agree :)

Oscar

On Nov 27, 2007, at 11:05 PM, reto at devel.lifetype.net wrote:

> Author: reto
> Date: 2007-11-27 16:05:57 -0500 (Tue, 27 Nov 2007)
> New Revision: 6083
>
> Added:
>   plog/trunk/class/data/nonce.class.php
>   plog/trunk/class/data/validator/noncevalidator.class.php
> Modified:
>   plog/trunk/class/action/admin/adminaction.class.php
>   plog/trunk/class/action/admin/admindeletepostaction.class.php
>   plog/trunk/templates/admin/editposts.template
> Log:
> First PoC implementation for CSRF protection:
> - nonce.class.php does nothing but generate nonces. Note: the
> randomizer is quite simple, but I'm not sure whether there is a need for
> some more complex (and time-consuming) nonce generation.
>
> - noncevalidator compares the nonce in the request with the nonce in  
> the session
>
> - adminaction stores a new nonce to the users session each time the  
> method setCommonData is called (this deletes any previously set  
> nonces after validation)
>
> limitations:
> - it doesn't work with javascript enabled ATM.
> - it doesn't work with GET requests (i.e. klicks on the delete icons)
> - only works on the deletepostaction
>
>
>
> Modified: plog/trunk/class/action/admin/adminaction.class.php
> ===================================================================
> --- plog/trunk/class/action/admin/adminaction.class.php	2007-11-27  
> 20:56:55 UTC (rev 6082)
> +++ plog/trunk/class/action/admin/adminaction.class.php	2007-11-27  
> 21:05:57 UTC (rev 6083)
> @@ -1,7 +1,8 @@
> <?php
>
> 	lt_include( PLOG_CLASS_PATH."class/dao/blogstatus.class.php" );	
> -
> +    lt_include( PLOG_CLASS_PATH."class/data/nonce.class.php" );
> +
> 	/**
> 	 * @see AdminAction::requirePermission()
> 	 */
> @@ -34,6 +35,7 @@
> 		var $_pm;
> 		var $_userBlogs;
> 		var $_permissions;
> +		var $_nonce;
>
>         /**
>          * Constructor.
> @@ -167,6 +169,14 @@
>             $this->_view->setValue( "op", $this->_actionInfo- 
> >_actionParamValue );
> 			$this->_view->setValue( "locale", $this->_locale );
> 			$this->_view->setValue( "config", $this->_config );
> +			
> +			
> +            //let's create a nonce to protect against CSRF
> +            $nonce = new Nonce();
> +            $this->_nonce = $nonce->getNonce();
> +            $this->_session->setValue('nonce',$this->_nonce);
> +			
> +			$this->_view->setValue( "nonce", $this->_nonce );
>         }
>
>         /**
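Review bot: Every call to `setCommonData()` mints a new token and overwrites the single session slot `nonce` (the three added lines after the CSRF comment), so the token embedded in the edit-posts form is invalidated by any later admin page render in the same session — another tab, a redirect — and the delete is then rejected as a nonce mismatch. Generating the token only when the session has none, `if( !$this->_session->getValue('nonce') )`, or keeping a bounded list of outstanding tokens, would avoid this; whether `setValue()` alone persists the session is not visible here. The enclosing `setCommonData()` starts outside the hunk.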
> @@ -338,4 +348,4 @@
> 			return( $view );
> 		}		
>     }
> -?>
> \ No newline at end of file
> +?>
>
> Modified: plog/trunk/class/action/admin/ 
> admindeletepostaction.class.php
> ===================================================================
> --- plog/trunk/class/action/admin/admindeletepostaction.class.php	 
> 2007-11-27 20:56:55 UTC (rev 6082)
> +++ plog/trunk/class/action/admin/admindeletepostaction.class.php	 
> 2007-11-27 21:05:57 UTC (rev 6083)
> @@ -26,6 +26,8 @@
> 			else
> 				$this->registerFieldValidator( "postIds", new  
> ArrayValidator( new IntegerValidator()));
>
> +            $this->registerFieldValidator( "nonce", new  
> NonceValidator() );
> +
> 			$view = new AdminPostsListView( $this->_blogInfo );
> 			$view->setErrorMessage( $this->_locale- 
> >tr("error_incorrect_article_id"));
> 			$this->setValidationErrorView( $view );	
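Review bot: The error view configured on the two lines after the new `registerFieldValidator( "nonce", ... )` call reports every validation failure as `error_incorrect_article_id`, so a CSRF rejection is shown to the user as a bad article id, which will make the new check hard to diagnose. A dedicated locale key for the nonce case (for example `error_invalid_nonce`, added to the locale files) would make the rejection explicit; how `AdminAction` selects the message per failed validator is not visible in this hunk, so it may need a small change there too. The enclosing constructor starts before the hunk.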
> @@ -33,6 +35,18 @@
> 			$this->requirePermission( "update_post" );	
>         }
>
> +		/**
> +         *
> +		 */
> +		/*function validate()
> +		{
> +			$nonceValidator = new NonceValidator();
> +			
> +			if( !$nonceValidator->validate( $this->_request- 
> >getValue( "nonce" ) ) )
> +                return false;
> +		}*/
> +
> +
>         /**
>          * Carries out the specified action
>          */
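Review bot: The added `validate()` is commented out under an empty docblock, so it is dead code that will drift from the `registerFieldValidator( "nonce", ... )` path the action actually uses. Either delete the block, or, if a hand-written override is intended, implement it and have it call `parent::validate()` as well so the other field validators still run; keep only one of the two mechanisms.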
> @@ -133,4 +147,4 @@
> 	        return true;
> 		}
>     }
> -?>
> \ No newline at end of file
> +?>
>
> Added: plog/trunk/class/data/nonce.class.php
> ===================================================================
> --- plog/trunk/class/data/nonce.class.php	                         
> (rev 0)
> +++ plog/trunk/class/data/nonce.class.php	2007-11-27 21:05:57 UTC  
> (rev 6083)
> @@ -0,0 +1,42 @@
> +<?php
> +	/**
> +	 * \ingroup Data
> +	 *	
> +	 * Class to generate random nonces to protect from CSRF attacks.
> +	 *
> +	 */
> +	class Nonce
> +	{
> +		var $_nonce = '';
> +		
> +		/**
> +		 * Constructor.
> +		 */
> +		function Nonce()
> +		{
> +			$this->_nonce = $this->create();
> +
> +		}
> +		
> +		
> +		/**
> +		 * generates a new nonce
> +		 *
> +		 * @return a reasonably enough random string
> +		 */
> +		function create()
> +		{
> +
> +            $nonce = md5(time().rand(1000,9999));
> +			return( $nonce );
> +
> +		}
> +		
> +		function getNonce()
> +		{
> +            		return $this->_nonce;
> +		}
> +
> +
> +	}
> +?>
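Review bot: `create()` builds the token as `md5(time().rand(1000,9999))`, so within any one second only 9000 distinct values exist and `rand()` is not a generator meant for secrets; a token this guessable gives little CSRF protection. Take the entropy from a source intended for the purpose instead — 16 bytes read from `/dev/urandom` and hex-encoded (or `bin2hex(random_bytes(16))` where the project's PHP version provides it) — and if a portable fallback is required, at least mix in `uniqid('', true)` and the session id rather than the wall-clock second alone. The docblock `@return a reasonably enough random string` should state the actual contract, e.g. `@return string 32-character hexadecimal token`.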
>
> Added: plog/trunk/class/data/validator/noncevalidator.class.php
> ===================================================================
> --- plog/trunk/class/data/validator/ 
> noncevalidator.class.php	                        (rev 0)
> +++ plog/trunk/class/data/validator/noncevalidator.class.php	 
> 2007-11-27 21:05:57 UTC (rev 6083)
> @@ -0,0 +1,41 @@
> +<?php
> +
> +
> +
> +    /**
> +     * \ingroup Validator
> +     *
> +     * Validates nonces protecting sensitive actions from CSRF:
> +     *
> +     *
> +     */
> +    class NonceValidator extends Validator
> +    {
> +    	function NonceValidator()
> +        {
> +        	$this->Validator();
> +        }
> +
> +
> +        function validate($requestNonce)
> +        {
> +            $log = LoggerManager::getLogger( "debug" );
> +
> +            // get the session nonce
> +            $session = HttpVars::getSession();
> +            $this->_session = $session["SessionInfo"];
> +            $sessionNonce = $this->_session->getValue('nonce');
> +
> +            $log->info('request: '. $requestNonce);
> +            $log->info('session: '. $sessionNonce);
> +
> +            if ($requestNonce === $sessionNonce) {
> +                return true;
> +            }
> +            else {
> +                return false;
> +            }
> +
> +        }
> +    }
> +?>
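Review bot: The two `$log->info()` calls write both the request token and the session token to the debug log, so anyone with read access to that log learns a valid CSRF token for the live session; drop them, or log only the boolean outcome. The comparison should also fail closed when the session holds no token: if `getValue('nonce')` returns null for a missing key and the framework passes null for an absent field, `null === null` currently validates a request that carries no token at all, so guard with `if( $sessionNonce === null || $sessionNonce === '' ) return false;` and finish with `return( $requestNonce === $sessionNonce );`. `$this->_session` is assigned on the validator without being declared — a local variable would do — and consider clearing the session token after a successful match so each one is single-use.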
>
> Modified: plog/trunk/templates/admin/editposts.template
> ===================================================================
> --- plog/trunk/templates/admin/editposts.template	2007-11-27  
> 20:56:55 UTC (rev 6082)
> +++ plog/trunk/templates/admin/editposts.template	2007-11-27  
> 21:05:57 UTC (rev 6083)
> @@ -120,6 +120,7 @@
>         <a name="bulkEdit"></a>
>         <div id="list_action_bar">
> 			{check_perms perm=update_post}
> +            <input type="hidden" name="nonce" value="{$nonce}" />
>             <input type="submit" name="delete" value="{$locale- 
> >tr("delete")}" class="submit" />
>             <input type="hidden" name="op" value="deletePosts" />
> 			{/check_perms}
>


