[pLog-svn] r6083 - in plog/trunk: class/action/admin class/data class/data/validator templates/admin
Reto Hugi
plog at hugi.to
Tue Nov 27 17:08:25 EST 2007
ok, I'll do that asap. where asap may be next weekend :)
On 11/27/2007 10:36 PM, Oscar Renalias wrote:
> Looks interesting, but how about we move it to its own branch (from
> 'trunk') for the time being? At least until we agree on an
> implementation and see that it really works.
>
> You can go ahead and create the branch yourself, if you agree :)
>
> Oscar
>
> On Nov 27, 2007, at 11:05 PM, reto at devel.lifetype.net wrote:
>
>> Author: reto
>> Date: 2007-11-27 16:05:57 -0500 (Tue, 27 Nov 2007)
>> New Revision: 6083
>>
>> Added:
>> plog/trunk/class/data/nonce.class.php
>> plog/trunk/class/data/validator/noncevalidator.class.php
>> Modified:
>> plog/trunk/class/action/admin/adminaction.class.php
>> plog/trunk/class/action/admin/admindeletepostaction.class.php
>> plog/trunk/templates/admin/editposts.template
>> Log:
>> First PoC implementation for CSRF protection:
>> - nonce.class.php does nothing but generate nonces. Note: the
>> randomizer is quite simple, but I'm not sure if there is need for
>> some more complex (and time consuming) nonce generation.
>>
>> - noncevalidator compares the nonce in the request with the nonce in
>> the session
>>
>> - adminaction stores a new nonce to the users session each time the
>> method setCommonData is called (this deletes any previously set
>> nonces after validation)
>>
>> limitations:
>> - it doesn't work with javascript enabled ATM.
>> - it doesn't work with GET requests (i.e. klicks on the delete icons)
>> - only works on the deletepostaction
>>
>>
>>
>> Modified: plog/trunk/class/action/admin/adminaction.class.php
>> ===================================================================
>> --- plog/trunk/class/action/admin/adminaction.class.php 2007-11-27
>> 20:56:55 UTC (rev 6082)
>> +++ plog/trunk/class/action/admin/adminaction.class.php 2007-11-27
>> 21:05:57 UTC (rev 6083)
>> @@ -1,7 +1,8 @@
>> <?php
>>
>> lt_include( PLOG_CLASS_PATH."class/dao/blogstatus.class.php" );
>> -
>> + lt_include( PLOG_CLASS_PATH."class/data/nonce.class.php" );
>> +
>> /**
>> * @see AdminAction::requirePermission()
>> */
>> @@ -34,6 +35,7 @@
>> var $_pm;
>> var $_userBlogs;
>> var $_permissions;
>> + var $_nonce;
>>
>> /**
>> * Constructor.
>> @@ -167,6 +169,14 @@
>> $this->_view->setValue( "op", $this->_actionInfo-
>> >_actionParamValue );
>> $this->_view->setValue( "locale", $this->_locale );
>> $this->_view->setValue( "config", $this->_config );
>> +
>> +
>> + //let's create a nonce to protect against CSRF
>> + $nonce = new Nonce();
>> + $this->_nonce = $nonce->getNonce();
>> + $this->_session->setValue('nonce',$this->_nonce);
>> +
>> + $this->_view->setValue( "nonce", $this->_nonce );
>> }
>>
>> /**
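Review bot: The `$this->_session->setValue('nonce',$this->_nonce)` added here replaces the session token on every call of setCommonData (the log says this runs on each admin page render), so a form's token is only valid until the next admin page is rendered in the same session; a second tab or a reload is likely to make an otherwise legitimate delete fail the NonceValidator. Generating the token once per session and reusing it while present gives the same CSRF protection without that, e.g. `if( $this->_session->getValue('nonce') == '' ) $this->_session->setValue('nonce', $nonce->getNonce());` followed by `$this->_nonce = $this->_session->getValue('nonce');` before the view setValue. Whether the session object is persisted after setValue is not visible in this hunk. setCommonData begins outside the hunk; only its tail is shown.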
>> @@ -338,4 +348,4 @@
>> return( $view );
>> }
>> }
>> -?>
>> \ No newline at end of file
>> +?>
>>
>> Modified: plog/trunk/class/action/admin/
>> admindeletepostaction.class.php
>> ===================================================================
>> --- plog/trunk/class/action/admin/admindeletepostaction.class.php
>> 2007-11-27 20:56:55 UTC (rev 6082)
>> +++ plog/trunk/class/action/admin/admindeletepostaction.class.php
>> 2007-11-27 21:05:57 UTC (rev 6083)
>> @@ -26,6 +26,8 @@
>> else
>> $this->registerFieldValidator( "postIds", new
>> ArrayValidator( new IntegerValidator()));
>>
>> + $this->registerFieldValidator( "nonce", new
>> NonceValidator() );
>> +
>> $view = new AdminPostsListView( $this->_blogInfo );
>> $view->setErrorMessage( $this->_locale-
>> >tr("error_incorrect_article_id"));
>> $this->setValidationErrorView( $view );
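Review bot: The validation-error view set just below the new `registerFieldValidator( "nonce", new NonceValidator() )` still carries error_incorrect_article_id, so a request rejected because its nonce does not match is reported to the user as a bad article id, which will make CSRF rejections hard to recognise in support reports. Since the registered validators apparently share this one error view, either a message covering both cases or a dedicated locale key (placeholder: `error_nonce_check_failed`) should be used for the nonce case. The enclosing constructor starts and ends outside the hunk.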
>> @@ -33,6 +35,18 @@
>> $this->requirePermission( "update_post" );
>> }
>>
>> + /**
>> + *
>> + */
>> + /*function validate()
>> + {
>> + $nonceValidator = new NonceValidator();
>> +
>> + if( !$nonceValidator->validate( $this->_request-
>> >getValue( "nonce" ) ) )
>> + return false;
>> + }*/
>> +
>> +
>> /**
>> * Carries out the specified action
>> */
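Review bot: The commented-out validate() stub added in this hunk is dead code and should be dropped rather than committed: the nonce check already happens through the NonceValidator registered in the constructor, and the stub as written returns false on mismatch but falls off the end (returning null) on success, so un-commenting it later would break the action. If a reminder is wanted, a one-line comment `// the request nonce is checked by the NonceValidator registered in the constructor` says the same without dead code. The empty docblock above it should go with it.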
>> @@ -133,4 +147,4 @@
>> return true;
>> }
>> }
>> -?>
>> \ No newline at end of file
>> +?>
>>
>> Added: plog/trunk/class/data/nonce.class.php
>> ===================================================================
>> --- plog/trunk/class/data/nonce.class.php
>> (rev 0)
>> +++ plog/trunk/class/data/nonce.class.php 2007-11-27 21:05:57 UTC
>> (rev 6083)
>> @@ -0,0 +1,42 @@
>> +<?php
>> + /**
>> + * \ingroup Data
>> + *
>> + * Class to generate random nonces to protect from CSRF attacks.
>> + *
>> + */
>> + class Nonce
>> + {
>> + var $_nonce = '';
>> +
>> + /**
>> + * Constructor.
>> + */
>> + function Nonce()
>> + {
>> + $this->_nonce = $this->create();
>> +
>> + }
>> +
>> +
>> + /**
>> + * generates a new nonce
>> + *
>> + * @return a reasonably enough random string
>> + */
>> + function create()
>> + {
>> +
>> + $nonce = md5(time().rand(1000,9999));
>> + return( $nonce );
>> +
>> + }
>> +
>> + function getNonce()
>> + {
>> + return $this->_nonce;
>> + }
>> +
>> +
>> + }
>> +?>
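Review bot: create() derives the token from `md5(time().rand(1000,9999))`, which yields at most 9000 distinct values for any given second and depends on the request time, so the token is guessable rather than unpredictable, and the md5 step adds no entropy over its input. A CSRF token has to come from a cryptographically secure source; on PHP releases that provide it, `$nonce = bin2hex( random_bytes( 16 ) );` is the one-line replacement, and older runtimes should read the bytes from the OS random device rather than rand(). The docblock's `@return a reasonably enough random string` should then state what is returned, e.g. `@return string hex-encoded token from a cryptographically secure random source`.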
>>
>> Added: plog/trunk/class/data/validator/noncevalidator.class.php
>> ===================================================================
>> --- plog/trunk/class/data/validator/
>> noncevalidator.class.php (rev 0)
>> +++ plog/trunk/class/data/validator/noncevalidator.class.php
>> 2007-11-27 21:05:57 UTC (rev 6083)
>> @@ -0,0 +1,41 @@
>> +<?php
>> +
>> +
>> +
>> + /**
>> + * \ingroup Validator
>> + *
>> + * Validates nonces protecting sensitive actions from CSRF:
>> + *
>> + *
>> + */
>> + class NonceValidator extends Validator
>> + {
>> + function NonceValidator()
>> + {
>> + $this->Validator();
>> + }
>> +
>> +
>> + function validate($requestNonce)
>> + {
>> + $log = LoggerManager::getLogger( "debug" );
>> +
>> + // get the session nonce
>> + $session = HttpVars::getSession();
>> + $this->_session = $session["SessionInfo"];
>> + $sessionNonce = $this->_session->getValue('nonce');
>> +
>> + $log->info('request: '. $requestNonce);
>> + $log->info('session: '. $sessionNonce);
>> +
>> + if ($requestNonce === $sessionNonce) {
>> + return true;
>> + }
>> + else {
>> + return false;
>> + }
>> +
>> + }
>> + }
>> +?>
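Review bot: validate() writes both the request nonce and the session nonce to the debug log at info level, which records the live CSRF token of every checked request in the log file; the two `$log->info(...)` lines and the logger lookup should be removed before this leaves the branch. The comparison also passes when both sides are absent: if no nonce was stored in the session and the framework hands a missing field to validate() as null, `null === null` is true and the check succeeds, so an empty session value must be rejected explicitly, e.g. `if( $sessionNonce == '' || !is_string( $requestNonce ) ) return false;` ahead of the comparison. The if/else can then collapse to `return( $requestNonce === $sessionNonce );` (or `hash_equals( $sessionNonce, $requestNonce )` where that function is available). Assigning `$this->_session` on a validator instance is also an undeclared property; a local variable is enough here.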
>>
>> Modified: plog/trunk/templates/admin/editposts.template
>> ===================================================================
>> --- plog/trunk/templates/admin/editposts.template 2007-11-27
>> 20:56:55 UTC (rev 6082)
>> +++ plog/trunk/templates/admin/editposts.template 2007-11-27
>> 21:05:57 UTC (rev 6083)
>> @@ -120,6 +120,7 @@
>> <a name="bulkEdit"></a>
>> <div id="list_action_bar">
>> {check_perms perm=update_post}
>> + <input type="hidden" name="nonce" value="{$nonce}" />
>> <input type="submit" name="delete" value="{$locale-
>> >tr("delete")}" class="submit" />
>> <input type="hidden" name="op" value="deletePosts" />
>> {/check_perms}
>>
>