[pLog-svn] r6083 - in plog/trunk: class/action/admin class/data class/data/validator templates/admin
Mark Wu
markplace at gmail.com
Wed Nov 28 11:42:11 EST 2007
Hi Reto:
Next week? Then, it is not good. :P
If you allow, I will create a branch for you, and revert the trunk and
move your committed code there.
Regards, Mark
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
> Sent: Wednesday, November 28, 2007 6:08 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] r6083 - in plog/trunk:
> class/action/admin class/data class/data/validator templates/admin
>
> ok, I'll do that asap. where asap may be next weekend :)
>
> On 11/27/2007 10:36 PM, Oscar Renalias wrote:
> > Looks interesting, but how about we move it to its own branch (from
> > 'trunk') for the time being? At least until we agree on an
> > implementation and see that it really works.
> >
> > You can go ahead and create the branch yourself, if you agree :)
> >
> > Oscar
> >
> > On Nov 27, 2007, at 11:05 PM, reto at devel.lifetype.net wrote:
> >
> >> Author: reto
> >> Date: 2007-11-27 16:05:57 -0500 (Tue, 27 Nov 2007)
> >> New Revision: 6083
> >>
> >> Added:
> >> plog/trunk/class/data/nonce.class.php
> >> plog/trunk/class/data/validator/noncevalidator.class.php
> >> Modified:
> >> plog/trunk/class/action/admin/adminaction.class.php
> >> plog/trunk/class/action/admin/admindeletepostaction.class.php
> >> plog/trunk/templates/admin/editposts.template
> >> Log:
> >> First PoC implementation for CSRF protection:
> >> - nonce.class.php does nothing but generate nonces. Note: the
> >> randomizer is quite simple, but I'm not sure if there is need for
> >> some more complex (and time consuming) nonce generation.
> >>
> >> - noncevalidator compares the nonce in the request with the nonce in
> >> the session
> >>
> >> - adminaction stores a new nonce to the user's session each time the
> >> method setCommonData is called (this deletes any previously set
> >> nonces after validation)
> >>
> >> limitations:
> >> - it doesn't work with javascript enabled ATM.
> >> - it doesn't work with GET requests (i.e. clicks on the delete icons)
> >> - only works on the deletepostaction
> >>
> >>
> >> Modified: plog/trunk/class/action/admin/adminaction.class.php
> >> ===================================================================
> >> --- plog/trunk/class/action/admin/adminaction.class.php
> 2007-11-27
> >> 20:56:55 UTC (rev 6082)
> >> +++ plog/trunk/class/action/admin/adminaction.class.php
> 2007-11-27
> >> 21:05:57 UTC (rev 6083)
> >> @@ -1,7 +1,8 @@
> >> <?php
> >>
> >> lt_include( PLOG_CLASS_PATH."class/dao/blogstatus.class.php" );
> >> -
> >> + lt_include( PLOG_CLASS_PATH."class/data/nonce.class.php" );
> >> +
> >> /**
> >> * @see AdminAction::requirePermission()
> >> */
> >> @@ -34,6 +35,7 @@
> >> var $_pm;
> >> var $_userBlogs;
> >> var $_permissions;
> >> + var $_nonce;
> >>
> >> /**
> >> * Constructor.
> >> @@ -167,6 +169,14 @@
> >> $this->_view->setValue( "op", $this->_actionInfo-
> >> >_actionParamValue );
> >> $this->_view->setValue( "locale",
> $this->_locale );
> >> $this->_view->setValue( "config",
> $this->_config );
> >> +
> >> +
> >> + //let's create a nonce to protect against CSRF
> >> + $nonce = new Nonce();
> >> + $this->_nonce = $nonce->getNonce();
> >> + $this->_session->setValue('nonce',$this->_nonce);
> >> +
> >> + $this->_view->setValue( "nonce",
> $this->_nonce );
> >> }
> >>
> >> /**
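Review bot: in the setCommonData() hunk, `$this->_session->setValue('nonce',$this->_nonce);` overwrites the single session slot on every call, so only the most recently rendered page carries a valid nonce: an admin with two tabs open will have the first tab's delete form rejected, and because the new value is written while rendering rather than after a successful check, any page load rotates the token. Keeping a small list of recent nonces in the session, and removing a nonce only once it has been validated, would preserve the protection while tolerating several open forms.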
> >> @@ -338,4 +348,4 @@
> >> return( $view );
> >> }
> >> }
> >> -?>
> >> \ No newline at end of file
> >> +?>
> >>
> >> Modified: plog/trunk/class/action/admin/
> >> admindeletepostaction.class.php
> >> ===================================================================
> >> ---
> plog/trunk/class/action/admin/admindeletepostaction.class.php
> >> 2007-11-27 20:56:55 UTC (rev 6082)
> >> +++
> plog/trunk/class/action/admin/admindeletepostaction.class.php
> >> 2007-11-27 21:05:57 UTC (rev 6083)
> >> @@ -26,6 +26,8 @@
> >> else
> >> $this->registerFieldValidator(
> "postIds", new ArrayValidator( new
> >> IntegerValidator()));
> >>
> >> + $this->registerFieldValidator( "nonce", new
> >> NonceValidator() );
> >> +
> >> $view = new AdminPostsListView(
> $this->_blogInfo );
> >> $view->setErrorMessage( $this->_locale-
> >> >tr("error_incorrect_article_id"));
> >> $this->setValidationErrorView( $view );
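Review bot: this hunk instantiates `new NonceValidator()`, but unlike the `lt_include( PLOG_CLASS_PATH."class/data/nonce.class.php" );` added to adminaction.class.php, no include of class/data/validator/noncevalidator.class.php appears anywhere in this file's changes; unless the validator is loaded elsewhere, the call fails on an undefined class. Separately, a failed nonce check falls through to the same `error_incorrect_article_id` view as a bad post id, which will make CSRF rejections hard to diagnose; a dedicated error message for the nonce case would help.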
> >> @@ -33,6 +35,18 @@
> >> $this->requirePermission( "update_post" );
> >> }
> >>
> >> + /**
> >> + *
> >> + */
> >> + /*function validate()
> >> + {
> >> + $nonceValidator = new NonceValidator();
> >> +
> >> + if( !$nonceValidator->validate( $this->_request-
> >> >getValue( "nonce" ) ) )
> >> + return false;
> >> + }*/
> >> +
> >> +
> >> /**
> >> * Carries out the specified action
> >> */
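Review bot: the commented-out validate() block, together with the empty doc comment above it, should not be committed as dead code; either remove it, since `registerFieldValidator( "nonce", new NonceValidator() );` in the previous hunk performs the check, or make it the live implementation if the per-field validator turns out not to be invoked for a missing parameter.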
> >> @@ -133,4 +147,4 @@
> >> return true;
> >> }
> >> }
> >> -?>
> >> \ No newline at end of file
> >> +?>
> >>
> >> Added: plog/trunk/class/data/nonce.class.php
> >> ===================================================================
> >> --- plog/trunk/class/data/nonce.class.php
>
> >> (rev 0)
> >> +++ plog/trunk/class/data/nonce.class.php 2007-11-27
> 21:05:57 UTC
> >> (rev 6083)
> >> @@ -0,0 +1,42 @@
> >> +<?php
> >> + /**
> >> + * \ingroup Data
> >> + *
> >> + * Class to generate random nonces to protect from CSRF attacks.
> >> + *
> >> + */
> >> + class Nonce
> >> + {
> >> + var $_nonce = '';
> >> +
> >> + /**
> >> + * Constructor.
> >> + */
> >> + function Nonce()
> >> + {
> >> + $this->_nonce = $this->create();
> >> +
> >> + }
> >> +
> >> +
> >> + /**
> >> + * generates a new nonce
> >> + *
> >> + * @return a reasonably enough random string
> >> + */
> >> + function create()
> >> + {
> >> +
> >> + $nonce = md5(time().rand(1000,9999));
> >> + return( $nonce );
> >> +
> >> + }
> >> +
> >> + function getNonce()
> >> + {
> >> + return $this->_nonce;
> >> + }
> >> +
> >> +
> >> + }
> >> +?>
> >>
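Review bot: in create(), `md5(time().rand(1000,9999));` is not a safe nonce source: time() is known to within a second or so and rand(1000,9999) adds only 9000 possibilities, so the candidate set for a given request window is small enough to enumerate, and md5 adds no entropy of its own. Draw the nonce from a cryptographic source instead, for example 16 bytes read from /dev/urandom and hex-encoded with bin2hex(), which costs no more than the current call. The log message already flags the randomizer as "quite simple"; this is the part of the PoC that should not be left as is.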
> >> Added: plog/trunk/class/data/validator/noncevalidator.class.php
> >> ===================================================================
> >> --- plog/trunk/class/data/validator/
> >> noncevalidator.class.php (rev 0)
> >> +++
> plog/trunk/class/data/validator/noncevalidator.class.php
> >> 2007-11-27 21:05:57 UTC (rev 6083)
> >> @@ -0,0 +1,41 @@
> >> +<?php
> >> +
> >> +
> >> +
> >> + /**
> >> + * \ingroup Validator
> >> + *
> >> + * Validates nonces protecting sensitive actions from CSRF:
> >> + *
> >> + *
> >> + */
> >> + class NonceValidator extends Validator
> >> + {
> >> + function NonceValidator()
> >> + {
> >> + $this->Validator();
> >> + }
> >> +
> >> +
> >> + function validate($requestNonce)
> >> + {
> >> + $log = LoggerManager::getLogger( "debug" );
> >> +
> >> + // get the session nonce
> >> + $session = HttpVars::getSession();
> >> + $this->_session = $session["SessionInfo"];
> >> + $sessionNonce = $this->_session->getValue('nonce');
> >> +
> >> + $log->info('request: '. $requestNonce);
> >> + $log->info('session: '. $sessionNonce);
> >> +
> >> + if ($requestNonce === $sessionNonce) {
> >> + return true;
> >> + }
> >> + else {
> >> + return false;
> >> + }
> >> +
> >> + }
> >> + }
> >> +?>
> >>
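Review bot: validate() writes both the request nonce and the session nonce to the debug log at info level (`$log->info('request: '. $requestNonce);` and the following line), which copies the live CSRF token into a log file; drop these before merging. The comparison also has no guard for an absent value: if the request carries no nonce parameter and the session holds none either, `$requestNonce === $sessionNonce` compares null with null and returns true, so check that both values are non-empty strings before comparing. Finally, the nonce is not cleared from the session after a successful check, so the same value is accepted again until setCommonData() happens to replace it.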
> >> Modified: plog/trunk/templates/admin/editposts.template
> >> ===================================================================
> >> --- plog/trunk/templates/admin/editposts.template 2007-11-27
> >> 20:56:55 UTC (rev 6082)
> >> +++ plog/trunk/templates/admin/editposts.template 2007-11-27
> >> 21:05:57 UTC (rev 6083)
> >> @@ -120,6 +120,7 @@
> >> <a name="bulkEdit"></a>
> >> <div id="list_action_bar">
> >> {check_perms perm=update_post}
> >> + <input type="hidden" name="nonce" value="{$nonce}" />
> >> <input type="submit" name="delete" value="{$locale-
> >> >tr("delete")}" class="submit" />
> >> <input type="hidden" name="op" value="deletePosts" />
> >> {/check_perms}
> >>
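Review bot: the hidden `nonce` field is added only to the bulk-action form inside {check_perms perm=update_post}, so the per-row delete icons (the GET links named under "limitations" in the log) still reach the delete action without any token, and only the bulk path is protected. Those links will need either to become small POST forms carrying the same field or to pass the nonce as a query parameter that admindeletepostaction validates in the same way.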
> >> _______________________________________________
> >> pLog-svn mailing list
> >> pLog-svn at devel.lifetype.net
> >> http://limedaley.com/mailman/listinfo/plog-svn
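The nonce scheme described in the r6083 log (generate a nonce when the page is rendered, store it in the session, compare it with the submitted value) in a hardened form, as an added example that is not LifeType/pLog code. It assumes PHP 7.0 or later for random_bytes() and hash_equals(), and uses a plain PHP array as a stand-in for the session store; the function names, the session key and the lifetime and size limits are illustrative choices, not anything from the project.

```php
<?php
// Added example (not LifeType/pLog code): hardened nonce handling for the
// scheme in r6083. Requires PHP 7.0+ (random_bytes, hash_equals). The
// $session array stands in for the session store; in a real request it
// would be $_SESSION or the framework's session object.

const NONCE_SESSION_KEY  = 'csrf_nonces'; // assumed key name
const NONCE_LIFETIME     = 3600;          // seconds a nonce stays valid (assumed)
const NONCE_MAX_PER_USER = 20;            // bounded set: several open tabs keep working

/**
 * Create a nonce bound to one action, record it in the session and
 * return the value to embed as a hidden form field.
 */
function nonce_create(array &$session, string $action): string
{
    // 16 bytes from the CSPRNG; md5(time().rand(1000,9999)) has only a
    // few thousand possible values per second and is guessable.
    $nonce = bin2hex(random_bytes(16));

    $session[NONCE_SESSION_KEY][$nonce] = [
        'action'  => $action,
        'created' => time(),
    ];

    // Keep only the newest entries so one user cannot grow the session
    // without bound; preserve keys because the nonce is the key.
    if (count($session[NONCE_SESSION_KEY]) > NONCE_MAX_PER_USER) {
        $session[NONCE_SESSION_KEY] = array_slice(
            $session[NONCE_SESSION_KEY], -NONCE_MAX_PER_USER, null, true
        );
    }
    return $nonce;
}

/**
 * Validate the nonce sent with a request. A nonce is accepted at most
 * once: it is removed from the session on first use, so a captured
 * request cannot be replayed.
 */
function nonce_validate(array &$session, string $action, $requestNonce): bool
{
    // Explicit missing-value handling: never let null === null succeed.
    if (!is_string($requestNonce) || $requestNonce === '') {
        return false;
    }

    $store = $session[NONCE_SESSION_KEY] ?? [];
    foreach ($store as $stored => $meta) {
        // Constant-time comparison; the stored value is the known string.
        if (hash_equals($stored, $requestNonce)) {
            unset($session[NONCE_SESSION_KEY][$stored]);   // single use
            return $meta['action'] === $action
                && (time() - $meta['created']) <= NONCE_LIFETIME;
        }
    }
    return false;   // unknown nonce
}

// Demo on a constructed in-memory session: two forms rendered in two tabs,
// first submission accepted, replay rejected, wrong action rejected,
// missing parameter rejected.
$session = [];
$tabOne = nonce_create($session, 'deletePosts');
$tabTwo = nonce_create($session, 'deletePosts');

var_dump(nonce_validate($session, 'deletePosts', $tabOne));
var_dump(nonce_validate($session, 'deletePosts', $tabOne));
var_dump(nonce_validate($session, 'editPost',    $tabTwo));
var_dump(nonce_validate($session, 'deletePosts', null));
```

Run with `php nonce_example.php`: the first check succeeds and the remaining three fail. Compared with the patch, this version draws the token from the CSPRNG, binds it to the action it protects, keeps a bounded set of outstanding nonces instead of one slot that every page render overwrites, compares in constant time, treats a missing parameter as a failure rather than a match against an empty session, and discards a nonce once it has been used.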