[pLog-svn] r6083 - in plog/trunk: class/action/admin class/data class/data/validator templates/admin
Reto Hugi
plog at hugi.to
Wed Nov 28 12:01:45 EST 2007
Weekend, not week. But yes, please go ahead; I already thought I may be
a bit late, that's why I mentioned it. I'm away the next 3 evenings...
Mark Wu wrote:
> Hi Reto:
>
> Next week? Then, it is not good. :P
>
> If you allow, I will create a branch for you, and revert the trunk and
> move your committed code there.
>
> Regards, Mark
>
>
>> -----Original Message-----
>> From: plog-svn-bounces at devel.lifetype.net
>> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
>> Sent: Wednesday, November 28, 2007 6:08 AM
>> To: LifeType Developer List
>> Subject: Re: [pLog-svn] r6083 - in plog/trunk:
>> class/action/admin class/data class/data/validator templates/admin
>>
>> OK, I'll do that ASAP, where ASAP may be next weekend :)
>>
>> On 11/27/2007 10:36 PM, Oscar Renalias wrote:
>>> Looks interesting, but how about we move it to its own branch (from
>>> 'trunk') for the time being? At least until we agree on an
>>> implementation and see that it really works.
>>>
>>> You can go ahead and create the branch yourself, if you agree :)
>>>
>>> Oscar
>>>
>>> On Nov 27, 2007, at 11:05 PM, reto at devel.lifetype.net wrote:
>>>
>>>> Author: reto
>>>> Date: 2007-11-27 16:05:57 -0500 (Tue, 27 Nov 2007)
>>>> New Revision: 6083
>>>> Added:
>>>> plog/trunk/class/data/nonce.class.php
>>>> plog/trunk/class/data/validator/noncevalidator.class.php
>>>> Modified:
>>>> plog/trunk/class/action/admin/adminaction.class.php
>>>> plog/trunk/class/action/admin/admindeletepostaction.class.php
>>>> plog/trunk/templates/admin/editposts.template
>>>> Log:
>>>> First PoC implementation for CSRF protection:
>>>> - nonce.class.php does nothing but generate nonces. Note: the
>>>> randomizer is quite simple, but I'm not sure if there is a need for
>>>> some more complex (and time-consuming) nonce generation.
>>>>
>>>> - noncevalidator compares the nonce in the request with the nonce in
>>>> the session
>>>>
>>>> - adminaction stores a new nonce in the user's session each time the
>>>> method setCommonData is called (this deletes any previously set
>>>> nonces after validation)
>>>>
>>>> Limitations:
>>>> - it doesn't work with JavaScript enabled ATM.
>>>> - it doesn't work with GET requests (i.e. clicks on the
>>>> delete icons)
>>>> - only works on the deletepostaction
>>>>
>>>>
>>>>
>>>> Modified: plog/trunk/class/action/admin/adminaction.class.php
>>>> ===================================================================
>>>> --- plog/trunk/class/action/admin/adminaction.class.php
>> 2007-11-27
>>>> 20:56:55 UTC (rev 6082)
>>>> +++ plog/trunk/class/action/admin/adminaction.class.php
>> 2007-11-27
>>>> 21:05:57 UTC (rev 6083)
>>>> @@ -1,7 +1,8 @@
>>>> <?php
>>>>
>>>> lt_include( PLOG_CLASS_PATH."class/dao/blogstatus.class.php" );
>>>> -
>>>> + lt_include( PLOG_CLASS_PATH."class/data/nonce.class.php" );
>>>> +
>>>> /**
>>>> * @see AdminAction::requirePermission()
>>>> */
>>>> @@ -34,6 +35,7 @@
>>>> var $_pm;
>>>> var $_userBlogs;
>>>> var $_permissions;
>>>> + var $_nonce;
>>>>
>>>> /**
>>>> * Constructor.
>>>> @@ -167,6 +169,14 @@
>>>> $this->_view->setValue( "op", $this->_actionInfo-
>>>>> _actionParamValue );
>>>> $this->_view->setValue( "locale",
>> $this->_locale );
>>>> $this->_view->setValue( "config",
>> $this->_config );
>>>> +
>>>> +
>>>> + //let's create a nonce to protect against CSRF
>>>> + $nonce = new Nonce();
>>>> + $this->_nonce = $nonce->getNonce();
>>>> + $this->_session->setValue('nonce',$this->_nonce);
>>>> +
>>>> + $this->_view->setValue( "nonce",
>> $this->_nonce );
>>>> }
>>>>
>>>> /**
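Review bot: writing a fresh nonce to the single session key `nonce` on every call to setCommonData means any admin page rendered after the posts list (a second tab, a page preview, or the same action's own view being set up before validation runs) overwrites the value the pending delete form still carries, and the submit then fails as a false CSRF error. Key the stored value by action (e.g. `$this->_session->setValue('nonce_deletePosts', $this->_nonce);`) or keep a short list of recently issued values, and confirm in AdminDeletePostAction that the validator runs before setCommonData rotates the key.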
>>>> @@ -338,4 +348,4 @@
>>>> return( $view );
>>>> }
>>>> }
>>>> -?>
>>>> \ No newline at end of file
>>>> +?>
>>>>
>>>> Modified: plog/trunk/class/action/admin/
>>>> admindeletepostaction.class.php
>>>> ===================================================================
>>>> ---
>> plog/trunk/class/action/admin/admindeletepostaction.class.php
>>>> 2007-11-27 20:56:55 UTC (rev 6082)
>>>> +++
>> plog/trunk/class/action/admin/admindeletepostaction.class.php
>>>> 2007-11-27 21:05:57 UTC (rev 6083)
>>>> @@ -26,6 +26,8 @@
>>>> else
>>>> $this->registerFieldValidator(
>> "postIds", new ArrayValidator( new
>>>> IntegerValidator()));
>>>>
>>>> + $this->registerFieldValidator( "nonce", new
>>>> NonceValidator() );
>>>> +
>>>> $view = new AdminPostsListView(
>> $this->_blogInfo );
>>>> $view->setErrorMessage( $this->_locale-
>>>>> tr("error_incorrect_article_id"));
>>>> $this->setValidationErrorView( $view );
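Review bot: registering `NonceValidator` on the `nonce` field makes the per-row delete icons, which are GET links carrying no nonce, fail validation (the log entry lists this as a limitation); until those links are moved into the POST form they should be handled deliberately rather than silently rejected. Also, a missing or stale nonce now surfaces as `error_incorrect_article_id`, which misleads the user about what went wrong; give the nonce failure its own error message in the view.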
>>>> @@ -33,6 +35,18 @@
>>>> $this->requirePermission( "update_post" );
>>>> }
>>>>
>>>> + /**
>>>> + *
>>>> + */
>>>> + /*function validate()
>>>> + {
>>>> + $nonceValidator = new NonceValidator();
>>>> +
>>>> + if( !$nonceValidator->validate( $this->_request-
>>>>> getValue( "nonce" ) ) )
>>>> + return false;
>>>> + }*/
>>>> +
>>>> +
>>>> /**
>>>> * Carries out the specified action
>>>> */
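Review bot: the commented-out `validate()` block is dead code and should be removed before this leaves the branch. If it is kept as a sketch, note that it only ever returns false and falls off the end without `return true;`, so as written it would never let a valid request through.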
>>>> @@ -133,4 +147,4 @@
>>>> return true;
>>>> }
>>>> }
>>>> -?>
>>>> \ No newline at end of file
>>>> +?>
>>>>
>>>> Added: plog/trunk/class/data/nonce.class.php
>>>> ===================================================================
>>>> --- plog/trunk/class/data/nonce.class.php
>>
>>>> (rev 0)
>>>> +++ plog/trunk/class/data/nonce.class.php 2007-11-27
>> 21:05:57 UTC
>>>> (rev 6083)
>>>> @@ -0,0 +1,42 @@
>>>> +<?php
>>>> + /**
>>>> + * \ingroup Data
>>>> + *
>>>> + * Class to generate random nonces to protect from CSRF attacks.
>>>> + *
>>>> + */
>>>> + class Nonce
>>>> + {
>>>> + var $_nonce = '';
>>>> +
>>>> + /**
>>>> + * Constructor.
>>>> + */
>>>> + function Nonce()
>>>> + {
>>>> + $this->_nonce = $this->create();
>>>> +
>>>> + }
>>>> +
>>>> +
>>>> + /**
>>>> + * generates a new nonce
>>>> + *
>>>> + * @return a reasonably enough random string
>>>> + */
>>>> + function create()
>>>> + {
>>>> +
>>>> + $nonce = md5(time().rand(1000,9999));
>>>> + return( $nonce );
>>>> +
>>>> + }
>>>> +
>>>> + function getNonce()
>>>> + {
>>>> + return $this->_nonce;
>>>> + }
>>>> +
>>>> +
>>>> + }
>>>> +?>
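Review bot: `md5(time().rand(1000,9999))` is predictable: `time()` is public knowledge and `rand(1000,9999)` leaves only 9000 candidates per second, and the md5 adds no entropy. Build the nonce from a proper random source (several `mt_rand()` calls or the OS random device, hashed together) so it cannot be guessed, and fix the doc comment to `@return string a sufficiently random nonce`. The class also never invalidates a nonce; consider pairing `create()` with a method that clears the stored value once it has been checked.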
>>>>
>>>> Added: plog/trunk/class/data/validator/noncevalidator.class.php
>>>> ===================================================================
>>>> --- plog/trunk/class/data/validator/
>>>> noncevalidator.class.php (rev 0)
>>>> +++
>> plog/trunk/class/data/validator/noncevalidator.class.php
>>>> 2007-11-27 21:05:57 UTC (rev 6083)
>>>> @@ -0,0 +1,41 @@
>>>> +<?php
>>>> +
>>>> +
>>>> +
>>>> + /**
>>>> + * \ingroup Validator
>>>> + *
>>>> + * Validates nonces protecting sensitive actions from CSRF:
>>>> + *
>>>> + *
>>>> + */
>>>> + class NonceValidator extends Validator
>>>> + {
>>>> + function NonceValidator()
>>>> + {
>>>> + $this->Validator();
>>>> + }
>>>> +
>>>> +
>>>> + function validate($requestNonce)
>>>> + {
>>>> + $log = LoggerManager::getLogger( "debug" );
>>>> +
>>>> + // get the session nonce
>>>> + $session = HttpVars::getSession();
>>>> + $this->_session = $session["SessionInfo"];
>>>> + $sessionNonce = $this->_session->getValue('nonce');
>>>> +
>>>> + $log->info('request: '. $requestNonce);
>>>> + $log->info('session: '. $sessionNonce);
>>>> +
>>>> + if ($requestNonce === $sessionNonce) {
>>>> + return true;
>>>> + }
>>>> + else {
>>>> + return false;
>>>> + }
>>>> +
>>>> + }
>>>> + }
>>>> +?>
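Review bot: the two `$log->info()` calls write both the request and the session nonce to the debug log, so the secret ends up on disk; drop them before merge. The validator also leaves the session nonce in place after a successful comparison, so the same value is accepted again until setCommonData happens to rotate it; clear it on success (for example `$this->_session->setValue('nonce', '');`) to make the token single-use. Finally, the `if/else` can collapse to `return ($requestNonce === $sessionNonce);`.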
>>>>
>>>> Modified: plog/trunk/templates/admin/editposts.template
>>>> ===================================================================
>>>> --- plog/trunk/templates/admin/editposts.template 2007-11-27
>>>> 20:56:55 UTC (rev 6082)
>>>> +++ plog/trunk/templates/admin/editposts.template 2007-11-27
>>>> 21:05:57 UTC (rev 6083)
>>>> @@ -120,6 +120,7 @@
>>>> <a name="bulkEdit"></a>
>>>> <div id="list_action_bar">
>>>> {check_perms perm=update_post}
>>>> + <input type="hidden" name="nonce" value="{$nonce}" />
>>>> <input type="submit" name="delete" value="{$locale-
>>>>> tr("delete")}" class="submit" />
>>>> <input type="hidden" name="op" value="deletePosts" />
>>>> {/check_perms}
>>>>
>>>> _______________________________________________
>>>> pLog-svn mailing list
>>>> pLog-svn at devel.lifetype.net
>>>> http://limedaley.com/mailman/listinfo/plog-svn
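As an added example that is not part of this thread or of LifeType's code, the following standalone PHP shows the shape the commit's nonce scheme needs to reach: a nonce from the OS random source, stored per action rather than under one session key, checked in constant time, and discarded after a single use so a replayed or missing value (such as a GET delete link) is rejected. It assumes modern PHP (random_bytes, hash_equals) and uses a plain array in place of the session store.

```php
<?php
// Added example (not LifeType code): session-bound, single-use CSRF nonce
// keyed by action name. $session stands in for the server-side session.

function issue_nonce(array &$session, string $action): string
{
    // 128 bits from the OS CSPRNG rather than md5(time().rand(1000,9999)),
    // which yields at most 9000 distinct values within any one second.
    $nonce = bin2hex(random_bytes(16));
    // One slot per action, so rendering another admin page does not
    // overwrite the value a pending delete form still carries.
    $session['nonce'][$action] = ['value' => $nonce, 'issued' => time()];
    return $nonce;
}

function consume_nonce(array &$session, string $action, ?string $submitted, int $ttl = 1800): bool
{
    $entry = $session['nonce'][$action] ?? null;
    if ($entry === null || !is_string($submitted)) {
        return false;               // no nonce issued, or none submitted (GET link)
    }
    // Single use: remove the stored value before comparing, so a replay
    // of the same token fails even if this request fails later on.
    unset($session['nonce'][$action]);
    if (time() - $entry['issued'] > $ttl) {
        return false;               // stale form
    }
    // Constant-time comparison avoids leaking the token via timing.
    return hash_equals($entry['value'], $submitted);
}

// Constructed demonstration of the three cases the validator must handle.
$session = [];
$token = issue_nonce($session, 'deletePosts');
$fresh    = consume_nonce($session, 'deletePosts', $token); // valid submit
$replayed = consume_nonce($session, 'deletePosts', $token); // same token again
$missing  = consume_nonce($session, 'deletePosts', null);   // GET delete icon
var_dump($fresh, $replayed, $missing);
```

Only the first call succeeds; the replay and the nonce-less request are both refused.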