[pLog-svn] r6086 - in plog/branches/lifetype-2.0-csrf: class/action/admin class/data class/data/validator templates/admin
mark at devel.lifetype.net
mark at devel.lifetype.net
Wed Nov 28 14:35:13 EST 2007
Author: mark
Date: 2007-11-28 14:35:13 -0500 (Wed, 28 Nov 2007)
New Revision: 6086
Added:
plog/branches/lifetype-2.0-csrf/class/data/nonce.class.php
plog/branches/lifetype-2.0-csrf/class/data/validator/noncevalidator.class.php
Modified:
plog/branches/lifetype-2.0-csrf/class/action/admin/adminaction.class.php
plog/branches/lifetype-2.0-csrf/class/action/admin/admindeletepostaction.class.php
plog/branches/lifetype-2.0-csrf/templates/admin/editposts.template
Log:
Re-commit reto's 6083 commit.
----
First PoC implementation for CSRF protection:
- nonce.class.php does nothing but generate nonces. Note: the randomizer is quite simple, but I'm not sure whether there is a need for a more complex (and time-consuming) nonce generation.
- noncevalidator compares the nonce in the request with the nonce in the session
- adminaction stores a new nonce to the users session each time the method setCommonData is called (this deletes any previously set nonces after validation)
limitations:
- it doesn't work with javascript enabled ATM.
- it doesn't work with GET requests (i.e. klicks on the delete icons)
- only works on the deletepostaction
Modified: plog/branches/lifetype-2.0-csrf/class/action/admin/adminaction.class.php
===================================================================
--- plog/branches/lifetype-2.0-csrf/class/action/admin/adminaction.class.php 2007-11-28 19:32:02 UTC (rev 6085)
+++ plog/branches/lifetype-2.0-csrf/class/action/admin/adminaction.class.php 2007-11-28 19:35:13 UTC (rev 6086)
@@ -1,7 +1,8 @@
<?php
lt_include( PLOG_CLASS_PATH."class/dao/blogstatus.class.php" );
-
+ lt_include( PLOG_CLASS_PATH."class/data/nonce.class.php" );
+
/**
* @see AdminAction::requirePermission()
*/
@@ -34,6 +35,7 @@
var $_pm;
var $_userBlogs;
var $_permissions;
+ var $_nonce;
/**
* Constructor.
@@ -167,6 +169,14 @@
$this->_view->setValue( "op", $this->_actionInfo->_actionParamValue );
$this->_view->setValue( "locale", $this->_locale );
$this->_view->setValue( "config", $this->_config );
+
+
+ //let's create a nonce to protect against CSRF
+ $nonce = new Nonce();
+ $this->_nonce = $nonce->getNonce();
+ $this->_session->setValue('nonce',$this->_nonce);
+
+ $this->_view->setValue( "nonce", $this->_nonce );
}
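Review bot: Every call to setCommonData() overwrites the single session key `'nonce'`, so the token embedded in any previously rendered admin page becomes invalid the moment another admin page is rendered, including in a second browser tab; a legitimate bulk delete submitted from the older tab will then be rejected as a validation error. The commit message presents this rotation as intended, but the trade-off is not visible at the write site, so document it there: `// Single session-wide nonce: rendering any admin page rotates it, so forms already open in other tabs become stale.` If that behaviour is not acceptable, keep a small bounded list of recent nonces in the session and let NonceValidator accept any of them. setCommonData() starts before this hunk.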
/**
@@ -338,4 +348,4 @@
return( $view );
}
}
-?>
\ No newline at end of file
+?>
Modified: plog/branches/lifetype-2.0-csrf/class/action/admin/admindeletepostaction.class.php
===================================================================
--- plog/branches/lifetype-2.0-csrf/class/action/admin/admindeletepostaction.class.php 2007-11-28 19:32:02 UTC (rev 6085)
+++ plog/branches/lifetype-2.0-csrf/class/action/admin/admindeletepostaction.class.php 2007-11-28 19:35:13 UTC (rev 6086)
@@ -26,6 +26,8 @@
else
$this->registerFieldValidator( "postIds", new ArrayValidator( new IntegerValidator()));
+ $this->registerFieldValidator( "nonce", new NonceValidator() );
+
$view = new AdminPostsListView( $this->_blogInfo );
$view->setErrorMessage( $this->_locale->tr("error_incorrect_article_id"));
$this->setValidationErrorView( $view );
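Review bot: A failed NonceValidator check is routed through the same validation-error view as a bad post id, so a missing or stale CSRF token is reported to the user as "error_incorrect_article_id", which hides what actually went wrong and makes the protection hard to diagnose. Give the nonce its own message, for example by checking the nonce before the id validators and setting a dedicated locale string such as `error_invalid_nonce` on the view in that branch, or at least broaden the message to cover both cases. Separately, nothing in this diff lt_include()s noncevalidator.class.php; if validator classes are not autoloaded elsewhere, `new NonceValidator()` will fail at runtime. The constructor starts before this hunk.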
@@ -33,6 +35,18 @@
$this->requirePermission( "update_post" );
}
+ /**
+ *
+ */
+ /*function validate()
+ {
+ $nonceValidator = new NonceValidator();
+
+ if( !$nonceValidator->validate( $this->_request->getValue( "nonce" ) ) )
+ return false;
+ }*/
+
+
/**
* Carries out the specified action
*/
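Review bot: The commented-out validate() method is dead code: the nonce check is already wired in through registerFieldValidator() in the constructor, and a block comment duplicating that logic will drift the moment the validator changes. Delete the whole commented block; if the intent was to keep a manual validation path in mind as a fallback, a single line such as `// Nonce validation is handled by the NonceValidator registered in the constructor.` says that without carrying stale code.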
@@ -133,4 +147,4 @@
return true;
}
}
-?>
\ No newline at end of file
+?>
Copied: plog/branches/lifetype-2.0-csrf/class/data/nonce.class.php (from rev 6083, plog/trunk/class/data/nonce.class.php)
===================================================================
--- plog/branches/lifetype-2.0-csrf/class/data/nonce.class.php (rev 0)
+++ plog/branches/lifetype-2.0-csrf/class/data/nonce.class.php 2007-11-28 19:35:13 UTC (rev 6086)
@@ -0,0 +1,42 @@
+<?php
+ /**
+ * \ingroup Data
+ *
+ * Class to generate random nonces to protect from CSRF attacks.
+ *
+ */
+ class Nonce
+ {
+ var $_nonce = '';
+
+ /**
+ * Constructor.
+ */
+ function Nonce()
+ {
+ $this->_nonce = $this->create();
+
+ }
+
+
+ /**
+ * generates a new nonce
+ *
+ * @return a reasonably enough random string
+ */
+ function create()
+ {
+
+ $nonce = md5(time().rand(1000,9999));
+ return( $nonce );
+
+ }
+
+ function getNonce()
+ {
+ return $this->_nonce;
+ }
+
+
+ }
+?>
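Review bot: The token produced by create() is `md5(time().rand(1000,9999))`, which has at most 10,000 distinct values for any given second; an attacker who can estimate the server clock (it is sent in every HTTP Date header) can enumerate every candidate in a single batch of forged requests, so the nonce adds almost no unpredictability, and md5 over a guessable input does not change that. Seed it from a real entropy source, e.g. `$nonce = function_exists('random_bytes') ? bin2hex(random_bytes(16)) : md5(uniqid(mt_rand(), true));` — the fallback is still not cryptographic, but it is far harder to guess than a four-digit rand(). Whichever form is kept, the docblock claim "a reasonably enough random string" should state what the source of randomness actually is.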
Copied: plog/branches/lifetype-2.0-csrf/class/data/validator/noncevalidator.class.php (from rev 6083, plog/trunk/class/data/validator/noncevalidator.class.php)
===================================================================
--- plog/branches/lifetype-2.0-csrf/class/data/validator/noncevalidator.class.php (rev 0)
+++ plog/branches/lifetype-2.0-csrf/class/data/validator/noncevalidator.class.php 2007-11-28 19:35:13 UTC (rev 6086)
@@ -0,0 +1,41 @@
+<?php
+
+
+
+ /**
+ * \ingroup Validator
+ *
+ * Validates nonces protecting sensitive actions from CSRF:
+ *
+ *
+ */
+ class NonceValidator extends Validator
+ {
+ function NonceValidator()
+ {
+ $this->Validator();
+ }
+
+
+ function validate($requestNonce)
+ {
+ $log = LoggerManager::getLogger( "debug" );
+
+ // get the session nonce
+ $session = HttpVars::getSession();
+ $this->_session = $session["SessionInfo"];
+ $sessionNonce = $this->_session->getValue('nonce');
+
+ $log->info('request: '. $requestNonce);
+ $log->info('session: '. $sessionNonce);
+
+ if ($requestNonce === $sessionNonce) {
+ return true;
+ }
+ else {
+ return false;
+ }
+
+ }
+ }
+?>
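Review bot: validate() returns true whenever the request nonce and the session nonce are identical, and that includes the case where both are absent: if a session has never had a nonce written (getValue() presumably returns null or an empty string for a missing key) and the request simply omits the field, the strict comparison of two empty values succeeds and the delete proceeds with no token at all. Reject empty or non-string values before comparing: `if (!is_string($requestNonce) || $requestNonce === '' || !is_string($sessionNonce) || $sessionNonce === '') return false;` followed by `return $requestNonce === $sessionNonce;` (or `hash_equals()` where the PHP version provides it). The two `$log->info()` calls also write the live token to the debug log, which is an unnecessary secret leak; log only whether the comparison matched.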
Modified: plog/branches/lifetype-2.0-csrf/templates/admin/editposts.template
===================================================================
--- plog/branches/lifetype-2.0-csrf/templates/admin/editposts.template 2007-11-28 19:32:02 UTC (rev 6085)
+++ plog/branches/lifetype-2.0-csrf/templates/admin/editposts.template 2007-11-28 19:35:13 UTC (rev 6086)
@@ -120,6 +120,7 @@
<a name="bulkEdit"></a>
<div id="list_action_bar">
{check_perms perm=update_post}
+ <input type="hidden" name="nonce" value="{$nonce}" />
<input type="submit" name="delete" value="{$locale->tr("delete")}" class="submit" />
<input type="hidden" name="op" value="deletePosts" />
{/check_perms}
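Review bot: The hidden field emits `{$nonce}` into an attribute without escaping; the value is a hex digest today, but the template does not control that, and the same variable is set on every admin view by setCommonData(), so a later change to the generator or a template that reuses the name would place raw data inside the attribute. If the engine is Smarty, as the `{$locale->tr(...)}` syntax suggests, `<input type="hidden" name="nonce" value="{$nonce|escape}" />` costs nothing and closes that door. The enclosing form tag is outside this hunk, so whether the field actually lands in the bulk-action form cannot be confirmed from here.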