[pLog-svn] r7011 - in plugins/branches/lifetype-1.2/csrf: . class class/dao class/security
jondaley at devel.lifetype.net
jondaley at devel.lifetype.net
Sat Jul 31 02:05:12 EDT 2010
Author: jondaley
Date: 2010-07-31 02:05:10 -0400 (Sat, 31 Jul 2010)
New Revision: 7011
Added:
plugins/branches/lifetype-1.2/csrf/class/dao/
plugins/branches/lifetype-1.2/csrf/class/dao/csrfurls.class.php
Modified:
plugins/branches/lifetype-1.2/csrf/class/security/csrffilter.class.php
plugins/branches/lifetype-1.2/csrf/plugincsrf.class.php
Log:
now just protect the ops that we care about. Then we can be a little looser about checking for an <a href...>, though if someone wants to write a post about the new cool CSRF protector, we'll need to be more careful. Any ideas?
Added: plugins/branches/lifetype-1.2/csrf/class/dao/csrfurls.class.php
===================================================================
--- plugins/branches/lifetype-1.2/csrf/class/dao/csrfurls.class.php (rev 0)
+++ plugins/branches/lifetype-1.2/csrf/class/dao/csrfurls.class.php 2010-07-31 06:05:10 UTC (rev 7011)
@@ -0,0 +1,116 @@
+<?php
+
+class CsrfUrls{
+ // Two modes of operation:
+ // 1. Takes in an Op and returns whether it should be protected (true) or not (false)
+ // 2. Called without an op, returns entire array of protected URLs
+ function getProtectedOps($op=""){
+ $protected = array(
+ "previewPost",
+ "addPost",
+ "addArticleCategory",
+ "addArticleCategoryAjax",
+ "updateBlogSettings",
+ "deletePost",
+ "deletePosts",
+ "changePostsStatus",
+ "changePostsCategory",
+ "addLinkCategory",
+ "addLink",
+ "updatePost",
+ "deleteArticleCategory",
+ "deleteArticleCategories",
+ "editArticleCategory",
+ "updateArticleCategory",
+ "deleteLink",
+ "deleteLinks",
+ "changeLinksCategory",
+ "deleteLinkCategory",
+ "deleteLinkCategories",
+ "updateLink",
+ "updateLinkCategory",
+ "deleteComment",
+ "deleteComments",
+ "changeCommentsStatus",
+ "updateUserSettings",
+ "sendTrackbacks",
+ "deleteUsers",
+ "deleteUser",
+ "updateGlobalSettings",
+ "updateUserProfile",
+ "addUser",
+ "addBlog",
+ "updateEditBlog",
+ "updateBlogUsers",
+ "addBlogUser",
+ "deleteBlogUserPermissions",
+ "deleteBlogUsersPermissions",
+ "deleteLocales",
+ "deleteLocale",
+ "uploadLocale",
+ "scanLocales",
+ "deleteTemplates",
+ "deleteTemplate",
+ "addTemplateUpload",
+ "scanTemplates",
+ "addBlogTemplate",
+ "scanBlogTemplates",
+ "deleteBlogTemplate",
+ "deleteBlogTemplates",
+ "deleteBlogs",
+ "deleteBlog",
+ "purgePosts",
+ "addResourceAlbum",
+ "addResource",
+ "updateResource",
+ "deleteResource",
+ "updateResourceAlbum",
+ "deleteResourceAlbum",
+ "deleteResourceItems",
+ "changeGalleryItemsAlbum",
+ "markComment",
+ "markTrackback",
+ "purgeSpamComments",
+ "regeneratePreview",
+ "addCustomField",
+ "deleteCustomFields",
+ "deleteCustomField",
+ "updateCustomField",
+ "saveDraftArticleAjax",
+ "deleteTrackback",
+ "deleteTrackbacks",
+ "changeTrackbacksStatus",
+ "deleteReferrer",
+ "deleteReferrers",
+ "deleteArticleReferrer",
+ "deleteArticleReferrers",
+ "doCleanUp",
+ "purgeUsers",
+ "purgeBlogs",
+ "finishRegisterBlog",
+ "addBlogCategory",
+ "deleteBlogCategory",
+ "deleteBlogCategories",
+ "addGlobalArticleCategory",
+ "deleteGlobalArticleCategory",
+ "deleteGlobalArticleCategories",
+ "updateGlobalArticleCategory",
+ "resendConfirmation",
+ "adminBlogSelect",
+ "updateBlogCategory",
+ "deletePermission",
+ "deletePermissions",
+ "updatePermission",
+ "updatePermission",
+ "addPermission",
+ "updateBlogUser",
+ "updatePluginSettings",
+ "changeBlogStatus",
+ "changeUserStatus",
+ );
+ if($op)
+ return in_array($op, $protected);
+ else
+ return $protected;
+ }
+}
\ No newline at end of file
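Review bot: getProtectedOps is declared as an instance method while both callers in this commit invoke it statically as `CsrfUrls::getProtectedOps(...)`, and the truthiness test `if($op)` makes an op of `"0"` (or any other falsy value) return the whole list instead of a bool, so a caller's `!` check then reads it as "protected". Declare it `static function getProtectedOps($op="")`, test `if($op !== "")`, and use strict membership `return in_array($op, $protected, true);` so no loose comparison is involved. The list also contains `"updatePermission"` twice (the second copy can go), and since this class is the single source of truth for a block-list — any admin op not named here is passed through by the filter unchecked — a header comment stating that every new state-changing op must be added here would help the next maintainer.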
Modified: plugins/branches/lifetype-1.2/csrf/class/security/csrffilter.class.php
===================================================================
--- plugins/branches/lifetype-1.2/csrf/class/security/csrffilter.class.php 2010-07-31 05:46:51 UTC (rev 7010)
+++ plugins/branches/lifetype-1.2/csrf/class/security/csrffilter.class.php 2010-07-31 06:05:10 UTC (rev 7011)
@@ -9,131 +9,18 @@
function filter(){
$request = $this->_pipelineRequest->getHttpRequest();
- $token = $request->getValue(CSRF_TOKEN_NAME);
$op = $request->getValue("op");
-
- // Allow logouts to go through without CSRF protection
- /* if(($op == "Logout") ||
- ($op == "blogSelect" && $request->getValue("action") == "Logout"))
- {
- return new PipelineResult();
- }*/
- // Explicitly block those operations we care about and allow
- // all others through.
- switch($op){
- case "previewPost":
- case "addPost":
- case "addArticleCategory":
- case "addArticleCategoryAjax":
- case "updateBlogSettings":
- case "deletePost":
- case "deletePosts":
- case "changePostsStatus":
- case "changePostsCategory":
- case "addLinkCategory":
- case "addLink":
- case "updatePost":
- case "deleteArticleCategory":
- case "deleteArticleCategories":
- case "editArticleCategory":
- case "updateArticleCategory":
- case "deleteLink":
- case "deleteLinks":
- case "changeLinksCategory":
- case "deleteLinkCategory":
- case "deleteLinkCategories":
- case "updateLink":
- case "updateLinkCategory":
- case "deleteComment":
- case "deleteComments":
- case "changeCommentsStatus":
- case "updateUserSettings":
- case "sendTrackbacks":
- case "deleteUsers":
- case "deleteUser":
- case "updateGlobalSettings":
- case "updateUserProfile":
- case "addUser":
- case "addBlog":
- case "updateEditBlog":
- case "updateBlogUsers":
- case "addBlogUser":
- case "deleteBlogUserPermissions":
- case "deleteBlogUsersPermissions":
- case "deleteLocales":
- case "deleteLocale":
- case "uploadLocale":
- case "scanLocales":
- case "deleteTemplates":
- case "deleteTemplate":
- case "addTemplateUpload":
- case "scanTemplates":
- case "addBlogTemplate":
- case "scanBlogTemplates":
- case "deleteBlogTemplate":
- case "deleteBlogTemplates":
- case "deleteBlogs":
- case "deleteBlog":
- case "purgePosts":
- case "addResourceAlbum":
- case "addResource":
- case "updateResource":
- case "deleteResource":
- case "updateResourceAlbum":
- case "deleteResourceAlbum":
- case "deleteResourceItems":
- case "changeGalleryItemsAlbum":
- case "markComment":
- case "markTrackback":
- case "purgeSpamComments":
- case "regeneratePreview":
- case "addCustomField":
- case "deleteCustomFields":
- case "deleteCustomField":
- case "updateCustomField":
- case "saveDraftArticleAjax":
- case "deleteTrackback":
- case "deleteTrackbacks":
- case "changeTrackbacksStatus":
- case "deleteReferrer":
- case "deleteReferrers":
- case "deleteArticleReferrer":
- case "deleteArticleReferrers":
- case "doCleanUp":
- case "purgeUsers":
- case "purgeBlogs":
- case "finishRegisterBlog":
- case "addBlogCategory":
- case "deleteBlogCategory":
- case "deleteBlogCategories":
- case "addGlobalArticleCategory":
- case "deleteGlobalArticleCategory":
- case "deleteGlobalArticleCategories":
- case "updateGlobalArticleCategory":
- case "resendConfirmation":
- case "adminBlogSelect":
- case "updateBlogCategory":
- case "deletePermission":
- case "deletePermissions":
- case "updatePermission":
- case "updatePermission":
- case "addPermission":
- case "updateBlogUser":
- case "updatePluginSettings":
- case "changeBlogStatus":
- case "changeUserStatus":
- // Interesting operations, whether by GET or POST
- break;
- default:
- // don't care about the rest
+ // Check if this operation needs to be blocked
+ lt_include(PLOG_CLASS_PATH."plugins/csrf/class/dao/csrfurls.class.php");
+ if(!CsrfUrls::getProtectedOps($op))
return new PipelineResult();
- }
// Get our token from the session
$session = HttpVars::getSession();
$sessioninfo = $session["SessionInfo"];
$saved_token = $sessioninfo->getValue(CSRF_TOKEN_NAME);
+ $token = $request->getValue(CSRF_TOKEN_NAME);
if(!empty($saved_token) && $token == $saved_token){
// it's not empty and it matches, yay.
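Review bot: The new check at `if(!CsrfUrls::getProtectedOps($op))` inverts the old default for requests that carry no `op`: `getProtectedOps("")` returns the full array (truthy), so the negation is false and such a request falls through to the token comparison, whereas the removed switch let it through via `default`; presumably the rest of filter() rejects a missing token, which would break op-less admin requests. Guard the empty case explicitly, e.g. `if($op == "" || !CsrfUrls::getProtectedOps($op))`, or make getProtectedOps return a bool for every argument. The comparison on the following context line, `$token == $saved_token`, now receives the freshly read `$token` from the new assignment; `===` there avoids PHP's numeric-string juggling (`"1e3" == "1000"` is true) on a value that comes straight from the request. filter() continues past the end of this hunk.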
Modified: plugins/branches/lifetype-1.2/csrf/plugincsrf.class.php
===================================================================
--- plugins/branches/lifetype-1.2/csrf/plugincsrf.class.php 2010-07-31 05:46:51 UTC (rev 7010)
+++ plugins/branches/lifetype-1.2/csrf/plugincsrf.class.php 2010-07-31 06:05:10 UTC (rev 7011)
@@ -29,10 +29,16 @@
switch($eventType){
case EVENT_PROCESS_BLOG_ADMIN_TEMPLATE_OUTPUT:
+ lt_include(PLOG_CLASS_PATH."plugins/csrf/class/dao/csrfurls.class.php");
+
// Handle all GET/links
// TODO: don't modify any links that are going outside the domain
// TODO: only modify links that we explicitly care about?
- $params['content'] = preg_replace('/(<a[^>]+op=[a-zA-Z]+)/i', '$1' .
+ $protectedOps = CsrfUrls::getProtectedOps();
+ foreach($protectedOps as $key => $op){
+ $protectedOps[$key] = "/(op=$op)/";
+ }
+ $params['content'] = preg_replace($protectedOps, '$1' .
'&'.CSRF_TOKEN_NAME.'='.
$sessioninfo->getValue(CSRF_TOKEN_NAME),
$params['content']);
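Review bot: The patterns built at `$protectedOps[$key] = "/(op=$op)/";` are not terminated after the op name, so a shorter op rewrites the links of a longer one sharing its prefix: the list orders `deletePost` before `deletePosts` (likewise `deleteLink`/`deleteLinks`, `deleteUser`/`deleteUsers`, `deleteBlog`/`deleteBlogs`), and preg_replace applies the pattern array in order, so `op=deletePosts` becomes `op=deletePost&<CSRF_TOKEN_NAME>=<token>s` — the op changes and the trailing `s` is glued onto the token. Ending the match on a word boundary fixes it: `$protectedOps[$key] = '/(op=' . preg_quote($op, '/') . ')\b/';`. Dropping the former `<a[^>]+` prefix also means the replacement now fires on any `op=<name>` text in the page, not only inside anchor tags; the commit log acknowledges this, but a comment beside the loop stating that assumption would help whoever revisits the TODOs above it. The enclosing case branch continues past the end of the hunk.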