Congegni/sintonia
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fixed CSRF prevention checks for REST calls, moved CSRF initialization to Bootstrap

Browse source
This commit is contained in:
Duncan Sommerville 2015-02-20 13:12:49 -05:00
parent 0177e40083
commit be7cae4408
4 changed files with 33 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

3
airtime_mvc/application/controllers/LoginController.php
View file

@ -98,6 +98,9 @@ class LoginController extends Zend_Controller_Action
{
$auth = Zend_Auth::getInstance();
$auth->clearIdentity();
// Unset all session variables relating to CSRF prevention on logout
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
$csrf_namespace->unsetAll();
$this->_redirect('showbuilder/index');
}

5
airtime_mvc/application/controllers/PluploadController.php
View file

@ -32,8 +32,9 @@ class PluploadController extends Zend_Controller_Action
}
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
$csrf_namespace->setExpirationSeconds(5*60*60);
$csrf_namespace->authtoken = sha1(uniqid(rand(),1));
/* Moved to be globally set in Bootstrap */
// $csrf_namespace->setExpirationSeconds(5*60*60);
// $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
$csrf_element = new Zend_Form_Element_Hidden('csrf');
$csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');

19
airtime_mvc/application/controllers/plugins/Acl_plugin.php
View file

@ -148,17 +148,22 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
}
}
} else { //We have a session/identity.
// If we have an identity and we're making a RESTful request,
// we need to check the CSRF token
if ($request->_action != "get" && $request->getModuleName() == "rest") {
$tokenValid = $this->verifyCSRFToken($request->getParam("csrf_token"));
if ($_SERVER['REQUEST_METHOD'] != "GET" && $request->getModuleName() == "rest") {
$token = $request->getParam("csrf_token");
$tokenValid = $this->verifyCSRFToken($token);
if (!$tokenValid) {
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
$csrf_namespace->authtoken = sha1(uniqid(rand(),1));
Logging::warn("Invalid CSRF token: $token");
$this->getResponse()
->setHttpResponseCode(401)
->appendBody("ERROR: CSRF token mismatch.");
return;
->appendBody("ERROR: CSRF token mismatch.")
->sendResponse();
die();
}
}
@ -202,9 +207,7 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
$current_namespace = new Zend_Session_Namespace('csrf_namespace');
$observed_csrf_token = $token;
$expected_csrf_token = $current_namespace->authtoken;
Logging::error("Observed: " . $observed_csrf_token);
Logging::error("Expected: " . $expected_csrf_token);
return ($observed_csrf_token == $expected_csrf_token);
}