Context Navigation

← Previous Changeset
Next Changeset →

Changeset 2288

Timestamp:

12/11/10 07:14:02 (18 months ago)

Author:

petsagouris

Message:

[Branch 1.5] Made crsf class into a single function. We need to see where to attach it now...

Location:

branches/1.5

Files:

: 2 modified

Hotaru.php (modified) (3 diffs)
libs/extensions/csrf/csrf_class.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

branches/1.5/Hotaru.php

r2287	r2288
103	103	$this->pageHandling = new PageHandling(); // instantiate PageHandling object
104	104
105		$this->csrf(~~'set'~~); // set a csrfToken
	105	$this->csrf(FALSE); // set a csrfToken
106	106	$this->db->setHotaru($this); // pass $h object to EzSQL for error reporting
107	107	}
…	…
147	147	$lang->writeLanguageCache($this);
148	148	$this->ob_flush();
149		~~exit;~~
150	149	}
151	150
…	…
1655	1654	* @return string $key (if using $type "fetch")
1656	1655	*/
1657		public function csrf($type = ~~'check'~~, $script = '', $life = 60)
	1656	public function csrf($type = TRUE, $script = '', $life = 60)
1658	1657	{
1659	1658	$csrf = new csrf();

branches/1.5/libs/extensions/csrf/csrf_class.php

r2153	r2288
10	10	* @todo make work on this class to eliminate the need for instancing it.
11	11	*/
12		class csrf {
13
14		/**
15		* Action page the script is good for
16		* @var string
17		*/
18		public $action = '';
19		/**
20		* Minutes for which key is good
21		* @var integer
22		*/
23		public $life = 0;
24		/**
25		* The database table
26		* @var string
27		*/
28		private $table = '';
29		/**
30		* Session ID of user
31		* @var string
32		*/
33		private $sid;
	12	class csrf
	13	{
34	14
35	15	/**
…	…
41	21	* @return boolean
42	22	*/
43		public function csrfInit($h, $~~type = 'check', $action = 'unspecified'~~, $life = 60)
	23	public function csrfInit($h, $check = TRUE, $action = FALSE, $life = 60)
44	24	{
45		$this->sid = preg_replace('/[^a-z0-9]+/i', '', session_id());
46		$this->action = ($action ) ? $action : $h->getPagename();
47		$this->table = DB_PREFIX.'tokens';
48		$this->life = $life;
	25	$sid = preg_replace('/[^a-z0-9]+/i', '', session_id());
	26	$action = ($action) ? $action : $h->getPageName();
	27	$result = FALSE;
49	28
50		if ($type == 'set') {
51		// set a new token
52		$h->csrfToken = $this->csrfkey($h);
53		} else {
54		// check existing token, then clear it
55		$result = $this->checkcsrf($h);
56		// set a new token
57		$h->csrfToken = $this->csrfkey($h);
58		// return result of check
59		return $result;
	29	if ($check) {
	30	// Remove expired keys
	31	$sql = "DELETE FROM ".TABLE_TOKENS." WHERE token_stamp < ".time();
	32	$h->db->query($sql);
	33
	34	// Check existing token, then clear it
	35
	36	// Try to get csrf token from POST
	37	$key = $h->cage->post->testAlnum('csrf');
	38	// Try to get csrf token from GET
	39	$key = ($key) ? $key : $h->cage->get->testAlnum('csrf');
	40
	41	if ($key) {
	42	// Make sure the key is good
	43	if ($key === preg_replace('/[^a-z0-9]+/', '', $key)) {
	44
	45	$sql = "SELECT token_sid FROM ".TABLE_TOKENS." WHERE token_sid = '".$sid."' AND token_key = '".$key."' AND token_action = '".$action."'";
	46	$results = $h->db->get_results($sql);
	47	if ($results) {
	48	foreach ($results as $row) {
	49	$valid = $row->token_sid;
	50	}
	51	}
	52
	53	if (isset($valid)) {
	54	//var_dump('nice token');
	55	$sql = "DELETE FROM ".TABLE_TOKENS." WHERE token_sid = '".$valid."' AND token_key = '".$key."'";
	56	$h->db->query($sql);
	57	$result = TRUE;
	58	}
	59	}
	60	}
60	61	}
	62
	63	// set a new token
	64	$key = md5(microtime().$sid.rand());
	65	$sql = "INSERT INTO ".TABLE_TOKENS." (token_sid, token_key, token_stamp, token_action) VALUES ('".$sid."', '".$key."', ".(time() + (60 * $life)).", '".$action."')";
	66	$h->db->query($sql);
	67	$h->csrfToken = $key;
	68
	69	// return result of check
	70	return $result;
61	71	}
62	72
63		/**
64		*
65		* @param <type> $h
66		* @return <type>
67		*/
68		~~public function csrfkey($h)~~
69		{
70		~~$key = md5(microtime().$this->sid.rand());~~
71		~~$stamp = time() + (60 * $this->life);~~
72		~~$sql = "INSERT INTO ".$this->table." (token_sid, token_key, token_stamp, token_action) VALUES (%s, %s, %d, %s)";~~
73		~~$h->db->query($h->db->prepare($sql, $this->sid, $key, $stamp, $this->action));~~
74
75		~~return $key;~~
76		}
77
78		~~private function checkcsrf($h)~~
79		{
80		~~$this->cleanOld($h);~~
81
82		~~// Try to get csrf token from POST~~
83		~~$key = $h->cage->post->testAlnum('csrf');~~
84
85		~~// Try to get csrf token from GET~~
86		~~if (!$key) {~~
87		~~$key = $h->cage->get->testAlnum('csrf');~~
88		}
89
90		~~if (!$key) {~~
91		~~return FALSE;~~
92		}
93
94		~~$cleanKey = preg_replace('/[^a-z0-9]+/', '', $key);~~
95		~~if (strcmp($key, $cleanKey) != 0) {~~
96		~~return FALSE;~~
97		}
98
99		~~$sql = "SELECT token_sid FROM ".$this->table." WHERE token_sid = %s AND token_key = %s AND token_action = %s";~~
100		~~$results = $h->db->get_results($h->db->prepare($sql, $this->sid, $cleanKey, $this->action));~~
101		~~if ($results) {~~
102		~~foreach ($results as $row) {~~
103		~~$valid = $row->token_sid;~~
104		}
105		}
106		~~if (isset($valid)) {~~
107		~~$sql = "DELETE FROM ".$this->table." WHERE token_sid = %s AND token_key = %s";~~
108		~~$h->db->query($h->db->prepare($sql, $valid, $cleanKey));~~
109		~~return TRUE;~~
110		}
111		}
112
113		~~private function cleanOld($h)~~
114		{
115		~~// Remove expired keys~~
116		~~$exp = time();~~
117		~~$sql = "DELETE FROM ".$this->table." WHERE token_stamp < %d";~~
118		~~$h->db->query($h->db->prepare($sql, $exp));~~
119		~~return TRUE;~~
120		}
121
122		~~public function logout($h)~~
123		{
124		~~$sql = "DELETE FROM ".$this->table." WHERE token_sid = %s";~~
125		~~$h->db->query($h->db->prepare($sql, $this->sid));~~
126		~~return TRUE;~~
127		}
128	73	}
129		?>

Hotaru CMS

Context Navigation

Changeset 2288

Legend:

branches/1.5/Hotaru.php

branches/1.5/libs/extensions/csrf/csrf_class.php

Download in other formats: