Changeset 500 for trunk/lib/App.inc.php

Timestamp:

Nov 15, 2014 9:34:39 PM (10 years ago)

Author:

anonymous

Message:

Many auth and crypto changes; various other bugfixes while working on pulso.

File:

• trunk/lib/App.inc.php (modified) (5 diffs)

trunk/lib/App.inc.php

@@ -80 +80 @@
         'ssl_enabled' => false,
 
+        // Use CSRF tokens.
+        'csrf_token_enabled' => true,
+        'csrf_token_name' => 'csrf_token',
+        'csrf_token_timeout' => 86400, // In seconds. This causes form tokens to be unusable after this duration. This might only cause problems when opening forms in multiple tabs left open beyond the timeout duration. But usually their session will timeout first, and they'll receive new tokens when they load the form again..
+
+        // HMAC signing method
+        'signing_method' => 'sha512+base64',
+
         // Character set for page output. Used in the Content-Type header and the HTML <meta content-type> tag.
         'character_set' => 'utf-8',
@@ -450 +458 @@
 
         if ('' == trim($message)) {
-            $this->logMsg(sprintf('Raised message is an empty string.', __FUNCTION__), LOG_NOTICE, __FILE__, __LINE__);
+            $this->logMsg(sprintf('Raised message is an empty string.', null), LOG_NOTICE, __FILE__, __LINE__);
             return false;
         }
@@ -944 +952 @@
     }
 
-    /*
-    * Return a URL with a version number attached. This is useful for overriding network caches ("cache buster") for sourced media, e.g., /style.css?812763482
-    *
-    * @access   public
-    * @param    string  $url    URL to media (e.g., /foo.js)
-    * @return   string          URL with cache-busting version appended (/foo.js?v=1234567890)
-    * @author   Quinn Comendant <quinn@strangecode.com>
-    * @version  1.0
-    * @since    03 Sep 2014 22:40:24
-    */
-    public function cacheBustURL($url)
-    {
-        // Get the first delimiter that is needed in the url.
-        $delim = mb_strpos($url, '?') !== false ? ini_get('arg_separator.output') : '?';
-        $v = crc32($this->getParam('codebase_version') . '|' . $this->getParam('site_version'));
-        return sprintf('%s%sv=%s', $url, $delim, $v);
-    }
-
     /**
      * Prints a hidden form element with the PHPSESSID when cookies are not used, as well
@@ -971 +961 @@
      *                                      array('key1'=>'value', key2'='value')  <-- to set keys to default values if not present in form data.
      *                                      false  <-- To not carry any queries. If URL already has queries those will be retained.
-     */
-    public function printHiddenSession($carry_args=null)
+     * @param   bool    $include_csrf_token     Set to true to include the csrf_token in the form. Only use this for forms with action="post" to prevent the token from being revealed in the URL.
+     */
+    public function printHiddenSession($carry_args=null, $include_csrf_token=false)
     {
         if (!$this->running) {
@@ -1023 +1014 @@
             printf('<input type="hidden" name="%s" value="%s" />', session_name(), session_id());
         }
+
+        // Include the csrf_token in the form.
+        // This token can be validated upon form submission with $app->verifyCSRFToken() or $app->requireValidCSRFToken()
+        if ($this->getParam('csrf_token_enabled') && $include_csrf_token) {
+            printf('<input type="hidden" name="%s" value="%s" />', $this->getParam('csrf_token_name'), $this->recycleCSRFToken());
+        }
+    }
+
+    /*
+    * Return a URL with a version number attached. This is useful for overriding network caches ("cache buster") for sourced media, e.g., /style.css?812763482
+    *
+    * @access   public
+    * @param    string  $url    URL to media (e.g., /foo.js)
+    * @return   string          URL with cache-busting version appended (/foo.js?v=1234567890)
+    * @author   Quinn Comendant <quinn@strangecode.com>
+    * @version  1.0
+    * @since    03 Sep 2014 22:40:24
+    */
+    public function cacheBustURL($url)
+    {
+        // Get the first delimiter that is needed in the url.
+        $delim = mb_strpos($url, '?') !== false ? ini_get('arg_separator.output') : '?';
+        $v = crc32($this->getParam('codebase_version') . '|' . $this->getParam('site_version'));
+        return sprintf('%s%sv=%s', $url, $delim, $v);
+    }
+
+    /*
+    * Generate a csrf_token, saving it to the session and returning its value.
+    * https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern
+    * @access   public
+    * @return   string  The new csrf_token.
+    * @author   Quinn Comendant <quinn@strangecode.com>
+    * @version  1.0
+    * @since    15 Nov 2014 17:53:51
+    */
+    public function generateCSRFToken()
+    {
+        return $_SESSION['_app'][$this->_ns]['csrf_tokens'][] = addSignature(time(), null, 64);
+    }
+
+    /*
+    * Update the csrf_token to a new value if it hasn't been set yet or has expired.
+    * Save the previous csrf_token in the session to ensure continuity of currently open sessions.
+    *
+    * @access   public
+    * @return   string The current csrf_token
+    * @author   Quinn Comendant <quinn@strangecode.com>
+    * @version  1.0
+    * @since    15 Nov 2014 17:57:17
+    */
+    public function recycleCSRFToken()
+    {
+        if (!isset($_SESSION['_app'][$this->_ns]['csrf_tokens'])) {
+            // No token yet; generate one and return it.
+            $_SESSION['_app'][$this->_ns]['csrf_tokens'] = array();
+            $return = $this->generateCSRFToken();
+        }
+        if (removeSignature(end($_SESSION['_app'][$this->_ns]['csrf_tokens'])) + $this->getParam('csrf_token_timeout') < time()) {
+            // Newest token is expired; prune array of tokens and generate new token.
+            // We'll save the 10-most-recent tokens. This allows the user to submit up to 5 forms saved in previously opened tabs with expired tokens (loading a form will prune one token, and submitting a form will prune one token, thus 10 = 5).
+            $_SESSION['_app'][$this->_ns]['csrf_tokens'] = array_slice($_SESSION['_app'][$this->_ns]['csrf_tokens'], -10, 10);
+            $return = $this->generateCSRFToken();
+        }
+        // Current token is not expired; return it.
+        $return = end($_SESSION['_app'][$this->_ns]['csrf_tokens']);
+        $app =& App::getInstance();
+        return $return;
+    }
+
+    /*
+    * Compares the given csrf_token with the current or previous one saved in the session.
+    *
+    * @access   public
+    * @param    string  $csrf_token     The token to compare with the session token.
+    * @return   bool    True if the tokens match, false otherwise.
+    * @author   Quinn Comendant <quinn@strangecode.com>
+    * @version  1.0
+    * @since    15 Nov 2014 18:06:55
+    */
+    public function verifyCSRFToken($csrf_token)
+    {
+        $app =& App::getInstance();
+
+        if (!$this->getParam('csrf_token_enabled')) {
+            $app->logMsg(sprintf('%s method called, but csrf_token_enabled=false', __FUNCTION__), LOG_ERR, __FILE__, __LINE__);
+            return false;
+        }
+        if ('' == trim($csrf_token)) {
+            $app->logMsg(sprintf('Empty string failed CSRF verification.', null), LOG_NOTICE, __FILE__, __LINE__);
+            return false;
+        }
+        if (!verifySignature($csrf_token, null, 64)) {
+            $app->logMsg(sprintf('Input failed CSRF verification (invalid signature in %s).', $csrf_token), LOG_WARNING, __FILE__, __LINE__);
+            return false;
+        }
+        $this->recycleCSRFToken();
+        if (!in_array($csrf_token, $_SESSION['_app'][$this->_ns]['csrf_tokens'])) {
+            $app->logMsg(sprintf('Input failed CSRF verification (%s not in %s).', $csrf_token, getDump($_SESSION['_app'][$this->_ns]['csrf_tokens'])), LOG_WARNING, __FILE__, __LINE__);
+            return false;
+        }
+        // $app->logMsg(sprintf('Verified token %s is in %s', $csrf_token, getDump($_SESSION['_app'][$this->_ns]['csrf_tokens'])), LOG_DEBUG, __FILE__, __LINE__);
+        return true;
+    }
+
+    /*
+    * Bounce user if they submit a token that doesn't match the one saved in the session.
+    * Because this function calls dieURL() it must be called before any other HTTP header output.
+    *
+    * @access   public
+    * @param    string  $csrf_token The token to compare with the session token.
+    * @param    string  $message    Optional message to display to the user (otherwise default message will display). Set to an empty string to display no message.
+    * @param    int    $type    The type of message: MSG_NOTICE,
+    *                           MSG_SUCCESS, MSG_WARNING, or MSG_ERR.
+    * @param    string $file    __FILE__.
+    * @param    string $line    __LINE__.
+    * @return   void
+    * @author   Quinn Comendant <quinn@strangecode.com>
+    * @version  1.0
+    * @since    15 Nov 2014 18:10:17
+    */
+    public function requireValidCSRFToken($csrf_token, $message=null, $type=MSG_NOTICE, $file=null, $line=null)
+    {
+        $app =& App::getInstance();
+
+        if (!$this->verifyCSRFToken($csrf_token)) {
+            $message = isset($message) ? $message : _("Something went wrong; please try again.");
+            $app->raiseMsg($message, $type, $file, $line);
+            $app->dieBoomerangURL();
+        }
     }