Add CSRF protections
@@ -55,23 +55,4 @@ abstract class Base
|
||||
$this->db = $db;
|
||||
$this->event = $event;
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a random token with different methods: openssl or /dev/urandom or fallback to uniqid()
|
||||
*
|
||||
* @static
|
||||
* @access public
|
||||
* @return string Random token
|
||||
*/
|
||||
public static function generateToken()
|
||||
{
|
||||
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||
return bin2hex(\openssl_random_pseudo_bytes(16));
|
||||
}
|
||||
else if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
|
||||
return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30));
|
||||
}
|
||||
|
||||
return hash('sha256', uniqid(mt_rand(), true));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5,6 +5,7 @@ namespace Model;
|
||||
use SimpleValidator\Validator;
|
||||
use SimpleValidator\Validators;
|
||||
use Core\Translator;
|
||||
use Core\Security;
|
||||
|
||||
/**
|
||||
* Config model
|
||||
@@ -29,7 +30,7 @@ class Config extends Base
|
||||
*/
|
||||
public function getTimezones()
|
||||
{
|
||||
$timezones = \timezone_identifiers_list();
|
||||
$timezones = timezone_identifiers_list();
|
||||
return array_combine(array_values($timezones), $timezones);
|
||||
}
|
||||
|
||||
@@ -171,12 +172,12 @@ class Config extends Base
|
||||
*/
|
||||
public function regenerateTokens()
|
||||
{
|
||||
$this->db->table(self::TABLE)->update(array('webhooks_token' => $this->generateToken()));
|
||||
$this->db->table(self::TABLE)->update(array('webhooks_token' => Security::generateToken()));
|
||||
|
||||
$projects = $this->db->table(Project::TABLE)->findAllByColumn('id');
|
||||
|
||||
foreach ($projects as $project_id) {
|
||||
$this->db->table(Project::TABLE)->eq('id', $project_id)->update(array('token' => $this->generateToken()));
|
||||
$this->db->table(Project::TABLE)->eq('id', $project_id)->update(array('token' => Security::generateToken()));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
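Review bot: The `Security::generateToken()` call on the new side of regenerateTokens (and the identical replacements in Project::create and RememberMe::create/update) inherits whatever fallback the moved generator keeps; the removed Base::generateToken fell back to `hash('sha256', uniqid(mt_rand(), true))` when openssl was unavailable and open_basedir blocked /dev/urandom, and mt_rand output is not an acceptable source for webhook, project or remember-me tokens. Core\Security is outside this diff, so whether that fallback survived the move is inferred; if it did, the class should fail loudly rather than degrade, or use `random_bytes(16)` where the supported PHP version allows it. Separately, regenerateTokens rotates the webhook token and every project token in N+1 statements with no transaction around them, unlike Project::create in this same commit which wraps its save in startTransaction(), so a failure mid-loop leaves the tokens partially rotated.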
||||
@@ -5,6 +5,7 @@ namespace Model;
|
||||
use SimpleValidator\Validator;
|
||||
use SimpleValidator\Validators;
|
||||
use Event\TaskModification;
|
||||
use Core\Security;
|
||||
|
||||
/**
|
||||
* Project model
|
||||
@@ -363,7 +364,7 @@ class Project extends Base
|
||||
{
|
||||
$this->db->startTransaction();
|
||||
|
||||
$values['token'] = self::generateToken();
|
||||
$values['token'] = Security::generateToken();
|
||||
|
||||
if (! $this->db->table(self::TABLE)->save($values)) {
|
||||
$this->db->cancelTransaction();
|
||||
|
||||
@@ -2,6 +2,8 @@
|
||||
|
||||
namespace Model;
|
||||
|
||||
use Core\Security;
|
||||
|
||||
/**
|
||||
* RememberMe model
|
||||
*
|
||||
@@ -174,8 +176,8 @@ class RememberMe extends Base
|
||||
*/
|
||||
public function create($user_id, $ip, $user_agent)
|
||||
{
|
||||
$token = hash('sha256', $user_id.$user_agent.$ip.$this->generateToken());
|
||||
$sequence = $this->generateToken();
|
||||
$token = hash('sha256', $user_id.$user_agent.$ip.Security::generateToken());
|
||||
$sequence = Security::generateToken();
|
||||
$expiration = time() + self::EXPIRATION;
|
||||
|
||||
$this->cleanup($user_id);
|
||||
@@ -225,7 +227,7 @@ class RememberMe extends Base
|
||||
*/
|
||||
public function update($token, $sequence)
|
||||
{
|
||||
$new_sequence = $this->generateToken();
|
||||
$new_sequence = Security::generateToken();
|
||||
|
||||
$this->db
|
||||
->table(self::TABLE)
|
||||
|
||||