summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjim-p <jimp@pfsense.org>2012-10-31 08:39:12 -0400
committerjim-p <jimp@pfsense.org>2012-10-31 08:39:29 -0400
commitb3a1733da5a4ca752216c38201f23bb02d527b45 (patch)
tree961efdc1f389c20f731594bd6aec869681bee436
parent80ff6bfe42210cfc6850874486bee5d02a16b50a (diff)
downloadpfsense-b3a1733da5a4ca752216c38201f23bb02d527b45.zip
pfsense-b3a1733da5a4ca752216c38201f23bb02d527b45.tar.gz
Update CSRF Magic
-rw-r--r--usr/local/www/csrf/csrf-magic.js4
-rw-r--r--usr/local/www/csrf/csrf-magic.php17
2 files changed, 12 insertions, 9 deletions
diff --git a/usr/local/www/csrf/csrf-magic.js b/usr/local/www/csrf/csrf-magic.js
index 6992402..243e37e 100644
--- a/usr/local/www/csrf/csrf-magic.js
+++ b/usr/local/www/csrf/csrf-magic.js
@@ -108,7 +108,9 @@ CsrfMagic.end = function() {
}
// Sets things up for Mozilla/Opera/nice browsers
-if (window.XMLHttpRequest && window.XMLHttpRequest.prototype) {
+// We very specifically match against Internet Explorer, since they haven't
+// implemented prototypes correctly yet.
+if (window.XMLHttpRequest && window.XMLHttpRequest.prototype && '\v' != '\v') {
var x = XMLHttpRequest.prototype;
var c = CsrfMagic.prototype;
diff --git a/usr/local/www/csrf/csrf-magic.php b/usr/local/www/csrf/csrf-magic.php
index befad0a..fc02dea 100644
--- a/usr/local/www/csrf/csrf-magic.php
+++ b/usr/local/www/csrf/csrf-magic.php
@@ -212,6 +212,7 @@ function csrf_get_tokens() {
// $ip implements a composite key, which is sent if the user hasn't sent
// any cookies. It may or may not be used, depending on whether or not
// the cookies "stick"
+ $secret = csrf_get_secret();
if (!$has_cookies && $secret) {
// :TODO: Harden this against proxy-spoofing attacks
$ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
@@ -229,7 +230,7 @@ function csrf_get_tokens() {
}
if ($GLOBALS['csrf']['key']) return 'key:' . csrf_hash($GLOBALS['csrf']['key']) . $ip;
// These further algorithms require a server-side secret
- if ($secret === '') return 'invalid';
+ if (!$secret) return 'invalid';
if ($GLOBALS['csrf']['user'] !== false) {
return 'user:' . csrf_hash($GLOBALS['csrf']['user']);
}
@@ -286,11 +287,11 @@ function csrf_check_token($token) {
// that doesn't make me feel good then about the cookie-based
// implementation.
case 'user':
- if ($GLOBALS['csrf']['secret'] === '') return false;
+ if (!csrf_get_secret()) return false;
if ($GLOBALS['csrf']['user'] === false) return false;
return $value === csrf_hash($GLOBALS['csrf']['user'], $time);
case 'ip':
- if (csrf_get_secret() === '') return false;
+ if (!csrf_get_secret()) return false;
// do not allow IP-based checks if the username is set, or if
// the browser sent cookies
if ($GLOBALS['csrf']['user'] !== false) return false;
@@ -347,12 +348,12 @@ function csrf_get_secret() {
* Generates a random string as the hash of time, microtime, and mt_rand.
*/
function csrf_generate_secret($len = 32) {
- $secret = '';
+ $r = '';
for ($i = 0; $i < 32; $i++) {
- $secret .= chr(mt_rand(0, 255));
+ $r .= chr(mt_rand(0, 255));
}
- $secret .= time() . microtime();
- return sha1($secret);
+ $r .= time() . microtime();
+ return sha1($r);
}
/**
@@ -361,7 +362,7 @@ function csrf_generate_secret($len = 32) {
*/
function csrf_hash($value, $time = null) {
if (!$time) $time = time();
- return sha1($secret . $value . $time) . ',' . $time;
+ return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
}
// Load user configuration
OpenPOWER on IntegriCloud