Provide a framework for CSRF protection, with tests.

Add CSRF protection to Asset editSave, AssetManager, VersionTags and Group operations.
This commit is contained in:
Colin Kuskie 2009-07-06 16:58:57 +00:00
parent 4664ab7035
commit 5e4db3adb4
19 changed files with 362 additions and 62 deletions


@ -174,5 +174,24 @@ sub process {
});
}
#-------------------------------------------------------------------
=head2 validToken ( )
Checks that the current form has a method=POST, and that it has a CSRF token matching
the one in this user's current session.
=cut
sub validToken {
my ($self) = @_;
my $session = $self->session;
$session->log->warn('method: '. $session->request->method);
$session->log->warn('token: '. $session->scratch->get('webguiCsrfToken'));
return 0 unless $session->request->method eq 'POST';
return 0 unless $self->param('webguiCsrfToken') eq $session->scratch->get('webguiCsrfToken');
return 1;
}
1;
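Review bot: The two `$session->log->warn(...)` calls in validToken write the session's CSRF token (and the request method) to the log on every check, so the log becomes a plaintext copy of the secret; drop them, or log only the method and the pass/fail outcome, never the token value. The `eq` on the following line also succeeds when both sides are undef, because `eq` stringifies undef to the empty string (with a warning), so a session whose scratch holds no `webguiCsrfToken` — presumably any session that already existed before this change, since only `start` in the Session/Var hunk sets it and the resume path in `new` does not — would treat a POST with no token parameter as valid. Fetch both values and require them to be defined before comparing: `my $sent = $self->param('webguiCsrfToken'); my $stored = $session->scratch->get('webguiCsrfToken');` followed by `return 0 unless defined $sent && defined $stored && $sent eq $stored;`. The POD should also say which callers are expected to invoke this (state-changing form handlers) and that a false return means the request must be rejected, so the contract is clear to the other files in this commit.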


@ -194,6 +194,7 @@ sub new {
$self->{_var}{expires} = $session->datetime->time() + $session->setting->get("sessionTimeout");
$self->session->{_sessionId} = $self->{_var}{sessionId};
$session->db->setRow("userSession","sessionId",$self->{_var});
return $self;
}
else { ##Start a new default session with the requested, non-existant id.
$self->start(1,$sessionId);
@ -222,7 +223,7 @@ sub session {
=head2 start ( [ userId, sessionId ] )
Start a new user session. Returns the user session id. The session variable's sessionId
is set to the var object's session id.
is set to the var object's session id. Also sets the user's CSRF token.
=head3 userId
@ -251,6 +252,7 @@ sub start {
$self->{_var}{sessionId} = $sessionId;
$self->session->db->setRow("userSession","sessionId",$self->{_var},$sessionId);
$self->session->{_sessionId} = $sessionId;
$self->session->scratch->set('webguiCsrfToken', $self->session->id->generate);
}
#-------------------------------------------------------------------