valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* use get_random_bytes() for CSRF token 

* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
This commit is contained in:
Andrew Dolgov 2020-09-17 08:59:18 +03:00
parent 0757ad0406
commit a817d3794d
2 changed files with 9 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
include/functions.php
View File

@ -581,7 +581,7 @@
$_SESSION["name"] = $row["login"];
$_SESSION["access_level"] = $row["access_level"];
$_SESSION["csrf_token"] = uniqid_short();
$_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
$usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?");
$usth->execute([$user_id]);
@ -608,9 +608,8 @@
$_SESSION["auth_module"] = false;
if (!$_SESSION["csrf_token"]) {
$_SESSION["csrf_token"] = uniqid_short();
}
if (!$_SESSION["csrf_token"])
$_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
@ -680,7 +679,7 @@
}
function validate_csrf($csrf_token) {
return $csrf_token === $_SESSION['csrf_token'];
return hash_equals($csrf_token, $_SESSION['csrf_token']);
}
function load_user_plugins($owner_uid, $pluginhost = false) {
@ -1669,7 +1668,9 @@
}
function get_random_bytes($length) {
if (function_exists('openssl_random_pseudo_bytes')) {
if (function_exists('random_bytes')) {
return random_bytes($length);
} else if (function_exists('openssl_random_pseudo_bytes')) {
return openssl_random_pseudo_bytes($length);
} else {
$output = "";

4
plugins/af_proxy_http/init.php
View File

@ -30,7 +30,7 @@ class Af_Proxy_Http extends Plugin {
$host->add_hook($host::HOOK_PREFS_TAB, $this);
if (!$_SESSION['af_proxy_http_token'])
$_SESSION['af_proxy_http_token'] = uniqid_short();
$_SESSION['af_proxy_http_token'] = bin2hex(get_random_bytes(16));
}
function hook_enclosure_entry($enc) {
@ -202,7 +202,7 @@ class Af_Proxy_Http extends Plugin {
function hook_prefs_tab($args) {
if ($args != "prefFeeds") return;
print "<div dojoType=\"dijit.layout.AccordionPane\"
print "<div dojoType=\"dijit.layout.AccordionPane\"
title=\"<i class='material-icons'>extension</i> ".__('Image proxy settings (af_proxy_http)')."\">";
print "<form dojoType=\"dijit.form.Form\">";