* use get_random_bytes() for CSRF token

* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
This commit is contained in:
Andrew Dolgov 2020-09-17 08:59:18 +03:00
parent 0757ad0406
commit a817d3794d
2 changed files with 9 additions and 8 deletions

View File

@ -581,7 +581,7 @@
$_SESSION["name"] = $row["login"]; $_SESSION["name"] = $row["login"];
$_SESSION["access_level"] = $row["access_level"]; $_SESSION["access_level"] = $row["access_level"];
$_SESSION["csrf_token"] = uniqid_short(); $_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
$usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?"); $usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?");
$usth->execute([$user_id]); $usth->execute([$user_id]);
@ -608,9 +608,8 @@
$_SESSION["auth_module"] = false; $_SESSION["auth_module"] = false;
if (!$_SESSION["csrf_token"]) { if (!$_SESSION["csrf_token"])
$_SESSION["csrf_token"] = uniqid_short(); $_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
}
$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"]; $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
@ -680,7 +679,7 @@
} }
function validate_csrf($csrf_token) { function validate_csrf($csrf_token) {
return $csrf_token === $_SESSION['csrf_token']; return hash_equals($csrf_token, $_SESSION['csrf_token']);
} }
function load_user_plugins($owner_uid, $pluginhost = false) { function load_user_plugins($owner_uid, $pluginhost = false) {
@ -1669,7 +1668,9 @@
} }
function get_random_bytes($length) { function get_random_bytes($length) {
if (function_exists('openssl_random_pseudo_bytes')) { if (function_exists('random_bytes')) {
return random_bytes($length);
} else if (function_exists('openssl_random_pseudo_bytes')) {
return openssl_random_pseudo_bytes($length); return openssl_random_pseudo_bytes($length);
} else { } else {
$output = ""; $output = "";

View File

@ -30,7 +30,7 @@ class Af_Proxy_Http extends Plugin {
$host->add_hook($host::HOOK_PREFS_TAB, $this); $host->add_hook($host::HOOK_PREFS_TAB, $this);
if (!$_SESSION['af_proxy_http_token']) if (!$_SESSION['af_proxy_http_token'])
$_SESSION['af_proxy_http_token'] = uniqid_short(); $_SESSION['af_proxy_http_token'] = bin2hex(get_random_bytes(16));
} }
function hook_enclosure_entry($enc) { function hook_enclosure_entry($enc) {
@ -202,7 +202,7 @@ class Af_Proxy_Http extends Plugin {
function hook_prefs_tab($args) { function hook_prefs_tab($args) {
if ($args != "prefFeeds") return; if ($args != "prefFeeds") return;
print "<div dojoType=\"dijit.layout.AccordionPane\" print "<div dojoType=\"dijit.layout.AccordionPane\"
title=\"<i class='material-icons'>extension</i> ".__('Image proxy settings (af_proxy_http)')."\">"; title=\"<i class='material-icons'>extension</i> ".__('Image proxy settings (af_proxy_http)')."\">";
print "<form dojoType=\"dijit.form.Form\">"; print "<form dojoType=\"dijit.form.Form\">";