Reimplementation of CSRF protection strategy #19
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Looks fine for me, as this pull request fixes some bugs and shouldn't break something, I'm totally fine with merging this already for 4.5. Anyone against it? Btw. I'm really impressed of this pull request description, thank you very much Christian for doing this! |
| @@ -155,9 +155,6 @@ public function __construct( $app, $name, $renderas = "" ) { | |||
| $this->renderas = $renderas; | |||
| $this->application = $app; | |||
| $this->vars = array(); | |||
| if($renderas == 'user') { | |||
| $this->vars['requesttoken'] = OC_Util::callRegister(); | |||
There was a problem hiding this comment.
This and L367 breaks some apps which do things like:
<input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>">
IMHO, you shouldn't remove these vars.
(Just commit a new version to your repository and this pull request will get updated.)
… containing the request token (currently the contacts app and maybe some 3rd party implementations)
LukasReschke
added a commit
that referenced
this pull request
Sep 28, 2012
Reimplementation of CSRF protection strategy
ghost
mentioned this pull request
ghost
mentioned this pull request
This was referenced Jul 29, 2016
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As discussed on the mailinglist I reimplemented the CSRF protection code ( "[Owncloud] CSRF behaviour is annoying" )
Motivation:
the current (static) strategy has an annoying side effect: since the token expires the user gets an error and is asked to "reload" when using an OC view older than 1 hour. This is fine for most things. This happens when leaving the client for a while (having lunch...) or using apps that do not require a full page reload for every click (like the 'Shorty' app for example).
In the Shorty app I implemented a refresh strategy to pull fresh tokens to prevent that annoying problem That strategy works and appears safe to me. I was asked to implement that strategy in OC core which I did.
Details:
I tried to stick with the previous naming scheme where possible. I added two files and modified a few details. The new strategy:
Bugfix:
This commit also fixes Bug oc-1593 - Race condition with CSRF protection token initialization
Implementation:
The (first) token is still generated whilst evaluating the layout.user template. Alongside its lifespan is stored, that way that value is controlled from a single place in the code instead of being hard coded at various places. The new file core/js/requesttoken.js handles the token and its refreshing. It stores the token in the OC namespace and binds it to ajax requests. EventSource has been modified to use that token storage too.
A fresh token is pulled via an ajax call shortyl before the old one expire (96%). For this a new ajax backend has been implemented: core/ajax/requesttoken.php
Security:
The new strategy allows autorefreshment of the token. In my eyes this is not a security thread, since a fresh token can be generated anyway at all times simply by loading and OC view. So complex implementations can work around that protection anyway.
In the current state pulling a fresh token itself is not protected by a token. Also, in my eyes this is not a security problem, same reason. Though this can be argued about. Pulling a fresh token obviously still requires being authenticated and having a valid session.
Conclusion:
the commit implements an advanced strategy offering two advantages
1.) get rid of annoying error thrown into the users face
2.) fix race condition (bug 1593)
For questions and discussions: I often hang around at IRC #owncloud & #owncloud-dev, nick name 'arkascha'.