authorFrédéric Guillot <fred@kanboard.net>2014-05-28 15:14:52 -0400
committerFrédéric Guillot <fred@kanboard.net>2014-05-28 15:14:52 -0400
commit445ef6d1481745cd4e7af7e671f534a25d4495dc (patch)
tree7990903e398d77339587595ef5a07df8464f5a2e /app/Model
parent75ab09e28b22e9a5676ee912482027926e271515 (diff)
Add CSRF protections
Diffstat (limited to 'app/Model')
-rw-r--r--app/Model/Base.php19
-rw-r--r--app/Model/Config.php7
-rw-r--r--app/Model/Project.php3
-rw-r--r--app/Model/RememberMe.php8
4 files changed, 11 insertions, 26 deletions
diff --git a/app/Model/Base.php b/app/Model/Base.php
index ddc06c3d..66185aeb 100644
--- a/app/Model/Base.php
+++ b/app/Model/Base.php
@@ -55,23 +55,4 @@ abstract class Base
$this->db = $db;
$this->event = $event;
}
-
- /**
- * Generate a random token with different methods: openssl or /dev/urandom or fallback to uniqid()
- *
- * @static
- * @access public
- * @return string Random token
- */
- public static function generateToken()
- {
- if (function_exists('openssl_random_pseudo_bytes')) {
- return bin2hex(\openssl_random_pseudo_bytes(16));
- }
- else if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
- return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30));
- }
-
- return hash('sha256', uniqid(mt_rand(), true));
- }
}
diff --git a/app/Model/Config.php b/app/Model/Config.php
index 23abd8b5..469e6447 100644
--- a/app/Model/Config.php
+++ b/app/Model/Config.php
@@ -5,6 +5,7 @@ namespace Model;
use SimpleValidator\Validator;
use SimpleValidator\Validators;
use Core\Translator;
+use Core\Security;
/**
* Config model
@@ -29,7 +30,7 @@ class Config extends Base
*/
public function getTimezones()
{
- $timezones = \timezone_identifiers_list();
+ $timezones = timezone_identifiers_list();
return array_combine(array_values($timezones), $timezones);
}
@@ -171,12 +172,12 @@ class Config extends Base
*/
public function regenerateTokens()
{
- $this->db->table(self::TABLE)->update(array('webhooks_token' => $this->generateToken()));
+ $this->db->table(self::TABLE)->update(array('webhooks_token' => Security::generateToken()));
$projects = $this->db->table(Project::TABLE)->findAllByColumn('id');
foreach ($projects as $project_id) {
- $this->db->table(Project::TABLE)->eq('id', $project_id)->update(array('token' => $this->generateToken()));
+ $this->db->table(Project::TABLE)->eq('id', $project_id)->update(array('token' => Security::generateToken()));
}
}
}
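Review bot: In `regenerateTokens()` the results of both `update()` calls are discarded, so a failed write leaves the old webhook or project token valid and the caller gets no signal that rotation was incomplete. Because rotation is presumably run to invalidate a leaked token, a silent partial failure matters here; consider accumulating the results and returning a boolean, e.g. `$ok = $this->db->table(Project::TABLE)->eq('id', $project_id)->update(array('token' => Security::generateToken())) && $ok;`. Running the whole method inside the `startTransaction()` / `cancelTransaction()` pattern that Project.php already uses would also keep the rotation all-or-nothing. The method's docblock starts outside this hunk.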
diff --git a/app/Model/Project.php b/app/Model/Project.php
index 9fbb0806..e1465012 100644
--- a/app/Model/Project.php
+++ b/app/Model/Project.php
@@ -5,6 +5,7 @@ namespace Model;
use SimpleValidator\Validator;
use SimpleValidator\Validators;
use Event\TaskModification;
+use Core\Security;
/**
* Project model
@@ -363,7 +364,7 @@ class Project extends Base
{
$this->db->startTransaction();
- $values['token'] = self::generateToken();
+ $values['token'] = Security::generateToken();
if (! $this->db->table(self::TABLE)->save($values)) {
$this->db->cancelTransaction();
diff --git a/app/Model/RememberMe.php b/app/Model/RememberMe.php
index 1494b14a..c9ef819f 100644
--- a/app/Model/RememberMe.php
+++ b/app/Model/RememberMe.php
@@ -2,6 +2,8 @@
namespace Model;
+use Core\Security;
+
/**
* RememberMe model
*
@@ -174,8 +176,8 @@ class RememberMe extends Base
*/
public function create($user_id, $ip, $user_agent)
{
- $token = hash('sha256', $user_id.$user_agent.$ip.$this->generateToken());
- $sequence = $this->generateToken();
+ $token = hash('sha256', $user_id.$user_agent.$ip.Security::generateToken());
+ $sequence = Security::generateToken();
$expiration = time() + self::EXPIRATION;
$this->cleanup($user_id);
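Review bot: The `hash('sha256', ...)` wrapper in `create()` adds no unpredictability of its own, since `$user_id`, `$user_agent` and `$ip` are known to or supplied by the client; the remember-me token and sequence are therefore exactly as strong as `Core\Security::generateToken()`, whose body is not part of this diff (it is limited to app/Model). The removed `Base::generateToken()` fell back to `uniqid(mt_rand(), true)` when neither OpenSSL nor /dev/urandom was usable, so it is worth confirming that the replacement fails closed rather than carrying that fallback over. A comment above the assignment such as `// Secrecy comes only from Security::generateToken(); the other inputs are client-known` would record this for the next reader. The same dependency applies to the token assignments changed in Config.php and Project.php, and the body of `create()` continues past the end of the hunk.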
@@ -225,7 +227,7 @@ class RememberMe extends Base
*/
public function update($token, $sequence)
{
- $new_sequence = $this->generateToken();
+ $new_sequence = Security::generateToken();
$this->db
->table(self::TABLE)