From 445ef6d1481745cd4e7af7e671f534a25d4495dc Mon Sep 17 00:00:00 2001
From: Frédéric Guillot <fred@kanboard.net>
Date: Wed, 28 May 2014 15:14:52 -0400
Subject: Add CSRF protections

---
 app/Core/Request.php  | 24 ++++++++++++--
 app/Core/Response.php |  4 ++-
 app/Core/Security.php | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 112 insertions(+), 3 deletions(-)
 create mode 100644 app/Core/Security.php

(limited to 'app/Core')

diff --git a/app/Core/Request.php b/app/Core/Request.php
index 7e9f24ac..6bc738be 100644
--- a/app/Core/Request.php
+++ b/app/Core/Request.php
@@ -2,6 +2,8 @@
 
 namespace Core;
 
+use Core\Security;
+
 /**
  * Request class
  *
@@ -58,7 +60,12 @@ class Request
     public function getValues()
     {
         if (! empty($_POST)) {
-            return $_POST;
+
+            if (Security::validateCSRFFormToken($_POST)) {
+                return $_POST;
+            }
+
+            return array();
         }
 
         $result = json_decode($this->getBody(), true);
@@ -116,6 +123,19 @@ class Request
      */
     public function isAjax()
     {
-        return isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';
+        return $this->getHeader('X-Requested-With') === 'XMLHttpRequest';
+    }
+
+    /**
+     * Return a HTTP header value
+     *
+     * @access public
+     * @param  string   $name   Header name
+     * @return string
+     */
+    public function getHeader($name)
+    {
+        $name = 'HTTP_'.str_replace('-', '_', strtoupper($name));
+        return isset($_SERVER[$name]) ? $_SERVER[$name] : '';
     }
 }
diff --git a/app/Core/Response.php b/app/Core/Response.php
index 11d7567a..aee029af 100644
--- a/app/Core/Response.php
+++ b/app/Core/Response.php
@@ -18,8 +18,10 @@ class Response
     public function nocache()
     {
         header('Pragma: no-cache');
-        header('Cache-Control: no-cache, must-revalidate');
         header('Expires: Sat, 26 Jul 1997 05:00:00 GMT');
+
+        // Use no-store due to a Chrome bug: https://code.google.com/p/chromium/issues/detail?id=28035
+        header('Cache-Control: no-store, must-revalidate');
     }
 
     /**
diff --git a/app/Core/Security.php b/app/Core/Security.php
new file mode 100644
index 00000000..0bd7c991
--- /dev/null
+++ b/app/Core/Security.php
@@ -0,0 +1,87 @@
+<?php
+
+namespace Core;
+
+/**
+ * Security class
+ *
+ * @package  core
+ * @author   Frederic Guillot
+ */
+class Security
+{
+     /**
+     * Generate a random token with different methods: openssl or /dev/urandom or fallback to uniqid()
+     *
+     * @static
+     * @access public
+     * @return string  Random token
+     */
+    public static function generateToken()
+    {
+        if (function_exists('openssl_random_pseudo_bytes')) {
+            return bin2hex(\openssl_random_pseudo_bytes(30));
+        }
+        else if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
+            return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30));
+        }
+
+        return hash('sha256', uniqid(mt_rand(), true));
+    }
+
+    /**
+     * Generate and store a CSRF token in the current session
+     *
+     * @static
+     * @access public
+     * @return string  Random token
+     */
+    public static function getCSRFToken()
+    {
+        $nonce = self::generateToken();
+
+        if (empty($_SESSION['csrf_tokens'])) {
+            $_SESSION['csrf_tokens'] = array();
+        }
+
+        $_SESSION['csrf_tokens'][$nonce] = true;
+
+        return $nonce;
+    }
+
+    /**
+     * Check if the token exists for the current session (a token can be used only one time)
+     *
+     * @static
+     * @access public
+     * @param  string   $token   CSRF token
+     * @return bool
+     */
+    public static function validateCSRFToken($token)
+    {
+        if (isset($_SESSION['csrf_tokens'][$token])) {
+            unset($_SESSION['csrf_tokens'][$token]);
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Check if the token used in a form is correct and then remove the value
+     *
+     * @static
+     * @access public
+     * @param  array    $values   Form values
+     * @return bool
+     */
+    public static function validateCSRFFormToken(array &$values)
+    {
+        if (! empty($values['csrf_token']) && self::validateCSRFToken($values['csrf_token'])) {
+            unset($values['csrf_token']);
+            return true;
+        }
+
+        return false;
+    }
+}
-- 
cgit v1.2.3