From 6756ef2301a5f624941b947ec9effd34b467de9a Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Sun, 25 Oct 2015 15:05:19 -0400
Subject: Move token generation to Security namespace

---
 app/Core/Request.php        |  5 +--
 app/Core/Response.php       |  2 +-
 app/Core/Security.php       | 86 ---------------------------------------------
 app/Core/Security/Token.php | 67 +++++++++++++++++++++++++++++++++++
 4 files changed, 71 insertions(+), 89 deletions(-)
 delete mode 100644 app/Core/Security.php
 create mode 100644 app/Core/Security/Token.php

(limited to 'app/Core')

diff --git a/app/Core/Request.php b/app/Core/Request.php
index 5eda2d02..0398760e 100644
--- a/app/Core/Request.php
+++ b/app/Core/Request.php
@@ -8,7 +8,7 @@ namespace Kanboard\Core;
  * @package  core
  * @author   Frederic Guillot
  */
-class Request
+class Request extends Base
 {
     /**
      * Get URL string parameter
@@ -57,7 +57,8 @@ class Request
      */
     public function getValues()
     {
-        if (! empty($_POST) && Security::validateCSRFFormToken($_POST)) {
+        if (! empty($_POST) && ! empty($_POST['csrf_token']) && $this->token->validateCSRFToken($_POST['csrf_token'])) {
+            unset($_POST['csrf_token']);
             return $_POST;
         }
 
diff --git a/app/Core/Response.php b/app/Core/Response.php
index 528a6302..6788473a 100644
--- a/app/Core/Response.php
+++ b/app/Core/Response.php
@@ -8,7 +8,7 @@ namespace Kanboard\Core;
  * @package  core
  * @author   Frederic Guillot
  */
-class Response
+class Response extends Base
 {
     /**
      * Send no cache headers
diff --git a/app/Core/Security.php b/app/Core/Security.php
deleted file mode 100644
index 54207ee1..00000000
--- a/app/Core/Security.php
+++ /dev/null
@@ -1,86 +0,0 @@
-<?php
-
-namespace Kanboard\Core;
-
-/**
- * Security class
- *
- * @package  core
- * @author   Frederic Guillot
- */
-class Security
-{
-    /**
-     * Generate a random token with different methods: openssl or /dev/urandom or fallback to uniqid()
-     *
-     * @static
-     * @access public
-     * @return string  Random token
-     */
-    public static function generateToken()
-    {
-        if (function_exists('openssl_random_pseudo_bytes')) {
-            return bin2hex(\openssl_random_pseudo_bytes(30));
-        } elseif (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
-            return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30));
-        }
-
-        return hash('sha256', uniqid(mt_rand(), true));
-    }
-
-    /**
-     * Generate and store a CSRF token in the current session
-     *
-     * @static
-     * @access public
-     * @return string  Random token
-     */
-    public static function getCSRFToken()
-    {
-        $nonce = self::generateToken();
-
-        if (empty($_SESSION['csrf_tokens'])) {
-            $_SESSION['csrf_tokens'] = array();
-        }
-
-        $_SESSION['csrf_tokens'][$nonce] = true;
-
-        return $nonce;
-    }
-
-    /**
-     * Check if the token exists for the current session (a token can be used only one time)
-     *
-     * @static
-     * @access public
-     * @param  string   $token   CSRF token
-     * @return bool
-     */
-    public static function validateCSRFToken($token)
-    {
-        if (isset($_SESSION['csrf_tokens'][$token])) {
-            unset($_SESSION['csrf_tokens'][$token]);
-            return true;
-        }
-
-        return false;
-    }
-
-    /**
-     * Check if the token used in a form is correct and then remove the value
-     *
-     * @static
-     * @access public
-     * @param  array    $values   Form values
-     * @return bool
-     */
-    public static function validateCSRFFormToken(array &$values)
-    {
-        if (! empty($values['csrf_token']) && self::validateCSRFToken($values['csrf_token'])) {
-            unset($values['csrf_token']);
-            return true;
-        }
-
-        return false;
-    }
-}
diff --git a/app/Core/Security/Token.php b/app/Core/Security/Token.php
new file mode 100644
index 00000000..7aca08af
--- /dev/null
+++ b/app/Core/Security/Token.php
@@ -0,0 +1,67 @@
+<?php
+
+namespace Kanboard\Core\Security;
+
+use Kanboard\Core\Base;
+
+/**
+ * Token Handler
+ *
+ * @package  security
+ * @author   Frederic Guillot
+ */
+class Token extends Base
+{
+    /**
+     * Generate a random token with different methods: openssl or /dev/urandom or fallback to uniqid()
+     *
+     * @static
+     * @access public
+     * @return string  Random token
+     */
+    public static function getToken()
+    {
+        if (function_exists('openssl_random_pseudo_bytes')) {
+            return bin2hex(\openssl_random_pseudo_bytes(30));
+        } elseif (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
+            return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30));
+        }
+
+        return hash('sha256', uniqid(mt_rand(), true));
+    }
+
+    /**
+     * Generate and store a CSRF token in the current session
+     *
+     * @access public
+     * @return string  Random token
+     */
+    public function getCSRFToken()
+    {
+        if (! isset($_SESSION['csrf_tokens'])) {
+            $_SESSION['csrf_tokens'] = array();
+        }
+
+        $nonce = self::getToken();
+        $_SESSION['csrf_tokens'][$nonce] = true;
+
+        return $nonce;
+    }
+
+    /**
+     * Check if the token exists for the current session (a token can be used only one time)
+     *
+     * @access public
+     * @param  string   $token   CSRF token
+     * @return bool
+     */
+    public function validateCSRFToken($token)
+    {
+        if (isset($_SESSION['csrf_tokens'][$token])) {
+            unset($_SESSION['csrf_tokens'][$token]);
+            return true;
+        }
+
+        return false;
+    }
+}
-- 
cgit v1.2.3