Implemented cookie HMAC check.

5 files changed, 58 insertions, 17 deletions

diff --git a/framework/Security/TSecurityManager.php b/framework/Security/TSecurityManager.php
index bc77c1b6..46ad4575 100644
--- a/framework/Security/TSecurityManager.php
+++ b/framework/Security/TSecurityManager.php
@@ -204,7 +204,7 @@ class TSecurityManager extends TModule
 	 * Validates if data is tampered.

 	 * @param string data to be validated. The data must be previously

 	 * generated using {@link hashData()}.

-	 * @return string the real data with HMAC stripped off. Null if the data

+	 * @return string the real data with HMAC stripped off. False if the data

 	 * is tampered.

 	 */

 	public function validateData($data)

@@ -214,10 +214,10 @@ class TSecurityManager extends TModule
 		{

 			$hmac=substr($data,0,$len);

 			$data2=substr($data,$len);

-			return $hmac===$this->computeHMAC($data2)?$data2:null;

+			return $hmac===$this->computeHMAC($data2)?$data2:false;

 		}

 		else

-			return null;

+			return false;

 	}

 

 	/**

diff --git a/framework/Web/THttpRequest.php b/framework/Web/THttpRequest.php
index 12d1ccd6..26e57e5b 100644
--- a/framework/Web/THttpRequest.php
+++ b/framework/Web/THttpRequest.php
@@ -83,7 +83,7 @@ class THttpRequest extends TMap implements IModule
 	private $_urlFormat='Get';

 	private $_services;

 	private $_requestResolved=false;

-

+	private $_enableCookieValidation=true;

 	/**

 	 * @var string request URL

 	 */

@@ -357,6 +357,22 @@ class THttpRequest extends TMap implements IModule
 	}

 

 	/**

+	 * @return boolean whether cookies should be validated. Defaults to true.

+	 */

+	public function getEnableCookieValidation()

+	{

+		return $this->_enableCookieValidation;

+	}

+

+	/**

+	 * @param boolean whether cookies should be validated.

+	 */

+	public function setEnableCookieValidation($value)

+	{

+		$this->_enableCookieValidation=TPropertyValue::ensureBoolean($value);

+	}

+

+	/**

 	 * @return THttpCookieCollection list of cookies to be sent

 	 */

 	public function getCookies()

@@ -364,8 +380,25 @@ class THttpRequest extends TMap implements IModule
 		if($this->_cookies===null)

 		{

 			$this->_cookies=new THttpCookieCollection;

-			foreach($_COOKIE as $key=>$value)

-				$this->_cookies->add(new THttpCookie($key,$value));

+			if($this->getEnableCookieValidation())

+			{

+				$sig=$this->getUserHostAddress().$this->getUserAgent();

+				$sm=$this->getApplication()->getSecurityManager();

+				foreach($_COOKIE as $key=>$value)

+				{

+					if(($value=$sm->validateData($value))!==false)

+					{

+						$v=unserialize($value);

+						if(isset($v[0]) && isset($v[1]) && $v[0]===$sig)

+							$this->_cookies->add(new THttpCookie($key,$v[1]));

+					}

+				}

+			}

+			else

+			{

+				foreach($_COOKIE as $key=>$value)

+					$this->_cookies->add(new THttpCookie($key,$value));

+			}

 		}

 		return $this->_cookies;

 	}

diff --git a/framework/Web/THttpResponse.php b/framework/Web/THttpResponse.php
index a8c3777a..5fed2167 100644
--- a/framework/Web/THttpResponse.php
+++ b/framework/Web/THttpResponse.php
@@ -66,7 +66,6 @@ class THttpResponse extends TModule implements ITextWriter
 	 * @var string content type

 	 */

 	private $_contentType='text/html';

-

 	/**

 	 * @var string character set, e.g. UTF-8

 	 */

@@ -350,7 +349,16 @@ class THttpResponse extends TModule implements ITextWriter
 	 */

 	public function addCookie($cookie)

 	{

-		setcookie($cookie->getName(),$cookie->getValue(),$cookie->getExpire(),$cookie->getPath(),$cookie->getDomain(),$cookie->getSecure());

+		$request=$this->getRequest();

+		if($request->getEnableCookieValidation())

+		{

+			$sig=$request->getUserHostAddress().$request->getUserAgent();

+			$data=serialize(array($sig,$cookie->getValue()));

+			$value=$this->getApplication()->getSecurityManager()->hashData($data);

+			setcookie($cookie->getName(),$value,$cookie->getExpire(),$cookie->getPath(),$cookie->getDomain(),$cookie->getSecure());

+		}

+		else

+			setcookie($cookie->getName(),$cookie->getValue(),$cookie->getExpire(),$cookie->getPath(),$cookie->getDomain(),$cookie->getSecure());

 	}

 

 	/**

diff --git a/framework/Web/UI/TPage.php b/framework/Web/UI/TPage.php
index 78d9115e..7a7cbce4 100644
--- a/framework/Web/UI/TPage.php
+++ b/framework/Web/UI/TPage.php
@@ -131,7 +131,7 @@ class TPage extends TTemplateControl
 

 	private $_statePersisterClass='System.Web.UI.TPageStatePersister';

 	private $_statePersister=null;

-	private $_enableStateHMAC=true;

+	private $_enableStateValidation=true;

 	private $_enableStateEncryption=false;

 

 	/**

@@ -826,14 +826,14 @@ class TPage extends TTemplateControl
 		return $this->_statePersister;

 	}

 

-	public function getEnableStateHMAC()

+	public function getEnableStateValidation()

 	{

-		return $this->_enableStateHMAC;

+		return $this->_enableStateValidation;

 	}

 

-	public function setEnableStateHMAC($value)

+	public function setEnableStateValidation($value)

 	{

-		$this->_enableStateHMAC=TPropertyValue::ensureBoolean($value);

+		$this->_enableStateValidation=TPropertyValue::ensureBoolean($value);

 	}

 

 	public function getEnableStateEncryption()

diff --git a/framework/Web/UI/TPageStatePersister.php b/framework/Web/UI/TPageStatePersister.php
index 746d93c8..49321ff5 100644
--- a/framework/Web/UI/TPageStatePersister.php
+++ b/framework/Web/UI/TPageStatePersister.php
@@ -16,7 +16,7 @@
  * TPageStatePersister implements a page state persistent method based on

  * form hidden fields.

  *

- * Depending on the {@link TPage::getEnableStateHMAC() EnableStateHMAC}

+ * Depending on the {@link TPage::getEnableStateValidation() EnableStateValidation}

  * and {@link TPage::getEnableStateEncryption() EnableStateEncryption},

  * TPageStatePersister may do HMAC validation and encryption to prevent

  * the state data from being tampered or viewed.

@@ -55,7 +55,7 @@ class TPageStatePersister extends TComponent implements IPageStatePersister
 	public function save($state)

 	{

 		Prado::trace("Saving state",'System.Web.UI.TPageStatePersister');

-		if($this->_page->getEnableStateHMAC())

+		if($this->_page->getEnableStateValidation())

 			$data=$this->getApplication()->getSecurityManager()->hashData(Prado::serialize($state));

 		else

 			$data=Prado::serialize($state);

@@ -85,9 +85,9 @@ class TPageStatePersister extends TComponent implements IPageStatePersister
 		{

 			if($this->_page->getEnableStateEncryption())

 				$data=$this->getApplication()->getSecurityManager()->decrypt($data);

-			if($this->_page->getEnableStateHMAC())

+			if($this->_page->getEnableStateValidation())

 			{

-				if(($data=$this->getApplication()->getSecurityManager()->validateData($data))!==null)

+				if(($data=$this->getApplication()->getSecurityManager()->validateData($data))!==false)

 					return Prado::unserialize($data);

 			}

 			else