summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--framework/Security/TSecurityManager.php6
-rw-r--r--framework/Web/THttpRequest.php39
-rw-r--r--framework/Web/THttpResponse.php12
-rw-r--r--framework/Web/UI/TPage.php10
-rw-r--r--framework/Web/UI/TPageStatePersister.php8
5 files changed, 58 insertions, 17 deletions
diff --git a/framework/Security/TSecurityManager.php b/framework/Security/TSecurityManager.php
index bc77c1b6..46ad4575 100644
--- a/framework/Security/TSecurityManager.php
+++ b/framework/Security/TSecurityManager.php
@@ -204,7 +204,7 @@ class TSecurityManager extends TModule
* Validates if data is tampered.
* @param string data to be validated. The data must be previously
* generated using {@link hashData()}.
- * @return string the real data with HMAC stripped off. Null if the data
+ * @return string the real data with HMAC stripped off. False if the data
* is tampered.
*/
public function validateData($data)
@@ -214,10 +214,10 @@ class TSecurityManager extends TModule
{
$hmac=substr($data,0,$len);
$data2=substr($data,$len);
- return $hmac===$this->computeHMAC($data2)?$data2:null;
+ return $hmac===$this->computeHMAC($data2)?$data2:false;
}
else
- return null;
+ return false;
}
/**
diff --git a/framework/Web/THttpRequest.php b/framework/Web/THttpRequest.php
index 12d1ccd6..26e57e5b 100644
--- a/framework/Web/THttpRequest.php
+++ b/framework/Web/THttpRequest.php
@@ -83,7 +83,7 @@ class THttpRequest extends TMap implements IModule
private $_urlFormat='Get';
private $_services;
private $_requestResolved=false;
-
+ private $_enableCookieValidation=true;
/**
* @var string request URL
*/
@@ -357,6 +357,22 @@ class THttpRequest extends TMap implements IModule
}
/**
+ * @return boolean whether cookies should be validated. Defaults to true.
+ */
+ public function getEnableCookieValidation()
+ {
+ return $this->_enableCookieValidation;
+ }
+
+ /**
+ * @param boolean whether cookies should be validated.
+ */
+ public function setEnableCookieValidation($value)
+ {
+ $this->_enableCookieValidation=TPropertyValue::ensureBoolean($value);
+ }
+
+ /**
* @return THttpCookieCollection list of cookies to be sent
*/
public function getCookies()
@@ -364,8 +380,25 @@ class THttpRequest extends TMap implements IModule
if($this->_cookies===null)
{
$this->_cookies=new THttpCookieCollection;
- foreach($_COOKIE as $key=>$value)
- $this->_cookies->add(new THttpCookie($key,$value));
+ if($this->getEnableCookieValidation())
+ {
+ $sig=$this->getUserHostAddress().$this->getUserAgent();
+ $sm=$this->getApplication()->getSecurityManager();
+ foreach($_COOKIE as $key=>$value)
+ {
+ if(($value=$sm->validateData($value))!==false)
+ {
+ $v=unserialize($value);
+ if(isset($v[0]) && isset($v[1]) && $v[0]===$sig)
+ $this->_cookies->add(new THttpCookie($key,$v[1]));
+ }
+ }
+ }
+ else
+ {
+ foreach($_COOKIE as $key=>$value)
+ $this->_cookies->add(new THttpCookie($key,$value));
+ }
}
return $this->_cookies;
}
diff --git a/framework/Web/THttpResponse.php b/framework/Web/THttpResponse.php
index a8c3777a..5fed2167 100644
--- a/framework/Web/THttpResponse.php
+++ b/framework/Web/THttpResponse.php
@@ -66,7 +66,6 @@ class THttpResponse extends TModule implements ITextWriter
* @var string content type
*/
private $_contentType='text/html';
-
/**
* @var string character set, e.g. UTF-8
*/
@@ -350,7 +349,16 @@ class THttpResponse extends TModule implements ITextWriter
*/
public function addCookie($cookie)
{
- setcookie($cookie->getName(),$cookie->getValue(),$cookie->getExpire(),$cookie->getPath(),$cookie->getDomain(),$cookie->getSecure());
+ $request=$this->getRequest();
+ if($request->getEnableCookieValidation())
+ {
+ $sig=$request->getUserHostAddress().$request->getUserAgent();
+ $data=serialize(array($sig,$cookie->getValue()));
+ $value=$this->getApplication()->getSecurityManager()->hashData($data);
+ setcookie($cookie->getName(),$value,$cookie->getExpire(),$cookie->getPath(),$cookie->getDomain(),$cookie->getSecure());
+ }
+ else
+ setcookie($cookie->getName(),$cookie->getValue(),$cookie->getExpire(),$cookie->getPath(),$cookie->getDomain(),$cookie->getSecure());
}
/**
diff --git a/framework/Web/UI/TPage.php b/framework/Web/UI/TPage.php
index 78d9115e..7a7cbce4 100644
--- a/framework/Web/UI/TPage.php
+++ b/framework/Web/UI/TPage.php
@@ -131,7 +131,7 @@ class TPage extends TTemplateControl
private $_statePersisterClass='System.Web.UI.TPageStatePersister';
private $_statePersister=null;
- private $_enableStateHMAC=true;
+ private $_enableStateValidation=true;
private $_enableStateEncryption=false;
/**
@@ -826,14 +826,14 @@ class TPage extends TTemplateControl
return $this->_statePersister;
}
- public function getEnableStateHMAC()
+ public function getEnableStateValidation()
{
- return $this->_enableStateHMAC;
+ return $this->_enableStateValidation;
}
- public function setEnableStateHMAC($value)
+ public function setEnableStateValidation($value)
{
- $this->_enableStateHMAC=TPropertyValue::ensureBoolean($value);
+ $this->_enableStateValidation=TPropertyValue::ensureBoolean($value);
}
public function getEnableStateEncryption()
diff --git a/framework/Web/UI/TPageStatePersister.php b/framework/Web/UI/TPageStatePersister.php
index 746d93c8..49321ff5 100644
--- a/framework/Web/UI/TPageStatePersister.php
+++ b/framework/Web/UI/TPageStatePersister.php
@@ -16,7 +16,7 @@
* TPageStatePersister implements a page state persistent method based on
* form hidden fields.
*
- * Depending on the {@link TPage::getEnableStateHMAC() EnableStateHMAC}
+ * Depending on the {@link TPage::getEnableStateValidation() EnableStateValidation}
* and {@link TPage::getEnableStateEncryption() EnableStateEncryption},
* TPageStatePersister may do HMAC validation and encryption to prevent
* the state data from being tampered or viewed.
@@ -55,7 +55,7 @@ class TPageStatePersister extends TComponent implements IPageStatePersister
public function save($state)
{
Prado::trace("Saving state",'System.Web.UI.TPageStatePersister');
- if($this->_page->getEnableStateHMAC())
+ if($this->_page->getEnableStateValidation())
$data=$this->getApplication()->getSecurityManager()->hashData(Prado::serialize($state));
else
$data=Prado::serialize($state);
@@ -85,9 +85,9 @@ class TPageStatePersister extends TComponent implements IPageStatePersister
{
if($this->_page->getEnableStateEncryption())
$data=$this->getApplication()->getSecurityManager()->decrypt($data);
- if($this->_page->getEnableStateHMAC())
+ if($this->_page->getEnableStateValidation())
{
- if(($data=$this->getApplication()->getSecurityManager()->validateData($data))!==null)
+ if(($data=$this->getApplication()->getSecurityManager()->validateData($data))!==false)
return Prado::unserialize($data);
}
else