From 42126e88ba1e3508e2c5a36e49c23bfaf4a4262c Mon Sep 17 00:00:00 2001
From: xue <>
Date: Sun, 12 Feb 2006 01:44:52 +0000
Subject: Implemented cookie HMAC check.

---
 framework/Security/TSecurityManager.php | 6 ++---
 framework/Web/THttpRequest.php | 39 +++++++++++++++++++++++++++++---
 framework/Web/THttpResponse.php | 12 ++++++++--
 framework/Web/UI/TPage.php | 10 ++++----
 framework/Web/UI/TPageStatePersister.php | 8 +++---
 5 files changed, 58 insertions(+), 17 deletions(-)
(limited to 'framework')

diff --git a/framework/Security/TSecurityManager.php b/framework/Security/TSecurityManager.php
index bc77c1b6..46ad4575 100644
--- a/framework/Security/TSecurityManager.php
+++ b/framework/Security/TSecurityManager.php
@@ -204,7 +204,7 @@ class TSecurityManager extends TModule
 * Validates if data is tampered.
 * @param string data to be validated. The data must be previously
 * generated using {@link hashData()}.
- * @return string the real data with HMAC stripped off. Null if the data
+ * @return string the real data with HMAC stripped off. False if the data
 * is tampered.
 */
 public function validateData($data)
@@ -214,10 +214,10 @@ class TSecurityManager extends TModule
 {
 $hmac=substr($data,0,$len);
 $data2=substr($data,$len);
- return $hmac===$this->computeHMAC($data2)?$data2:null;
+ return $hmac===$this->computeHMAC($data2)?$data2:false;
 }
 else
- return null;
+ return false;
 }
 
 /**
diff --git a/framework/Web/THttpRequest.php b/framework/Web/THttpRequest.php
index 12d1ccd6..26e57e5b 100644
--- a/framework/Web/THttpRequest.php
+++ b/framework/Web/THttpRequest.php
@@ -83,7 +83,7 @@ class THttpRequest extends TMap implements IModule
 private $_urlFormat='Get';
 private $_services;
 private $_requestResolved=false;
-
+ private $_enableCookieValidation=true;
 /**
 * @var string request URL
 */
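Review bot: The docblock in the first hunk still declares `@return string` while validateData() now returns false on failure, so the declared type no longer matches the `!==false` checks callers are expected to write; `* @return string|false the real data with HMAC stripped off. False if the data` keeps the tag accurate. In the second hunk the tag check `$hmac===$this->computeHMAC($data2)` is an ordinary string comparison whose duration depends on the first differing byte; on a PHP that provides `hash_equals()` it should read `return hash_equals($this->computeHMAC($data2),$hmac)?$data2:false;`, and on older runtimes a comparison that always walks the full tag length. The opening lines of validateData(), where `$len` is computed, are outside the hunk.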
@@ -356,6 +356,22 @@ class THttpRequest extends TMap implements IModule
 return Prado::getUserLanguages();
 }
 
+ /**
+ * @return boolean whether cookies should be validated. Defaults to true.
+ */
+ public function getEnableCookieValidation()
+ {
+ return $this->_enableCookieValidation;
+ }
+
+ /**
+ * @param boolean whether cookies should be validated.
+ */
+ public function setEnableCookieValidation($value)
+ {
+ $this->_enableCookieValidation=TPropertyValue::ensureBoolean($value);
+ }
+
 /**
 * @return THttpCookieCollection list of cookies to be sent
 */
@@ -364,8 +380,25 @@ class THttpRequest extends TMap implements IModule
 if($this->_cookies===null)
 {
 $this->_cookies=new THttpCookieCollection;
- foreach($_COOKIE as $key=>$value)
- $this->_cookies->add(new THttpCookie($key,$value));
+ if($this->getEnableCookieValidation())
+ {
+ $sig=$this->getUserHostAddress().$this->getUserAgent();
+ $sm=$this->getApplication()->getSecurityManager();
+ foreach($_COOKIE as $key=>$value)
+ {
+ if(($value=$sm->validateData($value))!==false)
+ {
+ $v=unserialize($value);
+ if(isset($v[0]) && isset($v[1]) && $v[0]===$sig)
+ $this->_cookies->add(new THttpCookie($key,$v[1]));
+ }
+ }
+ }
+ else
+ {
+ foreach($_COOKIE as $key=>$value)
+ $this->_cookies->add(new THttpCookie($key,$value));
+ }
 }
 return $this->_cookies;
 }
diff --git a/framework/Web/THttpResponse.php b/framework/Web/THttpResponse.php
index a8c3777a..5fed2167 100644
--- a/framework/Web/THttpResponse.php
+++ b/framework/Web/THttpResponse.php
@@ -66,7 +66,6 @@ class THttpResponse extends TModule implements ITextWriter
 * @var string content type
 */
 private $_contentType='text/html';
-
 /**
 * @var string character set, e.g. UTF-8
 */
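Review bot: setEnableCookieValidation() only assigns `$_enableCookieValidation`, while getCookies() in the following hunk caches the parsed collection in `$_cookies`, so a value set after the first getCookies() call does not affect cookies that were already read. The setter's docblock should say so, e.g. `* @param boolean whether cookies should be validated. Must be set before the cookies are first accessed; later changes do not affect the already parsed collection.`, or the setter should add `$this->_cookies=null;` so the next getCookies() re-parses under the new setting.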
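Review bot: A cookie that fails `$sm->validateData($value)` or whose `$v[0]` differs from `$sig` is dropped silently, so a tampered or stale cookie is indistinguishable from an absent one when diagnosing the application; a `Prado::trace("Dropping invalid cookie $key",'System.Web.THttpRequest');` on each failure path (the same facility TPageStatePersister::save() uses) would make validation failures observable. Two consequences belong in the getCookies() docblock, which lies outside this hunk: with validation enabled every `$_COOKIE` entry not produced by THttpResponse::addCookie() is discarded (presumably including cookies set by PHP itself, if the application reads them through this collection), and because `$sig` embeds the client address and user agent, a client whose address changes between requests loses its cookies. The `unserialize($value)` call runs only on data that already passed the HMAC check, which is the right order; a comment such as `// safe only because validateData() has already verified the HMAC over $value` would keep a later refactor from reordering it.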
@@ -350,7 +349,16 @@ class THttpResponse extends TModule implements ITextWriter
 */
 public function addCookie($cookie)
 {
- setcookie($cookie->getName(),$cookie->getValue(),$cookie->getExpire(),$cookie->getPath(),$cookie->getDomain(),$cookie->getSecure());
+ $request=$this->getRequest();
+ if($request->getEnableCookieValidation())
+ {
+ $sig=$request->getUserHostAddress().$request->getUserAgent();
+ $data=serialize(array($sig,$cookie->getValue()));
+ $value=$this->getApplication()->getSecurityManager()->hashData($data);
+ setcookie($cookie->getName(),$value,$cookie->getExpire(),$cookie->getPath(),$cookie->getDomain(),$cookie->getSecure());
+ }
+ else
+ setcookie($cookie->getName(),$cookie->getValue(),$cookie->getExpire(),$cookie->getPath(),$cookie->getDomain(),$cookie->getSecure());
 }
 
 /**
diff --git a/framework/Web/UI/TPage.php b/framework/Web/UI/TPage.php
index 78d9115e..7a7cbce4 100644
--- a/framework/Web/UI/TPage.php
+++ b/framework/Web/UI/TPage.php
@@ -131,7 +131,7 @@ class TPage extends TTemplateControl
 private $_statePersisterClass='System.Web.UI.TPageStatePersister';
 private $_statePersister=null;
 
- private $_enableStateHMAC=true;
+ private $_enableStateValidation=true;
 private $_enableStateEncryption=false;
 
 /**
@@ -826,14 +826,14 @@ class TPage extends TTemplateControl
 return $this->_statePersister;
 }
 
- public function getEnableStateHMAC()
+ public function getEnableStateValidation()
 {
- return $this->_enableStateHMAC;
+ return $this->_enableStateValidation;
 }
 
- public function setEnableStateHMAC($value)
+ public function setEnableStateValidation($value)
 {
- $this->_enableStateHMAC=TPropertyValue::ensureBoolean($value);
+ $this->_enableStateValidation=TPropertyValue::ensureBoolean($value);
 }
 
 public function getEnableStateEncryption()
diff --git a/framework/Web/UI/TPageStatePersister.php b/framework/Web/UI/TPageStatePersister.php
index 746d93c8..49321ff5 100644
--- a/framework/Web/UI/TPageStatePersister.php
+++ b/framework/Web/UI/TPageStatePersister.php
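Review bot: Both branches of addCookie() end in the same `setcookie(...)` call differing only in the value argument, so the validated and unvalidated paths are easy to let drift apart on a later edit; computing `$value` first and calling setcookie() once removes the duplication. The hashing branch also lacks a comment saying what the envelope is, which matters because THttpRequest::getCookies() has to unwrap exactly this layout; the rewrite below adds one. The docblock of addCookie() sits outside the hunk and should mention that with EnableCookieValidation on, the value stored in the browser is the HMAC-wrapped serialization rather than the raw value.
```php
public function addCookie($cookie)
{
	$value=$cookie->getValue();
	$request=$this->getRequest();
	if($request->getEnableCookieValidation())
	{
		// Envelope: hashData(serialize([client address . user agent, value]));
		// THttpRequest::getCookies() verifies the HMAC and the signature before unwrapping.
		$sig=$request->getUserHostAddress().$request->getUserAgent();
		$data=serialize(array($sig,$value));
		$value=$this->getApplication()->getSecurityManager()->hashData($data);
	}
	setcookie($cookie->getName(),$value,$cookie->getExpire(),$cookie->getPath(),$cookie->getDomain(),$cookie->getSecure());
}
```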
@@ -16,7 +16,7 @@
 * TPageStatePersister implements a page state persistent method based on
 * form hidden fields.
 *
- * Depending on the {@link TPage::getEnableStateHMAC() EnableStateHMAC}
+ * Depending on the {@link TPage::getEnableStateValidation() EnableStateValidation}
 * and {@link TPage::getEnableStateEncryption() EnableStateEncryption},
 * TPageStatePersister may do HMAC validation and encryption to prevent
 * the state data from being tampered or viewed.
@@ -55,7 +55,7 @@ class TPageStatePersister extends TComponent implements IPageStatePersister
 public function save($state)
 {
 Prado::trace("Saving state",'System.Web.UI.TPageStatePersister');
- if($this->_page->getEnableStateHMAC())
+ if($this->_page->getEnableStateValidation())
 $data=$this->getApplication()->getSecurityManager()->hashData(Prado::serialize($state));
 else
 $data=Prado::serialize($state);
@@ -85,9 +85,9 @@ class TPageStatePersister extends TComponent implements IPageStatePersister
 {
 if($this->_page->getEnableStateEncryption())
 $data=$this->getApplication()->getSecurityManager()->decrypt($data);
- if($this->_page->getEnableStateHMAC())
+ if($this->_page->getEnableStateValidation())
 {
- if(($data=$this->getApplication()->getSecurityManager()->validateData($data))!==null)
+ if(($data=$this->getApplication()->getSecurityManager()->validateData($data))!==false)
 return Prado::unserialize($data);
 }
 else
-- 
cgit v1.2.3