From 4b8a9a5189a625bf99fedec7fd31f6e146410a14 Mon Sep 17 00:00:00 2001 From: emkael Date: Thu, 26 Apr 2018 01:00:12 +0200 Subject: Update FB API library --- .../src/Facebook/Helpers/FacebookCanvasHelper.php | 2 +- .../Facebook/Helpers/FacebookJavaScriptHelper.php | 2 +- .../src/Facebook/Helpers/FacebookPageTabHelper.php | 2 +- .../Helpers/FacebookRedirectLoginHelper.php | 81 ++++++++-------------- .../FacebookSignedRequestFromInputHelper.php | 2 +- 5 files changed, 31 insertions(+), 58 deletions(-) (limited to 'lib/facebook-graph-sdk/src/Facebook/Helpers') diff --git a/lib/facebook-graph-sdk/src/Facebook/Helpers/FacebookCanvasHelper.php b/lib/facebook-graph-sdk/src/Facebook/Helpers/FacebookCanvasHelper.php index 8068526..7f3466f 100644 --- a/lib/facebook-graph-sdk/src/Facebook/Helpers/FacebookCanvasHelper.php +++ b/lib/facebook-graph-sdk/src/Facebook/Helpers/FacebookCanvasHelper.php @@ -1,6 +1,6 @@ oAuth2Client = $oAuth2Client; $this->persistentDataHandler = $persistentDataHandler ?: new FacebookSessionPersistentDataHandler(); $this->urlDetectionHandler = $urlHandler ?: new FacebookUrlDetectionHandler(); - $this->pseudoRandomStringGenerator = $prsg ?: $this->detectPseudoRandomStringGenerator(); + $this->pseudoRandomStringGenerator = PseudoRandomStringGeneratorFactory::createPseudoRandomStringGenerator($prsg); } /** 
@@ -112,32 +110,6 @@ class FacebookRedirectLoginHelper return $this->pseudoRandomStringGenerator; } - /** - * Detects which pseudo-random string generator to use. - * - * @return PseudoRandomStringGeneratorInterface - * - * @throws FacebookSDKException - */ - public function detectPseudoRandomStringGenerator() - { - // Since openssl_random_pseudo_bytes() can sometimes return non-cryptographically - // secure pseudo-random strings (in rare cases), we check for mcrypt_create_iv() first. - if (function_exists('mcrypt_create_iv')) { - return new McryptPseudoRandomStringGenerator(); - } - - if (function_exists('openssl_random_pseudo_bytes')) { - return new OpenSslPseudoRandomStringGenerator(); - } - - if (!ini_get('open_basedir') && is_readable('/dev/urandom')) { - return new UrandomPseudoRandomStringGenerator(); - } - - throw new FacebookSDKException('Unable to detect a cryptographically secure pseudo-random string generator.'); - } - /** * Stores CSRF state and returns a URL to which the user should be sent to in order to continue the login process with Facebook. * @@ -150,7 +122,7 @@ class FacebookRedirectLoginHelper */ private function makeUrl($redirectUrl, array $scope, array $params = [], $separator = '&') { - $state = $this->pseudoRandomStringGenerator->getPseudoRandomString(static::CSRF_LENGTH); + $state = $this->persistentDataHandler->get('state') ?: $this->pseudoRandomStringGenerator->getPseudoRandomString(static::CSRF_LENGTH); $this->persistentDataHandler->set('state', $state); return $this->oAuth2Client->getAuthorizationUrl($redirectUrl, $state, $scope, $params, $separator); 
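Review bot: The new `$this->persistentDataHandler->get('state') ?: ...` in makeUrl() changes the state from a per-URL value to a per-session one, and nothing in this method bounds how long the stored value is reused; from the other hunks it appears to be cleared only after a successful validateCsrf(), so a state that was generated but never presented keeps being handed out to later login URLs. That is a reasonable trade-off for pages that build several login URLs, but it deserves a comment so the next maintainer does not "fix" it back, e.g. `// Reuse the session's pending state so every login URL built in one session carries the same CSRF token; it is only discarded once getAccessToken() validates it.` Note that `?:` also treats a stored empty string as "absent" and regenerates, which is the intended behaviour here. makeUrl()'s closing brace lies outside the hunk.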
@@ -247,10 +219,11 @@ class FacebookRedirectLoginHelper } $this->validateCsrf(); + $this->resetCsrf(); $redirectUrl = $redirectUrl ?: $this->urlDetectionHandler->getCurrentUrl(); - // At minimum we need to remove the state param - $redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['state']); + // At minimum we need to remove the 'state' and 'code' params + $redirectUrl = FacebookUrlManipulator::removeParamsFromUrl($redirectUrl, ['code', 'state']); return $this->oAuth2Client->getAccessTokenFromCode($code, $redirectUrl); } 
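Review bot: `$this->resetCsrf()` runs only when validateCsrf() returns normally, so a request carrying a wrong or missing `state` leaves the stored value untouched and makeUrl() will keep reusing it; the stored token is therefore never rotated after a failed presentation. Consuming the state on first presentation regardless of outcome is the usual single-use semantics and avoids retrying later requests against the same stored value: `try { $this->validateCsrf(); } finally { $this->resetCsrf(); }`. Whether that is acceptable depends on whether a second tab with a pending login should survive a bogus callback, so treat it as a policy choice to document either way. The method's signature and the `$code` retrieval are outside the hunk.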
@@ -263,27 +236,27 @@ class FacebookRedirectLoginHelper protected function validateCsrf() { $state = $this->getState(); + if (!$state) { + throw new FacebookSDKException('Cross-site request forgery validation failed. Required GET param "state" missing.'); + } $savedState = $this->persistentDataHandler->get('state'); - - if (!$state || !$savedState) { - throw new FacebookSDKException('Cross-site request forgery validation failed. Required param "state" missing.'); + if (!$savedState) { + throw new FacebookSDKException('Cross-site request forgery validation failed. Required param "state" missing from persistent data.'); } - $savedLen = strlen($savedState); - $givenLen = strlen($state); - - if ($savedLen !== $givenLen) { - throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.'); + if (\hash_equals($savedState, $state)) { + return; } - $result = 0; - for ($i = 0; $i < $savedLen; $i++) { - $result |= ord($state[$i]) ^ ord($savedState[$i]); - } + throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.'); + } - if ($result !== 0) { - throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.'); - } + /** + * Resets the CSRF so that it doesn't get reused. + */ + private function resetCsrf() + { + $this->persistentDataHandler->set('state', null); } /** diff --git a/lib/facebook-graph-sdk/src/Facebook/Helpers/FacebookSignedRequestFromInputHelper.php b/lib/facebook-graph-sdk/src/Facebook/Helpers/FacebookSignedRequestFromInputHelper.php index aafa246..4044da1 100644 --- a/lib/facebook-graph-sdk/src/Facebook/Helpers/FacebookSignedRequestFromInputHelper.php +++ b/lib/facebook-graph-sdk/src/Facebook/Helpers/FacebookSignedRequestFromInputHelper.php @@ -1,6 +1,6 @@
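Review bot: `\hash_equals($savedState, $state)` requires two strings, but `$state` comes from getState(), whose source is outside this hunk; if it is read straight from the query string, a request such as `?state[]=x` yields an array and hash_equals() then emits a warning and returns false (PHP 7) or throws a TypeError (PHP 8) instead of the SDK's own FacebookSDKException. Tightening the first guard to `if (!is_string($state) || $state === '') {` keeps every failure on the documented exception path and also drops the truthiness check that would reject a literal "0". resetCsrf() stores `null` rather than deleting the key, which the `!$savedState` guard already treats as missing, so that part is consistent.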