diff options
| author | Andrew Dolgov <[email protected]> | 2020-09-17 08:59:18 +0300 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2020-09-17 08:59:18 +0300 |
| commit | a817d3794d920f4f9280820beea746ab072830cd (patch) | |
| tree | 67755df7626389cd5ad3c3dc96cb104cc738db54 | |
| parent | 0757ad04066019ec670ef97c07462ef02331cf45 (diff) | |
* use get_random_bytes() for CSRF token
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
| -rw-r--r-- | include/functions.php | 13 | ||||
| -rw-r--r-- | plugins/af_proxy_http/init.php | 4 |
2 files changed, 9 insertions, 8 deletions
diff --git a/include/functions.php b/include/functions.php index 9989d7ecf..4209cf6fa 100644 --- a/include/functions.php +++ b/include/functions.php @@ -581,7 +581,7 @@ $_SESSION["name"] = $row["login"]; $_SESSION["access_level"] = $row["access_level"]; - $_SESSION["csrf_token"] = uniqid_short(); + $_SESSION["csrf_token"] = bin2hex(get_random_bytes(16)); $usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?"); $usth->execute([$user_id]); @@ -608,9 +608,8 @@ $_SESSION["auth_module"] = false; - if (!$_SESSION["csrf_token"]) { - $_SESSION["csrf_token"] = uniqid_short(); - } + if (!$_SESSION["csrf_token"]) + $_SESSION["csrf_token"] = bin2hex(get_random_bytes(16)); $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"]; @@ -680,7 +679,7 @@ } function validate_csrf($csrf_token) { - return $csrf_token === $_SESSION['csrf_token']; + return hash_equals($csrf_token, $_SESSION['csrf_token']); } function load_user_plugins($owner_uid, $pluginhost = false) { @@ -1669,7 +1668,9 @@ } function get_random_bytes($length) { - if (function_exists('openssl_random_pseudo_bytes')) { + if (function_exists('random_bytes')) { + return random_bytes($length); + } else if (function_exists('openssl_random_pseudo_bytes')) { return openssl_random_pseudo_bytes($length); } else { $output = ""; diff --git a/plugins/af_proxy_http/init.php b/plugins/af_proxy_http/init.php index 0a8e88677..7cb9355f3 100644 --- a/plugins/af_proxy_http/init.php +++ b/plugins/af_proxy_http/init.php @@ -30,7 +30,7 @@ class Af_Proxy_Http extends Plugin { $host->add_hook($host::HOOK_PREFS_TAB, $this); if (!$_SESSION['af_proxy_http_token']) - $_SESSION['af_proxy_http_token'] = uniqid_short(); + $_SESSION['af_proxy_http_token'] = bin2hex(get_random_bytes(16)); } function hook_enclosure_entry($enc) { @@ -202,7 +202,7 @@ class Af_Proxy_Http extends Plugin { function hook_prefs_tab($args) { if ($args != "prefFeeds") return; - print "<div dojoType=\"dijit.layout.AccordionPane\" + print "<div dojoType=\"dijit.layout.AccordionPane\" title=\"<i class='material-icons'>extension</i> ".__('Image proxy settings (af_proxy_http)')."\">"; print "<form dojoType=\"dijit.form.Form\">"; |