diff options
| author | Andrew Dolgov <[email protected]> | 2020-09-17 08:59:18 +0300 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2020-09-17 08:59:18 +0300 |
| commit | a817d3794d920f4f9280820beea746ab072830cd (patch) | |
| tree | 67755df7626389cd5ad3c3dc96cb104cc738db54 /include | |
| parent | 0757ad04066019ec670ef97c07462ef02331cf45 (diff) | |
* use get_random_bytes() for CSRF token
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
Diffstat (limited to 'include')
| -rw-r--r-- | include/functions.php | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/include/functions.php b/include/functions.php index 9989d7ecf..4209cf6fa 100644 --- a/include/functions.php +++ b/include/functions.php @@ -581,7 +581,7 @@ $_SESSION["name"] = $row["login"]; $_SESSION["access_level"] = $row["access_level"]; - $_SESSION["csrf_token"] = uniqid_short(); + $_SESSION["csrf_token"] = bin2hex(get_random_bytes(16)); $usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?"); $usth->execute([$user_id]); @@ -608,9 +608,8 @@ $_SESSION["auth_module"] = false; - if (!$_SESSION["csrf_token"]) { - $_SESSION["csrf_token"] = uniqid_short(); - } + if (!$_SESSION["csrf_token"]) + $_SESSION["csrf_token"] = bin2hex(get_random_bytes(16)); $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"]; @@ -680,7 +679,7 @@ } function validate_csrf($csrf_token) { - return $csrf_token === $_SESSION['csrf_token']; + return hash_equals($csrf_token, $_SESSION['csrf_token']); } function load_user_plugins($owner_uid, $pluginhost = false) { @@ -1669,7 +1668,9 @@ } function get_random_bytes($length) { - if (function_exists('openssl_random_pseudo_bytes')) { + if (function_exists('random_bytes')) { + return random_bytes($length); + } else if (function_exists('openssl_random_pseudo_bytes')) { return openssl_random_pseudo_bytes($length); } else { $output = ""; |