215 lines
7.1 KiB
PHP
215 lines
7.1 KiB
PHP
<?php
|
|
/**
|
|
* Copyright © 2010
|
|
* http://www.mediawiki.org/
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
* http://www.gnu.org/copyleft/gpl.html
|
|
*
|
|
* @file
|
|
*/
|
|
|
|
/**
|
|
* CSRF attacks (where a malicious website uses frames, <img> tags, or
|
|
* similar, to prompt a wiki user to open a wiki page or submit a form,
|
|
* without being aware of doing so) are most easily countered by using
|
|
* tokens. For normal browsing, loading the form for a protected action
|
|
* sets two copies of a random string: one in the $_SESSION, and one as
|
|
* a hidden field in the form. When the form is submitted, it checks
|
|
* that a) the set of cookies submitted with the form *has* a copy of
|
|
* the session cookie, and b) that it matches. Since malicious websites
|
|
* don't have control over the session cookies, they can't craft a form
|
|
* that can be instantly submitted which will have the appropriate tokens.
|
|
*
|
|
* Note that these tokens are distinct from those in User::setToken(), which
|
|
* are used for persistent session authentication and are retained for as
|
|
* long as the user is logged in to the wiki. These tokens are to protect
|
|
* one individual action, and should ideally be cleared once the action is over.
|
|
*/
|
|
class Token {
|
|
|
|
/*
|
|
* Some punctuation to prevent editing from broken
|
|
* text-mangling proxies.
|
|
*/
|
|
const TOKEN_SUFFIX = '+\\';
|
|
|
|
/**
|
|
* Different tokens for different types of action.
|
|
*
|
|
* We don't store tokens for some actions for anons
|
|
* so they can still do things when they have cookies disabled.
|
|
* So either use this for actions which anons can't access, or
|
|
* where you don't mind an attacker being able to trigger the action
|
|
* anonymously from the user's IP. However, the token is still
|
|
* useful because it fails with some broken proxies.
|
|
*/
|
|
const ANONYMOUS = 'Edit';
|
|
|
|
/**
|
|
* For actions requiring a medium level of protection, or where the
|
|
* user will be making repeated actions: this token should not be
|
|
* cleared once the action is completed. For instance, a user might
|
|
* revert mass vandalism from a user by loading their contribs and
|
|
* ctrl+clicking each rollback link. If we cleared the Token from
|
|
* session after each rollback, they'd have to reload the contribs
|
|
* page each time, which would be annoying.
|
|
*/
|
|
const PERSISTENT = 'Action';
|
|
|
|
/**
|
|
* For actions requiring a high level of protection, and where the user
|
|
* will not be performing multiple sequential actions without reloading
|
|
* the form or link. Eg login, block/protect/delete, userrights, etc.
|
|
* Callers should clear these tokens upon completion of the action, and
|
|
* other callers should expect that they will be cleared.
|
|
*/
|
|
const UNIQUE = 'Unique';
|
|
|
|
/**
|
|
* String the action which is being protected by the token
|
|
* ('edit', 'login', 'rollback', etc)
|
|
*/
|
|
protected $type = self::ANONYMOUS;
|
|
|
|
/**
|
|
* An instance-specific salt. So if you want to generate a hundred rollback
|
|
* tokens for the watchlist, pass a $salt which is unique
|
|
* to each revision. Only one token is stored in the session, but it is munged
|
|
* with a different salt for each revision, so the required value in the HTML
|
|
* is different for each case.
|
|
*/
|
|
protected $salt = '';
|
|
|
|
protected $request;
|
|
|
|
/**
|
|
* Constructor
|
|
* @param $salt String an instance-specific salt. @see Token::$salt
|
|
* @param $type Token class constant identifier
|
|
* @param $request WebRequest most of the time you'll want to get/store
|
|
* the tokens in $wgRequest, which is the default.
|
|
*/
|
|
public function __construct( $salt, $type = self::PERSISTENT, WebRequest $request = null ){
|
|
global $wgRequest;
|
|
$this->type = $type;
|
|
|
|
if( is_array( $this->salt ) ) {
|
|
$this->salt = implode( '|', $this->salt );
|
|
} else {
|
|
$this->salt = strval( $salt );
|
|
}
|
|
|
|
$this->request = $request instanceof WebRequest
|
|
? $request
|
|
: $wgRequest;
|
|
}
|
|
|
|
/**
|
|
* Ensure that a token is set in cookies, by setting a new one
|
|
* if necessary.
|
|
* @param $purge Bool whether to overwrite an existing token in
|
|
* session if there is one. This is more secure, but will
|
|
* only allow one Token of a particular $action to be used on
|
|
* the page (which may itself be a good thing).
|
|
* @return String The version of the token which should be included
|
|
* in the HTML form/link.
|
|
*/
|
|
public function set( $purge = false ) {
|
|
global $wgUser;
|
|
if ( $this->type == self::ANONYMOUS && $wgUser->isAnon() ) {
|
|
return self::TOKEN_SUFFIX;
|
|
}
|
|
|
|
if( $purge || $this->get() === null ){
|
|
$token = self::generate();
|
|
if( session_id() == '' ) {
|
|
wfSetupSession();
|
|
}
|
|
$this->store( $token );
|
|
} else {
|
|
$token = $this->get();
|
|
}
|
|
|
|
return md5( $token . $this->salt ) . self::TOKEN_SUFFIX;
|
|
}
|
|
|
|
/**
|
|
* Check whether the copy of the token submitted with a form
|
|
* matches the version stored in session
|
|
* @param $val String version submitted with the form.
|
|
* @return Mixed null if no session token was set, Bool false if there
|
|
* was a token but it didn't match, Bool true if it matched correctly
|
|
*/
|
|
public function match( $val ){
|
|
global $wgUser;
|
|
if( $this->type == self::ANONYMOUS && $wgUser->isAnon() ){
|
|
return $val === self::TOKEN_SUFFIX;
|
|
}
|
|
|
|
if( $this->get() === null ){
|
|
return null;
|
|
}
|
|
|
|
return md5( $this->get() . $this->salt ) . self::TOKEN_SUFFIX === $val;
|
|
}
|
|
|
|
/**
|
|
* Delete the token after use, so it can't be used again. This will
|
|
* invalidate all tokens for this Token's action type.
|
|
*/
|
|
public function clear(){
|
|
$this->store( null );
|
|
}
|
|
|
|
/**
|
|
* Prepare a new Token for a given action, set it in session, and
|
|
* return the value we need to pass in the HTML
|
|
* @param $salt String
|
|
* @param $type Token class constant identifier
|
|
* @return String token string to store in HTML
|
|
*/
|
|
public static function prepare( $salt, $type = self::PERSISTENT ){
|
|
$t = new Token( $salt, $type );
|
|
return $t->set( false );
|
|
}
|
|
|
|
/**
|
|
* Generate a random token
|
|
* @param $salt String Optional salt value
|
|
* @return String 32-char random token
|
|
*/
|
|
protected static function generate( $salt = '' ) {
|
|
$rand = dechex( mt_rand() ) . dechex( mt_rand() );
|
|
return md5( $rand . $salt );
|
|
}
|
|
|
|
/**
|
|
* Set the given token for the given action in the session
|
|
* @param $token String
|
|
* @param $action String
|
|
*/
|
|
protected function store( $token ){
|
|
$this->request->setSessionData( "ws{$this->type}Token", $token );
|
|
}
|
|
|
|
/**
|
|
* Get the token set for a given action
|
|
* @return String or null if no token was stored in the session
|
|
*/
|
|
protected function get(){
|
|
return $this->request->getSessionData( "ws{$this->type}Token" );
|
|
}
|
|
}
|