csrf, switch from token per request to token per session. solves issues when using multiple tabs.

f20640d0 · Ad Schellevis · 895e30d1 · f20640d0 · f20640d0
Commit f20640d0 authored Feb 02, 2017 by Ad Schellevis
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 19 deletions

ControllerBase.php ...ense/mvc/app/controllers/OPNsense/Base/ControllerBase.php +4 -5

csrf.inc src/www/csrf.inc +11 -14

No files found.
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@@ -177,7 +177,7 @@ class ControllerBase extends ControllerRoot
            }

            // check for valid csrf on post requests
-            if ($this->request->isPost() && !$this->security->checkToken()) {
+            if ($this->request->isPost() && !$this->security->checkToken(null, null, false)) {
                // post without csrf, exit.
                $this->response->setStatusCode(403, "Forbidden");
                return false;
@@ -195,10 +195,9 @@ class ControllerBase extends ControllerRoot
        }

        // include csrf for volt view rendering.
-        $this->view->setVars([
-            'csrf_tokenKey' => $this->security->getTokenKey(),
-            'csrf_token' => $this->security->getToken()
-        ]);
+        $csrf_token = $this->session->get('$PHALCON/CSRF$');
+        $csrf_tokenKey = $this->session->get('$PHALCON/CSRF/KEY$');
+        $this->view->setVars(['csrf_tokenKey' => $csrf_tokenKey,'csrf_token' => $csrf_token]);

        // link menu system to view, append /ui in uri because of rewrite
        $menu = new Menu\MenuSystem();

--- a/src/www/csrf.inc
+++ b/src/www/csrf.inc
@@ -28,8 +28,6 @@

 class LegacyCSRF
 {
-    private $securityToken = null;
-    private $securityTokenKey = null;
    private $di = null;
    private $security = null;
    private $session = null;
@@ -58,16 +56,13 @@ class LegacyCSRF
    {
        $result = false; // default, not valid
        $this->Session();
-        // do not destroy token after successfull validation, some pages use ajax type requests
-        $this->securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
-        $this->securityToken = !empty($_POST[$this->securityTokenKey]) ? $_POST[$this->securityTokenKey] : "";
-        if (empty($this->securityToken)) {
+        $securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
+        if (empty($_POST[$securityTokenKey])) {
            if (!empty($_SERVER['HTTP_X_CSRFTOKEN'])) {
-                $this->securityToken = $_SERVER['HTTP_X_CSRFTOKEN'];
-                $result = $this->security->checkToken(null, $this->securityToken, false);
+                $result = $this->security->checkToken(null, $_SERVER['HTTP_X_CSRFTOKEN'], false);
            }
        } else {
-            $result = $this->security->checkToken($this->securityTokenKey, $this->securityToken, false);
+            $result = $this->security->checkToken($securityTokenKey, $_POST[$securityTokenKey], false);
        }
        // close session after validation
        session_write_close();
@@ -77,12 +72,14 @@ class LegacyCSRF
    private function newToken()
    {
        $this->Session();
-        // only request new token when checkToken() hasn't saved one
-        if ($this->securityToken == null) {
-            $this->securityToken = $this->security->getToken();
-            $this->securityTokenKey = $this->security->getTokenKey();
+        // only request new token when session has none
+        $securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
+        $securityToken = $_SESSION['$PHALCON/CSRF$'];
+        if (empty($securityToken) || empty($securityTokenKey)) {
+            $securityToken = $this->security->getToken();
+            $securityTokenKey = $this->security->getTokenKey();
        }
-        return array('token'=>$this->securityToken, 'key' => $this->securityTokenKey);
+        return array('token'=>$securityToken, 'key' => $securityTokenKey);
    }

    public function csrfRewriteHandler($buffer)