pictcode / lib / Cake / Controller / Component / SecurityComponent.php @ 48ae03cf
履歴 | 表示 | アノテート | ダウンロード (17.882 KB)
| 1 | 635eef61 | spyder1211 | <?php
|
|---|---|---|---|
| 2 | /**
|
||
| 3 | * Security Component
|
||
| 4 | *
|
||
| 5 | * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
|
||
| 6 | * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
||
| 7 | *
|
||
| 8 | * Licensed under The MIT License
|
||
| 9 | * For full copyright and license information, please see the LICENSE.txt
|
||
| 10 | * Redistributions of files must retain the above copyright notice.
|
||
| 11 | *
|
||
| 12 | * @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
||
| 13 | * @link http://cakephp.org CakePHP(tm) Project
|
||
| 14 | * @package Cake.Controller.Component
|
||
| 15 | * @since CakePHP(tm) v 0.10.8.2156
|
||
| 16 | * @license http://www.opensource.org/licenses/mit-license.php MIT License
|
||
| 17 | */
|
||
| 18 | |||
| 19 | App::uses('Component', 'Controller'); |
||
| 20 | App::uses('CakeText', 'Utility'); |
||
| 21 | App::uses('Hash', 'Utility'); |
||
| 22 | App::uses('Security', 'Utility'); |
||
| 23 | |||
| 24 | /**
|
||
| 25 | * The Security Component creates an easy way to integrate tighter security in
|
||
| 26 | * your application. It provides methods for various tasks like:
|
||
| 27 | *
|
||
| 28 | * - Restricting which HTTP methods your application accepts.
|
||
| 29 | * - CSRF protection.
|
||
| 30 | * - Form tampering protection
|
||
| 31 | * - Requiring that SSL be used.
|
||
| 32 | * - Limiting cross controller communication.
|
||
| 33 | *
|
||
| 34 | * @package Cake.Controller.Component
|
||
| 35 | * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html
|
||
| 36 | */
|
||
| 37 | class SecurityComponent extends Component { |
||
| 38 | |||
| 39 | /**
|
||
| 40 | * The controller method that will be called if this request is black-hole'd
|
||
| 41 | *
|
||
| 42 | * @var string
|
||
| 43 | */
|
||
| 44 | public $blackHoleCallback = null; |
||
| 45 | |||
| 46 | /**
|
||
| 47 | * List of controller actions for which a POST request is required
|
||
| 48 | *
|
||
| 49 | * @var array
|
||
| 50 | * @deprecated 3.0.0 Use CakeRequest::allowMethod() instead.
|
||
| 51 | * @see SecurityComponent::requirePost()
|
||
| 52 | */
|
||
| 53 | public $requirePost = array(); |
||
| 54 | |||
| 55 | /**
|
||
| 56 | * List of controller actions for which a GET request is required
|
||
| 57 | *
|
||
| 58 | * @var array
|
||
| 59 | * @deprecated 3.0.0 Use CakeRequest::allowMethod() instead.
|
||
| 60 | * @see SecurityComponent::requireGet()
|
||
| 61 | */
|
||
| 62 | public $requireGet = array(); |
||
| 63 | |||
| 64 | /**
|
||
| 65 | * List of controller actions for which a PUT request is required
|
||
| 66 | *
|
||
| 67 | * @var array
|
||
| 68 | * @deprecated 3.0.0 Use CakeRequest::allowMethod() instead.
|
||
| 69 | * @see SecurityComponent::requirePut()
|
||
| 70 | */
|
||
| 71 | public $requirePut = array(); |
||
| 72 | |||
| 73 | /**
|
||
| 74 | * List of controller actions for which a DELETE request is required
|
||
| 75 | *
|
||
| 76 | * @var array
|
||
| 77 | * @deprecated 3.0.0 Use CakeRequest::allowMethod() instead.
|
||
| 78 | * @see SecurityComponent::requireDelete()
|
||
| 79 | */
|
||
| 80 | public $requireDelete = array(); |
||
| 81 | |||
| 82 | /**
|
||
| 83 | * List of actions that require an SSL-secured connection
|
||
| 84 | *
|
||
| 85 | * @var array
|
||
| 86 | * @see SecurityComponent::requireSecure()
|
||
| 87 | */
|
||
| 88 | public $requireSecure = array(); |
||
| 89 | |||
| 90 | /**
|
||
| 91 | * List of actions that require a valid authentication key
|
||
| 92 | *
|
||
| 93 | * @var array
|
||
| 94 | * @see SecurityComponent::requireAuth()
|
||
| 95 | */
|
||
| 96 | public $requireAuth = array(); |
||
| 97 | |||
| 98 | /**
|
||
| 99 | * Controllers from which actions of the current controller are allowed to receive
|
||
| 100 | * requests.
|
||
| 101 | *
|
||
| 102 | * @var array
|
||
| 103 | * @see SecurityComponent::requireAuth()
|
||
| 104 | */
|
||
| 105 | public $allowedControllers = array(); |
||
| 106 | |||
| 107 | /**
|
||
| 108 | * Actions from which actions of the current controller are allowed to receive
|
||
| 109 | * requests.
|
||
| 110 | *
|
||
| 111 | * @var array
|
||
| 112 | * @see SecurityComponent::requireAuth()
|
||
| 113 | */
|
||
| 114 | public $allowedActions = array(); |
||
| 115 | |||
| 116 | /**
|
||
| 117 | * Deprecated property, superseded by unlockedFields.
|
||
| 118 | *
|
||
| 119 | * @var array
|
||
| 120 | * @deprecated 3.0.0 Superseded by unlockedFields.
|
||
| 121 | * @see SecurityComponent::$unlockedFields
|
||
| 122 | */
|
||
| 123 | public $disabledFields = array(); |
||
| 124 | |||
| 125 | /**
|
||
| 126 | * Form fields to exclude from POST validation. Fields can be unlocked
|
||
| 127 | * either in the Component, or with FormHelper::unlockField().
|
||
| 128 | * Fields that have been unlocked are not required to be part of the POST
|
||
| 129 | * and hidden unlocked fields do not have their values checked.
|
||
| 130 | *
|
||
| 131 | * @var array
|
||
| 132 | */
|
||
| 133 | public $unlockedFields = array(); |
||
| 134 | |||
| 135 | /**
|
||
| 136 | * Actions to exclude from CSRF and POST validation checks.
|
||
| 137 | * Other checks like requireAuth(), requireSecure(),
|
||
| 138 | * requirePost(), requireGet() etc. will still be applied.
|
||
| 139 | *
|
||
| 140 | * @var array
|
||
| 141 | */
|
||
| 142 | public $unlockedActions = array(); |
||
| 143 | |||
| 144 | /**
|
||
| 145 | * Whether to validate POST data. Set to false to disable for data coming from 3rd party
|
||
| 146 | * services, etc.
|
||
| 147 | *
|
||
| 148 | * @var bool
|
||
| 149 | */
|
||
| 150 | public $validatePost = true; |
||
| 151 | |||
| 152 | /**
|
||
| 153 | * Whether to use CSRF protected forms. Set to false to disable CSRF protection on forms.
|
||
| 154 | *
|
||
| 155 | * @var bool
|
||
| 156 | * @see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
|
||
| 157 | * @see SecurityComponent::$csrfExpires
|
||
| 158 | */
|
||
| 159 | public $csrfCheck = true; |
||
| 160 | |||
| 161 | /**
|
||
| 162 | * The duration from when a CSRF token is created that it will expire on.
|
||
| 163 | * Each form/page request will generate a new token that can only be submitted once unless
|
||
| 164 | * it expires. Can be any value compatible with strtotime()
|
||
| 165 | *
|
||
| 166 | * @var string
|
||
| 167 | */
|
||
| 168 | public $csrfExpires = '+30 minutes'; |
||
| 169 | |||
| 170 | /**
|
||
| 171 | * Controls whether or not CSRF tokens are use and burn. Set to false to not generate
|
||
| 172 | * new tokens on each request. One token will be reused until it expires. This reduces
|
||
| 173 | * the chances of users getting invalid requests because of token consumption.
|
||
| 174 | * It has the side effect of making CSRF less secure, as tokens are reusable.
|
||
| 175 | *
|
||
| 176 | * @var bool
|
||
| 177 | */
|
||
| 178 | public $csrfUseOnce = true; |
||
| 179 | |||
| 180 | /**
|
||
| 181 | * Control the number of tokens a user can keep open.
|
||
| 182 | * This is most useful with one-time use tokens. Since new tokens
|
||
| 183 | * are created on each request, having a hard limit on the number of open tokens
|
||
| 184 | * can be useful in controlling the size of the session file.
|
||
| 185 | *
|
||
| 186 | * When tokens are evicted, the oldest ones will be removed, as they are the most likely
|
||
| 187 | * to be dead/expired.
|
||
| 188 | *
|
||
| 189 | * @var int
|
||
| 190 | */
|
||
| 191 | public $csrfLimit = 100; |
||
| 192 | |||
| 193 | /**
|
||
| 194 | * Other components used by the Security component
|
||
| 195 | *
|
||
| 196 | * @var array
|
||
| 197 | */
|
||
| 198 | public $components = array('Session'); |
||
| 199 | |||
| 200 | /**
|
||
| 201 | * Holds the current action of the controller
|
||
| 202 | *
|
||
| 203 | * @var string
|
||
| 204 | */
|
||
| 205 | protected $_action = null; |
||
| 206 | |||
| 207 | /**
|
||
| 208 | * Request object
|
||
| 209 | *
|
||
| 210 | * @var CakeRequest
|
||
| 211 | */
|
||
| 212 | public $request; |
||
| 213 | |||
| 214 | /**
|
||
| 215 | * Component startup. All security checking happens here.
|
||
| 216 | *
|
||
| 217 | * @param Controller $controller Instantiating controller
|
||
| 218 | * @return void
|
||
| 219 | */
|
||
| 220 | public function startup(Controller $controller) { |
||
| 221 | $this->request = $controller->request; |
||
| 222 | $this->_action = $this->request->params['action']; |
||
| 223 | $this->_methodsRequired($controller); |
||
| 224 | $this->_secureRequired($controller); |
||
| 225 | $this->_authRequired($controller); |
||
| 226 | |||
| 227 | $hasData = !empty($this->request->data); |
||
| 228 | $isNotRequestAction = (
|
||
| 229 | !isset($controller->request->params['requested']) || |
||
| 230 | $controller->request->params['requested'] != 1 |
||
| 231 | ); |
||
| 232 | |||
| 233 | if ($this->_action === $this->blackHoleCallback) { |
||
| 234 | return $this->blackHole($controller, 'auth'); |
||
| 235 | } |
||
| 236 | |||
| 237 | if (!in_array($this->_action, (array)$this->unlockedActions) && $hasData && $isNotRequestAction) { |
||
| 238 | if ($this->validatePost && $this->_validatePost($controller) === false) { |
||
| 239 | return $this->blackHole($controller, 'auth'); |
||
| 240 | } |
||
| 241 | if ($this->csrfCheck && $this->_validateCsrf($controller) === false) { |
||
| 242 | return $this->blackHole($controller, 'csrf'); |
||
| 243 | } |
||
| 244 | } |
||
| 245 | $this->generateToken($controller->request); |
||
| 246 | if ($hasData && is_array($controller->request->data)) { |
||
| 247 | unset($controller->request->data['_Token']); |
||
| 248 | } |
||
| 249 | } |
||
| 250 | |||
| 251 | /**
|
||
| 252 | * Sets the actions that require a POST request, or empty for all actions
|
||
| 253 | *
|
||
| 254 | * @return void
|
||
| 255 | * @deprecated 3.0.0 Use CakeRequest::onlyAllow() instead.
|
||
| 256 | * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::requirePost
|
||
| 257 | */
|
||
| 258 | public function requirePost() { |
||
| 259 | $args = func_get_args(); |
||
| 260 | $this->_requireMethod('Post', $args); |
||
| 261 | } |
||
| 262 | |||
| 263 | /**
|
||
| 264 | * Sets the actions that require a GET request, or empty for all actions
|
||
| 265 | *
|
||
| 266 | * @deprecated 3.0.0 Use CakeRequest::onlyAllow() instead.
|
||
| 267 | * @return void
|
||
| 268 | */
|
||
| 269 | public function requireGet() { |
||
| 270 | $args = func_get_args(); |
||
| 271 | $this->_requireMethod('Get', $args); |
||
| 272 | } |
||
| 273 | |||
| 274 | /**
|
||
| 275 | * Sets the actions that require a PUT request, or empty for all actions
|
||
| 276 | *
|
||
| 277 | * @deprecated 3.0.0 Use CakeRequest::onlyAllow() instead.
|
||
| 278 | * @return void
|
||
| 279 | */
|
||
| 280 | public function requirePut() { |
||
| 281 | $args = func_get_args(); |
||
| 282 | $this->_requireMethod('Put', $args); |
||
| 283 | } |
||
| 284 | |||
| 285 | /**
|
||
| 286 | * Sets the actions that require a DELETE request, or empty for all actions
|
||
| 287 | *
|
||
| 288 | * @deprecated 3.0.0 Use CakeRequest::onlyAllow() instead.
|
||
| 289 | * @return void
|
||
| 290 | */
|
||
| 291 | public function requireDelete() { |
||
| 292 | $args = func_get_args(); |
||
| 293 | $this->_requireMethod('Delete', $args); |
||
| 294 | } |
||
| 295 | |||
| 296 | /**
|
||
| 297 | * Sets the actions that require a request that is SSL-secured, or empty for all actions
|
||
| 298 | *
|
||
| 299 | * @return void
|
||
| 300 | * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::requireSecure
|
||
| 301 | */
|
||
| 302 | public function requireSecure() { |
||
| 303 | $args = func_get_args(); |
||
| 304 | $this->_requireMethod('Secure', $args); |
||
| 305 | } |
||
| 306 | |||
| 307 | /**
|
||
| 308 | * Sets the actions that require whitelisted form submissions.
|
||
| 309 | *
|
||
| 310 | * Adding actions with this method will enforce the restrictions
|
||
| 311 | * set in SecurityComponent::$allowedControllers and
|
||
| 312 | * SecurityComponent::$allowedActions.
|
||
| 313 | *
|
||
| 314 | * @return void
|
||
| 315 | * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::requireAuth
|
||
| 316 | */
|
||
| 317 | public function requireAuth() { |
||
| 318 | $args = func_get_args(); |
||
| 319 | $this->_requireMethod('Auth', $args); |
||
| 320 | } |
||
| 321 | |||
| 322 | /**
|
||
| 323 | * Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback
|
||
| 324 | * is specified, it will use this callback by executing the method indicated in $error
|
||
| 325 | *
|
||
| 326 | * @param Controller $controller Instantiating controller
|
||
| 327 | * @param string $error Error method
|
||
| 328 | * @return mixed If specified, controller blackHoleCallback's response, or no return otherwise
|
||
| 329 | * @see SecurityComponent::$blackHoleCallback
|
||
| 330 | * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#handling-blackhole-callbacks
|
||
| 331 | * @throws BadRequestException
|
||
| 332 | */
|
||
| 333 | public function blackHole(Controller $controller, $error = '') { |
||
| 334 | if (!$this->blackHoleCallback) { |
||
| 335 | throw new BadRequestException(__d('cake_dev', 'The request has been black-holed')); |
||
| 336 | } |
||
| 337 | return $this->_callback($controller, $this->blackHoleCallback, array($error)); |
||
| 338 | } |
||
| 339 | |||
| 340 | /**
|
||
| 341 | * Sets the actions that require a $method HTTP request, or empty for all actions
|
||
| 342 | *
|
||
| 343 | * @param string $method The HTTP method to assign controller actions to
|
||
| 344 | * @param array $actions Controller actions to set the required HTTP method to.
|
||
| 345 | * @return void
|
||
| 346 | */
|
||
| 347 | protected function _requireMethod($method, $actions = array()) { |
||
| 348 | if (isset($actions[0]) && is_array($actions[0])) { |
||
| 349 | $actions = $actions[0]; |
||
| 350 | } |
||
| 351 | $this->{'require' . $method} = (empty($actions)) ? array('*') : $actions; |
||
| 352 | } |
||
| 353 | |||
| 354 | /**
|
||
| 355 | * Check if HTTP methods are required
|
||
| 356 | *
|
||
| 357 | * @param Controller $controller Instantiating controller
|
||
| 358 | * @return bool True if $method is required
|
||
| 359 | */
|
||
| 360 | protected function _methodsRequired(Controller $controller) { |
||
| 361 | foreach (array('Post', 'Get', 'Put', 'Delete') as $method) { |
||
| 362 | $property = 'require' . $method; |
||
| 363 | if (is_array($this->$property) && !empty($this->$property)) { |
||
| 364 | $require = $this->$property; |
||
| 365 | if (in_array($this->_action, $require) || $this->$property === array('*')) { |
||
| 366 | if (!$this->request->is($method)) { |
||
| 367 | if (!$this->blackHole($controller, $method)) { |
||
| 368 | return false; |
||
| 369 | } |
||
| 370 | } |
||
| 371 | } |
||
| 372 | } |
||
| 373 | } |
||
| 374 | return true; |
||
| 375 | } |
||
| 376 | |||
| 377 | /**
|
||
| 378 | * Check if access requires secure connection
|
||
| 379 | *
|
||
| 380 | * @param Controller $controller Instantiating controller
|
||
| 381 | * @return bool True if secure connection required
|
||
| 382 | */
|
||
| 383 | protected function _secureRequired(Controller $controller) { |
||
| 384 | if (is_array($this->requireSecure) && !empty($this->requireSecure)) { |
||
| 385 | $requireSecure = $this->requireSecure; |
||
| 386 | |||
| 387 | if (in_array($this->_action, $requireSecure) || $this->requireSecure === array('*')) { |
||
| 388 | if (!$this->request->is('ssl')) { |
||
| 389 | if (!$this->blackHole($controller, 'secure')) { |
||
| 390 | return false; |
||
| 391 | } |
||
| 392 | } |
||
| 393 | } |
||
| 394 | } |
||
| 395 | return true; |
||
| 396 | } |
||
| 397 | |||
| 398 | /**
|
||
| 399 | * Check if authentication is required
|
||
| 400 | *
|
||
| 401 | * @param Controller $controller Instantiating controller
|
||
| 402 | * @return bool|null True if authentication required
|
||
| 403 | */
|
||
| 404 | protected function _authRequired(Controller $controller) { |
||
| 405 | if (is_array($this->requireAuth) && !empty($this->requireAuth) && !empty($this->request->data)) { |
||
| 406 | $requireAuth = $this->requireAuth; |
||
| 407 | |||
| 408 | if (in_array($this->request->params['action'], $requireAuth) || $this->requireAuth === array('*')) { |
||
| 409 | if (!isset($controller->request->data['_Token'])) { |
||
| 410 | if (!$this->blackHole($controller, 'auth')) { |
||
| 411 | return null; |
||
| 412 | } |
||
| 413 | } |
||
| 414 | |||
| 415 | if ($this->Session->check('_Token')) { |
||
| 416 | $tData = $this->Session->read('_Token'); |
||
| 417 | |||
| 418 | if (!empty($tData['allowedControllers']) && |
||
| 419 | !in_array($this->request->params['controller'], $tData['allowedControllers']) || |
||
| 420 | !empty($tData['allowedActions']) && |
||
| 421 | !in_array($this->request->params['action'], $tData['allowedActions']) |
||
| 422 | ) {
|
||
| 423 | if (!$this->blackHole($controller, 'auth')) { |
||
| 424 | return null; |
||
| 425 | } |
||
| 426 | } |
||
| 427 | } else {
|
||
| 428 | if (!$this->blackHole($controller, 'auth')) { |
||
| 429 | return null; |
||
| 430 | } |
||
| 431 | } |
||
| 432 | } |
||
| 433 | } |
||
| 434 | return true; |
||
| 435 | } |
||
| 436 | |||
| 437 | /**
|
||
| 438 | * Validate submitted form
|
||
| 439 | *
|
||
| 440 | * @param Controller $controller Instantiating controller
|
||
| 441 | * @return bool true if submitted form is valid
|
||
| 442 | */
|
||
| 443 | protected function _validatePost(Controller $controller) { |
||
| 444 | if (empty($controller->request->data)) { |
||
| 445 | return true; |
||
| 446 | } |
||
| 447 | $data = $controller->request->data; |
||
| 448 | |||
| 449 | if (!isset($data['_Token']) || !isset($data['_Token']['fields']) || !isset($data['_Token']['unlocked'])) { |
||
| 450 | return false; |
||
| 451 | } |
||
| 452 | |||
| 453 | $locked = ''; |
||
| 454 | $check = $controller->request->data; |
||
| 455 | $token = urldecode($check['_Token']['fields']); |
||
| 456 | $unlocked = urldecode($check['_Token']['unlocked']); |
||
| 457 | |||
| 458 | if (strpos($token, ':')) { |
||
| 459 | list($token, $locked) = explode(':', $token, 2); |
||
| 460 | } |
||
| 461 | unset($check['_Token']); |
||
| 462 | |||
| 463 | $locked = explode('|', $locked); |
||
| 464 | $unlocked = explode('|', $unlocked); |
||
| 465 | |||
| 466 | $lockedFields = array(); |
||
| 467 | $fields = Hash::flatten($check); |
||
| 468 | $fieldList = array_keys($fields); |
||
| 469 | $multi = array(); |
||
| 470 | |||
| 471 | foreach ($fieldList as $i => $key) { |
||
| 472 | if (preg_match('/(\.\d+){1,10}$/', $key)) { |
||
| 473 | $multi[$i] = preg_replace('/(\.\d+){1,10}$/', '', $key); |
||
| 474 | unset($fieldList[$i]); |
||
| 475 | } |
||
| 476 | } |
||
| 477 | if (!empty($multi)) { |
||
| 478 | $fieldList += array_unique($multi); |
||
| 479 | } |
||
| 480 | |||
| 481 | $unlockedFields = array_unique( |
||
| 482 | array_merge((array)$this->disabledFields, (array)$this->unlockedFields, $unlocked) |
||
| 483 | ); |
||
| 484 | |||
| 485 | foreach ($fieldList as $i => $key) { |
||
| 486 | $isLocked = (is_array($locked) && in_array($key, $locked)); |
||
| 487 | |||
| 488 | if (!empty($unlockedFields)) { |
||
| 489 | foreach ($unlockedFields as $off) { |
||
| 490 | $off = explode('.', $off); |
||
| 491 | $field = array_values(array_intersect(explode('.', $key), $off)); |
||
| 492 | $isUnlocked = ($field === $off); |
||
| 493 | if ($isUnlocked) { |
||
| 494 | break;
|
||
| 495 | } |
||
| 496 | } |
||
| 497 | } |
||
| 498 | |||
| 499 | if ($isUnlocked || $isLocked) { |
||
| 500 | unset($fieldList[$i]); |
||
| 501 | if ($isLocked) { |
||
| 502 | $lockedFields[$key] = $fields[$key]; |
||
| 503 | } |
||
| 504 | } |
||
| 505 | } |
||
| 506 | sort($unlocked, SORT_STRING); |
||
| 507 | sort($fieldList, SORT_STRING); |
||
| 508 | ksort($lockedFields, SORT_STRING); |
||
| 509 | |||
| 510 | $fieldList += $lockedFields; |
||
| 511 | $unlocked = implode('|', $unlocked); |
||
| 512 | $hashParts = array( |
||
| 513 | $this->request->here(),
|
||
| 514 | serialize($fieldList), |
||
| 515 | $unlocked,
|
||
| 516 | Configure::read('Security.salt') |
||
| 517 | ); |
||
| 518 | $check = Security::hash(implode('', $hashParts), 'sha1'); |
||
| 519 | return ($token === $check); |
||
| 520 | } |
||
| 521 | |||
| 522 | /**
|
||
| 523 | * Manually add CSRF token information into the provided request object.
|
||
| 524 | *
|
||
| 525 | * @param CakeRequest $request The request object to add into.
|
||
| 526 | * @return bool
|
||
| 527 | */
|
||
| 528 | public function generateToken(CakeRequest $request) { |
||
| 529 | if (isset($request->params['requested']) && $request->params['requested'] === 1) { |
||
| 530 | if ($this->Session->check('_Token')) { |
||
| 531 | $request->params['_Token'] = $this->Session->read('_Token'); |
||
| 532 | } |
||
| 533 | return false; |
||
| 534 | } |
||
| 535 | $authKey = Security::generateAuthKey(); |
||
| 536 | $token = array( |
||
| 537 | 'key' => $authKey, |
||
| 538 | 'allowedControllers' => $this->allowedControllers, |
||
| 539 | 'allowedActions' => $this->allowedActions, |
||
| 540 | 'unlockedFields' => array_merge($this->disabledFields, $this->unlockedFields), |
||
| 541 | 'csrfTokens' => array() |
||
| 542 | ); |
||
| 543 | |||
| 544 | $tokenData = array(); |
||
| 545 | if ($this->Session->check('_Token')) { |
||
| 546 | $tokenData = $this->Session->read('_Token'); |
||
| 547 | if (!empty($tokenData['csrfTokens']) && is_array($tokenData['csrfTokens'])) { |
||
| 548 | $token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']); |
||
| 549 | } |
||
| 550 | } |
||
| 551 | if ($this->csrfUseOnce || empty($token['csrfTokens'])) { |
||
| 552 | $token['csrfTokens'][$authKey] = strtotime($this->csrfExpires); |
||
| 553 | } |
||
| 554 | if (!$this->csrfUseOnce) { |
||
| 555 | $csrfTokens = array_keys($token['csrfTokens']); |
||
| 556 | $authKey = $csrfTokens[0]; |
||
| 557 | $token['key'] = $authKey; |
||
| 558 | $token['csrfTokens'][$authKey] = strtotime($this->csrfExpires); |
||
| 559 | } |
||
| 560 | $this->Session->write('_Token', $token); |
||
| 561 | $request->params['_Token'] = array( |
||
| 562 | 'key' => $token['key'], |
||
| 563 | 'unlockedFields' => $token['unlockedFields'] |
||
| 564 | ); |
||
| 565 | return true; |
||
| 566 | } |
||
| 567 | |||
| 568 | /**
|
||
| 569 | * Validate that the controller has a CSRF token in the POST data
|
||
| 570 | * and that the token is legit/not expired. If the token is valid
|
||
| 571 | * it will be removed from the list of valid tokens.
|
||
| 572 | *
|
||
| 573 | * @param Controller $controller A controller to check
|
||
| 574 | * @return bool Valid csrf token.
|
||
| 575 | */
|
||
| 576 | protected function _validateCsrf(Controller $controller) { |
||
| 577 | $token = $this->Session->read('_Token'); |
||
| 578 | $requestToken = $controller->request->data('_Token.key'); |
||
| 579 | if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) { |
||
| 580 | if ($this->csrfUseOnce) { |
||
| 581 | $this->Session->delete('_Token.csrfTokens.' . $requestToken); |
||
| 582 | } |
||
| 583 | return true; |
||
| 584 | } |
||
| 585 | return false; |
||
| 586 | } |
||
| 587 | |||
| 588 | /**
|
||
| 589 | * Expire CSRF nonces and remove them from the valid tokens.
|
||
| 590 | * Uses a simple timeout to expire the tokens.
|
||
| 591 | *
|
||
| 592 | * @param array $tokens An array of nonce => expires.
|
||
| 593 | * @return array An array of nonce => expires.
|
||
| 594 | */
|
||
| 595 | protected function _expireTokens($tokens) { |
||
| 596 | $now = time(); |
||
| 597 | foreach ($tokens as $nonce => $expires) { |
||
| 598 | if ($expires < $now) { |
||
| 599 | unset($tokens[$nonce]); |
||
| 600 | } |
||
| 601 | } |
||
| 602 | $overflow = count($tokens) - $this->csrfLimit; |
||
| 603 | if ($overflow > 0) { |
||
| 604 | $tokens = array_slice($tokens, $overflow + 1, null, true); |
||
| 605 | } |
||
| 606 | return $tokens; |
||
| 607 | } |
||
| 608 | |||
| 609 | /**
|
||
| 610 | * Calls a controller callback method
|
||
| 611 | *
|
||
| 612 | * @param Controller $controller Controller to run callback on
|
||
| 613 | * @param string $method Method to execute
|
||
| 614 | * @param array $params Parameters to send to method
|
||
| 615 | * @return mixed Controller callback method's response
|
||
| 616 | * @throws BadRequestException When a the blackholeCallback is not callable.
|
||
| 617 | */
|
||
| 618 | protected function _callback(Controller $controller, $method, $params = array()) { |
||
| 619 | if (!is_callable(array($controller, $method))) { |
||
| 620 | throw new BadRequestException(__d('cake_dev', 'The request has been black-holed')); |
||
| 621 | } |
||
| 622 | return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params); |
||
| 623 | } |
||
| 624 | |||
| 625 | } |