extern/egroupware
1
0
Fork 1
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-14 20:14:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

use openssl_random_pseudo_bytes, if available, to generate etemplate_exec_id, as it is used for CSRF protection too

Browse Source
This commit is contained in:
Ralf Becker 2016-11-17 11:08:54 +01:00
parent 519ce307e0
commit a135f7615d
4 changed files with 19 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
api/src/Etemplate/Request.php
View File

@ -350,6 +350,24 @@ class Request
return isset($this->data['to_process'][$form_name]); return isset($this->data['to_process'][$form_name]);
} }
/**
* creates a new unique request-id
*
* @return string
*/
static function request_id()
{
// As we replace spaces with + for those account ids which contain spaces, therefore we need to do the same for getting request id too.
$userID = str_replace(' ', '+', rawurldecode($GLOBALS['egw_info']['user']['account_lid']));
// generate random token (using oppenssl if available otherwise mt_rand based Auth::randomstring)
$token = function_exists('openssl_random_pseudo_bytes') ?
base64_encode(openssl_random_pseudo_bytes(32)) :
Auth::randomstring(44);
return $GLOBALS['egw_info']['flags']['currentapp'].'_'.$userID.'_'.$token;
}
/** /**
* magic function to set all request-vars, used eg. as $request->method = 'app.class.method'; * magic function to set all request-vars, used eg. as $request->method = 'app.class.method';
* *

12
api/src/Etemplate/Request/Cache.php
View File

@ -115,18 +115,6 @@ class Cache extends Etemplate\Request
return $request; return $request;
} }
/**
* creates a new unique request-id
*
* @return string
*/
static function request_id()
{
// As we replace spaces with + for those account ids which contain spaces, therefore we need to do the same for getting request id too.
$userID = str_replace(' ', '+', rawurldecode($GLOBALS['egw_info']['user']['account_lid']));
return uniqid($GLOBALS['egw_info']['flags']['currentapp'].'_'.$userID.'_',true);
}
/** /**
* saves content,readonlys,template-keys, ... via eGW's appsession function * saves content,readonlys,template-keys, ... via eGW's appsession function
* *

2
api/src/Etemplate/Request/Files.php
View File

@ -129,7 +129,7 @@ class Files extends Etemplate\Request
{ {
do do
{ {
$id = uniqid('etemplate_'.$GLOBALS['egw_info']['flags']['currentapp'].'_',true); $id = parent::request_id();
} }
while (file_exists(self::$directory.'/'.$id)); while (file_exists(self::$directory.'/'.$id));

13
api/src/Etemplate/Request/Session.php
View File

@ -104,19 +104,6 @@ class Session extends Etemplate\Request
return $request; return $request;
} }
/**
* creates a new request-id via microtime()
*
* @return string
*/
static function request_id()
{
$time = (int) (100 * microtime(true)); // gives precision of 1/100 sec
$id = $GLOBALS['egw_info']['flags']['currentapp'] .':'. $time;
return $id;
}
/** /**
* saves content,readonlys,template-keys, ... via eGW's appsession function * saves content,readonlys,template-keys, ... via eGW's appsession function
* *