public/tt-rss
1
0
Fork 0
mirror of https://git.tt-rss.org/git/tt-rss.git synced 2025-12-13 14:15:56 +00:00
Code Issues Releases Wiki Activity

* use get_random_bytes() for CSRF token

Browse Source 
* get_random_bytes: use PHP7 random_bytes() if it is available
* validate CSRF token using hash_equals
This commit is contained in:
Andrew Dolgov
2020-09-17 08:59:18 +03:00
parent 0757ad0406
commit a817d3794d
2 changed files with 9 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
include/functions.php
View File

@@ -581,7 +581,7 @@
$_SESSION["name"] = $row["login"];
$_SESSION["access_level"] = $row["access_level"];
$_SESSION["csrf_token"] = uniqid_short();
$_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
$usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?");
$usth->execute([$user_id]);
@@ -608,9 +608,8 @@
$_SESSION["auth_module"] = false;
if (!$_SESSION["csrf_token"]) {
$_SESSION["csrf_token"] = uniqid_short();
}
if (!$_SESSION["csrf_token"])
$_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
@@ -680,7 +679,7 @@
}
function validate_csrf($csrf_token) {
return $csrf_token === $_SESSION['csrf_token'];
return hash_equals($csrf_token, $_SESSION['csrf_token']);
}
function load_user_plugins($owner_uid, $pluginhost = false) {
@@ -1669,7 +1668,9 @@
}
function get_random_bytes($length) {
if (function_exists('openssl_random_pseudo_bytes')) {
if (function_exists('random_bytes')) {
return random_bytes($length);
} else if (function_exists('openssl_random_pseudo_bytes')) {
return openssl_random_pseudo_bytes($length);
} else {
$output = "";