author | mattab <matthieu.aubry@gmail.com> | 2013-03-28 03:42:39 +0400 |
---|---|---|
committer | mattab <matthieu.aubry@gmail.com> | 2013-03-28 03:42:40 +0400 |
commit | ae4b03163792f0b6e933933e5d37df87dc3fd566 (patch) | |
tree | d1d7510a9728f587d3d63ebd03e4ecf3d904838b /core/Nonce.php | |
parent | 158c2150f5f2e13ece459b8d131244c11b763997 (diff) |
Mass conversion of all files to the newly agreed coding standard: PSR 1/2
Converting Piwik core source files, PHP, JS, TPL, CSS
More info: http://piwik.org/participate/coding-standards/
Diffstat (limited to 'core/Nonce.php')
-rw-r--r-- | core/Nonce.php | 241 |
1 files changed, 117 insertions, 124 deletions
diff --git a/core/Nonce.php b/core/Nonce.php
index b76cbd16e9..f7763ee15b 100644
--- a/core/Nonce.php
+++ b/core/Nonce.php
@@ -24,128 +24,121 @@
 */
 class Piwik_Nonce
 {
- /**
- * Generate nonce
- *
- * @param string $id Unique id to avoid namespace conflicts, e.g., ModuleName.ActionName
- * @param int $ttl Optional time-to-live in seconds; default is 5 minutes
- * @return string Nonce
- */
- static public function getNonce($id, $ttl = 300)
- {
- // save session-dependent nonce
- $ns = new Piwik_Session_Namespace($id);
- $nonce = $ns->nonce;
-
- // re-use an unexpired nonce (a small deviation from the "used only once" principle, so long as we do not reset the expiration)
- // to handle browser pre-fetch or double fetch caused by some browser add-ons/extensions
- if(empty($nonce))
- {
- // generate a new nonce
- $nonce = md5(Piwik_Common::getSalt() . time() . Piwik_Common::generateUniqId());
- $ns->nonce = $nonce;
- $ns->setExpirationSeconds($ttl, 'nonce');
- }
-
- return $nonce;
- }
-
- /**
- * Verify nonce and check referrer (if present, i.e., it may be suppressed by the browser or a proxy/network).
- *
- * @param string $id Unique id
- * @param string $cnonce Nonce sent to client
- * @return bool true if valid; false otherwise
- */
- static public function verifyNonce($id, $cnonce)
- {
- $ns = new Piwik_Session_Namespace($id);
- $nonce = $ns->nonce;
-
- // validate token
- if(empty($cnonce) || $cnonce !== $nonce)
- {
- return false;
- }
-
- // validate referer
- $referer = Piwik_Url::getReferer();
- if(!empty($referer) && !Piwik_Url::isLocalUrl($referer))
- {
- return false;
- }
-
- // validate origin
- $origin = self::getOrigin();
- if(!empty($origin) &&
- ($origin == 'null'
- || !in_array($origin, self::getAcceptableOrigins())))
- {
- return false;
- }
-
- return true;
- }
-
- /**
- * Discard nonce ("now" as opposed to waiting for garbage collection)
- *
- * @param string $id Unique id
- */
- static public function discardNonce($id)
- {
- $ns = new Piwik_Session_Namespace($id);
- $ns->unsetAll();
- }
-
- /**
- * Get ORIGIN header, false if not found
- *
- * @return string|false
- */
- static public function getOrigin()
- {
- if(!empty($_SERVER['HTTP_ORIGIN']))
- {
- return $_SERVER['HTTP_ORIGIN'];
- }
- return false;
- }
-
- /**
- * Returns acceptable origins (not simply scheme://host) that
- * should handle a variety of proxy and web server (mis)configurations,.
- *
- * @return array
- */
- static public function getAcceptableOrigins()
- {
- $host = Piwik_Url::getCurrentHost(null);
- $port = '';
-
- // parse host:port
- if(preg_match('/^([^:]+):([0-9]+)$/D', $host, $matches))
- {
- $host = $matches[1];
- $port = $matches[2];
- }
-
- if(empty($host))
- {
- return array();
- }
-
- // standard ports
- $origins[] = 'http://'.$host;
- $origins[] = 'https://'.$host;
-
- // non-standard ports
- if(!empty($port) && $port != 80 && $port != 443)
- {
- $origins[] = 'http://'.$host.':'.$port;
- $origins[] = 'https://'.$host.':'.$port;
- }
-
- return $origins;
- }
+ /**
+ * Generate nonce
+ *
+ * @param string $id Unique id to avoid namespace conflicts, e.g., ModuleName.ActionName
+ * @param int $ttl Optional time-to-live in seconds; default is 5 minutes
+ * @return string Nonce
+ */
+ static public function getNonce($id, $ttl = 300)
+ {
+ // save session-dependent nonce
+ $ns = new Piwik_Session_Namespace($id);
+ $nonce = $ns->nonce;
+
+ // re-use an unexpired nonce (a small deviation from the "used only once" principle, so long as we do not reset the expiration)
+ // to handle browser pre-fetch or double fetch caused by some browser add-ons/extensions
+ if (empty($nonce)) {
+ // generate a new nonce
+ $nonce = md5(Piwik_Common::getSalt() . time() . Piwik_Common::generateUniqId());
+ $ns->nonce = $nonce;
+ $ns->setExpirationSeconds($ttl, 'nonce');
+ }
+
+ return $nonce;
+ }
+
+ /**
+ * Verify nonce and check referrer (if present, i.e., it may be suppressed by the browser or a proxy/network).
+ *
+ * @param string $id Unique id
+ * @param string $cnonce Nonce sent to client
+ * @return bool true if valid; false otherwise
+ */
+ static public function verifyNonce($id, $cnonce)
+ {
+ $ns = new Piwik_Session_Namespace($id);
+ $nonce = $ns->nonce;
+
+ // validate token
+ if (empty($cnonce) || $cnonce !== $nonce) {
+ return false;
+ }
+
+ // validate referer
+ $referer = Piwik_Url::getReferer();
+ if (!empty($referer) && !Piwik_Url::isLocalUrl($referer)) {
+ return false;
+ }
+
+ // validate origin
+ $origin = self::getOrigin();
+ if (!empty($origin) &&
+ ($origin == 'null'
+ || !in_array($origin, self::getAcceptableOrigins()))
+ ) {
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
+ * Discard nonce ("now" as opposed to waiting for garbage collection)
+ *
+ * @param string $id Unique id
+ */
+ static public function discardNonce($id)
+ {
+ $ns = new Piwik_Session_Namespace($id);
+ $ns->unsetAll();
+ }
+
+ /**
+ * Get ORIGIN header, false if not found
+ *
+ * @return string|false
+ */
+ static public function getOrigin()
+ {
+ if (!empty($_SERVER['HTTP_ORIGIN'])) {
+ return $_SERVER['HTTP_ORIGIN'];
+ }
+ return false;
+ }
+
+ /**
+ * Returns acceptable origins (not simply scheme://host) that
+ * should handle a variety of proxy and web server (mis)configurations,.
+ *
+ * @return array
+ */
+ static public function getAcceptableOrigins()
+ {
+ $host = Piwik_Url::getCurrentHost(null);
+ $port = '';
+
+ // parse host:port
+ if (preg_match('/^([^:]+):([0-9]+)$/D', $host, $matches)) {
+ $host = $matches[1];
+ $port = $matches[2];
+ }
+
+ if (empty($host)) {
+ return array();
+ }
+
+ // standard ports
+ $origins[] = 'http://' . $host;
+ $origins[] = 'https://' . $host;
+
+ // non-standard ports
+ if (!empty($port) && $port != 80 && $port != 443) {
+ $origins[] = 'http://' . $host . ':' . $port;
+ $origins[] = 'https://' . $host . ':' . $port;
+ }
+
+ return $origins;
+ }
 } |
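Review bot: In `verifyNonce`, the token check `$cnonce !== $nonce` is carried over unchanged by this formatting-only commit, and it compares the session nonce with an operator that is not constant-time. Where the supported PHP versions provide `hash_equals()`, the guard could become `if (empty($cnonce) || !is_string($cnonce) || !is_string($nonce) || !hash_equals($nonce, $cnonce)) {`, which accepts and rejects the same inputs without a data-dependent early exit. The Origin check below it also relies on loose comparison (`$origin == 'null'` and `in_array()` without the strict flag); `$origin === 'null'` and `in_array($origin, self::getAcceptableOrigins(), true)` would make the allow-list match exact. Separately, the `verifyNonce` docblock mentions only the referrer, so it is worth stating there that the Origin header is likewise checked only when the request carries one.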