/**
* Checks if the CSRF check was correct
* @return bool true if CSRF check passed
* @see OC_Util::callRegister()
*/
public function passesCSRFCheck() {
if($this->items['requesttoken'] === false) {
return false;
}
if (isset($this->items['get']['requesttoken'])) {
$token = $this->items['get']['requesttoken'];
} elseif (isset($this->items['post']['requesttoken'])) {
$token = $this->items['post']['requesttoken'];
} elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
$token = $this->items['server']['HTTP_REQUESTTOKEN'];
} else {
//no token found.
return false;
}
// Deobfuscate token to prevent BREACH like attacks
$token = explode(':', $token);
if (count($token) !== 2) {
return false;
}
$obfuscatedToken = $token[0];
$secret = $token[1];
$deobfuscatedToken = base64_decode($obfuscatedToken) ^ $secret;
// Check if the token is valid
if(\OCP\Security\StringUtils::equals($deobfuscatedToken, $this->items['requesttoken'])) {
return true;
} else {
return false;
}
}
/**
* Checks if the CSRF check was correct
* @return bool true if CSRF check passed
* @see OC_Util::callRegister()
*/
public function passesCSRFCheck()
{
if ($this->items['requesttoken'] === false) {
return false;
}
if (isset($this->items['get']['requesttoken'])) {
$token = $this->items['get']['requesttoken'];
} elseif (isset($this->items['post']['requesttoken'])) {
$token = $this->items['post']['requesttoken'];
} elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
$token = $this->items['server']['HTTP_REQUESTTOKEN'];
} else {
//no token found.
return false;
}
// Decrypt token to prevent BREACH like attacks
$token = explode(':', $token);
if (count($token) !== 2) {
return false;
}
$encryptedToken = $token[0];
$secret = $token[1];
try {
$decryptedToken = $this->crypto->decrypt($encryptedToken, $secret);
} catch (\Exception $e) {
return false;
}
// Check if the token is valid
if (\OCP\Security\StringUtils::equals($decryptedToken, $this->items['requesttoken'])) {
return true;
} else {
return false;
}
}
/**
* Decrypts a value and verifies the HMAC (Encrypt-Then-Mac)
* @param string $authenticatedCiphertext
* @param string $password Password to encrypt, if not specified the secret from config.php will be taken
* @return string plaintext
* @throws \Exception If the HMAC does not match
*/
public function decrypt($authenticatedCiphertext, $password = '')
{
if ($password === '') {
$password = $this->config->getSystemValue('secret');
}
$this->cipher->setPassword($password);
$parts = explode('|', $authenticatedCiphertext);
if (sizeof($parts) !== 3) {
throw new \Exception('Authenticated ciphertext could not be decoded.');
}
$ciphertext = hex2bin($parts[0]);
$iv = $parts[1];
$hmac = hex2bin($parts[2]);
$this->cipher->setIV($iv);
if (!StringUtils::equals($this->calculateHMAC($parts[0] . $parts[1], $password), $hmac)) {
throw new \Exception('HMAC does not match.');
}
return $this->cipher->decrypt($ciphertext);
}
/**
* @PublicPage
* @param string $token
* @param string $userId
* @param string $password
* @param boolean $proceed
* @return array
*/
public function setPassword($token, $userId, $password, $proceed)
{
if ($this->isDataEncrypted && !$proceed) {
return $this->error('', array('encryption' => true));
}
try {
$user = $this->userManager->get($userId);
if (!StringUtils::equals($this->config->getUserValue($userId, 'owncloud', 'lostpassword', null), $token)) {
throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
}
if (!$user->setPassword($password)) {
throw new \Exception();
}
\OC_Hook::emit('\\OC\\Core\\LostPassword\\Controller\\LostController', 'post_passwordReset', array('uid' => $userId, 'password' => $password));
$this->config->deleteUserValue($userId, 'owncloud', 'lostpassword');
@\OC_User::unsetMagicInCookie();
} catch (\Exception $e) {
return $this->error($e->getMessage());
}
return $this->success();
}
/**
* Checks if the CSRF check was correct
* @return bool true if CSRF check passed
* @see OC_Util::callRegister()
*/
public function passesCSRFCheck()
{
if ($this->items['requesttoken'] === false) {
return false;
}
if (isset($this->items['get']['requesttoken'])) {
$token = $this->items['get']['requesttoken'];
} elseif (isset($this->items['post']['requesttoken'])) {
$token = $this->items['post']['requesttoken'];
} elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
$token = $this->items['server']['HTTP_REQUESTTOKEN'];
} else {
//no token found.
return false;
}
// Check if the token is valid
if (\OCP\Security\StringUtils::equals($token, $this->items['requesttoken'])) {
return true;
} else {
return false;
}
}
/**
* @param string $userId
* @param string $userId
* @throws \Exception
*/
private function checkPasswordResetToken($token, $userId)
{
$user = $this->userManager->get($userId);
$splittedToken = explode(':', $this->config->getUserValue($userId, 'owncloud', 'lostpassword', null));
if (count($splittedToken) !== 2) {
throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
}
if ($splittedToken[0] < $this->timeFactory->getTime() - 60 * 60 * 12 || $user->getLastLogin() > $splittedToken[0]) {
throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is expired'));
}
if (!StringUtils::equals($splittedToken[1], $token)) {
throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
}
}
/**
* Logs with an arbitrary level.
*
* @param mixed $level
* @param string $message
* @param array $context
*/
public function log($level, $message, array $context = array())
{
$minLevel = min($this->config->getValue('loglevel', \OC_Log::WARN), \OC_Log::ERROR);
$logCondition = $this->config->getValue('log.condition', []);
if (isset($context['app'])) {
$app = $context['app'];
/**
* check log condition based on the context of each log message
* once this is met -> change the required log level to debug
*/
if (!empty($logCondition) && isset($logCondition['apps']) && in_array($app, $logCondition['apps'], true)) {
$minLevel = \OC_Log::DEBUG;
}
} else {
$app = 'no app in context';
}
// interpolate $message as defined in PSR-3
$replace = array();
foreach ($context as $key => $val) {
$replace['{' . $key . '}'] = $val;
}
// interpolate replacement values into the message and return
$message = strtr($message, $replace);
/**
* check for a special log condition - this enables an increased log on
* a per request/user base
*/
if ($this->logConditionSatisfied === null) {
// default to false to just process this once per request
$this->logConditionSatisfied = false;
if (!empty($logCondition)) {
// check for secret token in the request
if (isset($logCondition['shared_secret'])) {
$request = \OC::$server->getRequest();
// if token is found in the request change set the log condition to satisfied
if ($request && StringUtils::equals($request->getParam('log_secret'), $logCondition['shared_secret'])) {
$this->logConditionSatisfied = true;
}
}
// check for user
if (isset($logCondition['users'])) {
$user = \OC::$server->getUserSession()->getUser();
// if the user matches set the log condition to satisfied
if ($user !== null && in_array($user->getUID(), $logCondition['users'], true)) {
$this->logConditionSatisfied = true;
}
}
}
}
// if log condition is satisfied change the required log level to DEBUG
if ($this->logConditionSatisfied) {
$minLevel = \OC_Log::DEBUG;
}
if ($level >= $minLevel) {
$logger = $this->logger;
call_user_func(array($logger, 'write'), $app, $message, $level);
}
}
protected function isValidToken($url, $token)
{
$storedToken = $this->dbHandler->getToken($url);
return StringUtils::equals($storedToken, $token);
}
