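	/**
	 * Checks if the CSRF check was correct.
	 *
	 * The token is read from GET, POST or the REQUESTTOKEN header (in that
	 * order) and is expected in the form `base64(token XOR secret):secret`;
	 * it is de-obfuscated before being compared in constant time against
	 * the session token.
	 *
	 * @return bool true if CSRF check passed
	 * @see OC_Util::callRegister()
	 */
	public function passesCSRFCheck() {
		if ($this->items['requesttoken'] === false) {
			return false;
		}

		if (isset($this->items['get']['requesttoken'])) {
			$token = $this->items['get']['requesttoken'];
		} elseif (isset($this->items['post']['requesttoken'])) {
			$token = $this->items['post']['requesttoken'];
		} elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
			$token = $this->items['server']['HTTP_REQUESTTOKEN'];
		} else {
			//no token found.
			return false;
		}

		// A non-string value (e.g. `requesttoken[]=` in the query string)
		// must not be handed to explode()
		if (!is_string($token)) {
			return false;
		}

		// Deobfuscate token to prevent BREACH like attacks
		$parts = explode(':', $token);
		if (count($parts) !== 2) {
			return false;
		}
		$obfuscatedToken = $parts[0];
		$secret = $parts[1];

		// Strict decoding rejects malformed input instead of silently
		// dropping characters. An empty secret would XOR to an empty string,
		// so reject it outright; note the string XOR truncates to the
		// shorter operand.
		$decoded = base64_decode($obfuscatedToken, true);
		if ($decoded === false || $secret === '') {
			return false;
		}
		$deobfuscatedToken = $decoded ^ $secret;

		// Check if the token is valid (constant-time comparison)
		return \OCP\Security\StringUtils::equals($deobfuscatedToken, $this->items['requesttoken']) ? true : false;
	}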
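 /**
  * Checks if the CSRF check was correct.
  *
  * The token is read from GET, POST or the REQUESTTOKEN header (in that
  * order) and is expected in the form `<encrypted token>:<secret>`; it is
  * decrypted with the per-request secret before being compared in constant
  * time against the session token.
  *
  * @return bool true if CSRF check passed
  * @see OC_Util::callRegister()
  */
 public function passesCSRFCheck()
 {
     if ($this->items['requesttoken'] === false) {
         return false;
     }
     if (isset($this->items['get']['requesttoken'])) {
         $token = $this->items['get']['requesttoken'];
     } elseif (isset($this->items['post']['requesttoken'])) {
         $token = $this->items['post']['requesttoken'];
     } elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
         $token = $this->items['server']['HTTP_REQUESTTOKEN'];
     } else {
         //no token found.
         return false;
     }
     // A non-string value (e.g. `requesttoken[]=` in the query string)
     // must not be handed to explode()
     if (!is_string($token)) {
         return false;
     }
     // Decrypt token to prevent BREACH like attacks
     $parts = explode(':', $token);
     if (count($parts) !== 2) {
         return false;
     }
     $encryptedToken = $parts[0];
     $secret = $parts[1];
     // The crypto service falls back to the config.php secret when the
     // password is empty; a request-supplied token must never take that path
     if ($secret === '') {
         return false;
     }
     try {
         $decryptedToken = $this->crypto->decrypt($encryptedToken, $secret);
     } catch (\Exception $e) {
         // malformed ciphertext or a failed HMAC check: treat as no token
         return false;
     }
     // Check if the token is valid (constant-time comparison)
     return \OCP\Security\StringUtils::equals($decryptedToken, $this->items['requesttoken']) ? true : false;
 }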
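 /**
  * Decrypts a value and verifies the HMAC (Encrypt-Then-Mac)
  *
  * Expected input format: `hex(ciphertext)|iv|hex(hmac)`. The HMAC is
  * verified over the first two parts before the ciphertext is decoded or
  * handed to the cipher, so tampered input never reaches decryption.
  *
  * @param string $authenticatedCiphertext
  * @param string $password Password to decrypt with, if not specified the secret from config.php will be taken
  * @return string plaintext
  * @throws \Exception If the input cannot be decoded or the HMAC does not match
  */
 public function decrypt($authenticatedCiphertext, $password = '')
 {
     if ($password === '') {
         $password = $this->config->getSystemValue('secret');
     }
     $this->cipher->setPassword($password);
     $parts = explode('|', $authenticatedCiphertext);
     if (count($parts) !== 3) {
         throw new \Exception('Authenticated ciphertext could not be decoded.');
     }
     // hex2bin() warns and returns false on odd-length or non-hex input;
     // validate the hex fields explicitly so that can never reach the
     // comparison below (an empty field is allowed, as before)
     foreach ([$parts[0], $parts[2]] as $hexField) {
         if (strlen($hexField) % 2 !== 0 || ($hexField !== '' && !ctype_xdigit($hexField))) {
             throw new \Exception('Authenticated ciphertext could not be decoded.');
         }
     }
     $hmac = hex2bin($parts[2]);
     // Verify the tag over the raw hex ciphertext and IV first, in constant time
     if (!StringUtils::equals($this->calculateHMAC($parts[0] . $parts[1], $password), $hmac)) {
         throw new \Exception('HMAC does not match.');
     }
     // Only authenticated input is decoded and passed to the cipher
     $ciphertext = hex2bin($parts[0]);
     $this->cipher->setIV($parts[1]);
     return $this->cipher->decrypt($ciphertext);
 }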
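 /**
  * Sets a new password for the user identified by a lost-password token.
  *
  * The token is compared in constant time against the value stored under
  * the user's `owncloud/lostpassword` setting, which is deleted once the
  * password has been changed.
  *
  * @PublicPage
  * @param string $token
  * @param string $userId
  * @param string $password
  * @param boolean $proceed
  * @return array
  */
 public function setPassword($token, $userId, $password, $proceed)
 {
     if ($this->isDataEncrypted && !$proceed) {
         return $this->error('', ['encryption' => true]);
     }
     try {
         $user = $this->userManager->get($userId);
         $storedToken = $this->config->getUserValue($userId, 'owncloud', 'lostpassword', null);
         // No stored token (no reset requested) or a non-string submitted
         // token can never be valid; reject before the comparison
         if (!is_string($storedToken) || $storedToken === '' || !is_string($token)
             || !StringUtils::equals($storedToken, $token)) {
             throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
         }
         // NOTE(review): get() is assumed to return null for an unknown user;
         // without this check the call below would be a fatal Error, not an
         // Exception, and bypass the catch
         if ($user === null) {
             throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
         }
         if (!$user->setPassword($password)) {
             throw new \Exception();
         }
         \OC_Hook::emit('\\OC\\Core\\LostPassword\\Controller\\LostController', 'post_passwordReset', ['uid' => $userId, 'password' => $password]);
         // the token is single-use
         $this->config->deleteUserValue($userId, 'owncloud', 'lostpassword');
         @\OC_User::unsetMagicInCookie();
     } catch (\Exception $e) {
         return $this->error($e->getMessage());
     }
     return $this->success();
 }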
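 /**
  * Checks if the CSRF check was correct
  *
  * The token is taken from GET, POST or the REQUESTTOKEN header, in that
  * order, and compared in constant time against the session token.
  *
  * @return bool true if CSRF check passed
  * @see OC_Util::callRegister()
  */
 public function passesCSRFCheck()
 {
     if ($this->items['requesttoken'] === false) {
         return false;
     }
     if (isset($this->items['get']['requesttoken'])) {
         $token = $this->items['get']['requesttoken'];
     } elseif (isset($this->items['post']['requesttoken'])) {
         $token = $this->items['post']['requesttoken'];
     } elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
         $token = $this->items['server']['HTTP_REQUESTTOKEN'];
     } else {
         //no token found.
         return false;
     }
     // A non-string value (e.g. `requesttoken[]=` in the query string)
     // is rejected before it reaches the comparison
     if (!is_string($token)) {
         return false;
     }
     // Check if the token is valid
     return \OCP\Security\StringUtils::equals($token, $this->items['requesttoken']) ? true : false;
 }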
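 /**
  * Validates a lost-password token for the given user.
  *
  * The stored value has the form `<timestamp>:<secret>`. The token is
  * rejected when it is malformed, older than 12 hours, issued before the
  * user's last login, or when the secret part does not match.
  *
  * @param string $token
  * @param string $userId
  * @throws \Exception when the token is invalid or expired
  */
 private function checkPasswordResetToken($token, $userId)
 {
     $user = $this->userManager->get($userId);
     $storedToken = $this->config->getUserValue($userId, 'owncloud', 'lostpassword', null);
     $splittedToken = is_string($storedToken) ? explode(':', $storedToken) : [];
     // NOTE(review): get() is assumed to return null for an unknown user;
     // treat that like a missing token rather than calling methods on null
     if ($user === null || count($splittedToken) !== 2) {
         throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
     }
     // Cast explicitly: comparing a non-numeric string with an int falls back
     // to string comparison and would not be a reliable expiry check
     $issuedAt = (int) $splittedToken[0];
     $maxAge = 60 * 60 * 12;
     if ($issuedAt < $this->timeFactory->getTime() - $maxAge || $user->getLastLogin() > $issuedAt) {
         throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is expired'));
     }
     // constant-time comparison of the secret part
     if (!is_string($token) || !StringUtils::equals($splittedToken[1], $token)) {
         throw new \Exception($this->l10n->t('Couldn\'t reset password because the token is invalid'));
     }
 }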
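 /**
  * Logs with an arbitrary level.
  *
  * The effective minimum level is the `loglevel` config value capped at
  * ERROR; it is lowered to DEBUG when a `log.condition` matches the
  * context's app, the request's `log_secret`, or the current user (the
  * request/user part is resolved once per instance and cached in
  * $this->logConditionSatisfied). The message is interpolated with
  * `{key}` placeholders from $context as defined in PSR-3.
  *
  * @param mixed $level
  * @param string $message
  * @param array $context
  */
 public function log($level, $message, array $context = array())
 {
     $minLevel = min($this->config->getValue('loglevel', \OC_Log::WARN), \OC_Log::ERROR);
     $logCondition = $this->config->getValue('log.condition', []);
     $app = 'no app in context';
     if (isset($context['app'])) {
         $app = $context['app'];
         // check log condition based on the context of each log message
         // once this is met -> change the required log level to debug
         if (!empty($logCondition) && isset($logCondition['apps']) && in_array($app, $logCondition['apps'], true)) {
             $minLevel = \OC_Log::DEBUG;
         }
     }
     // interpolate $message as defined in PSR-3; only values with a string
     // representation are substituted, anything else would trigger an
     // "Array to string" notice or an Error inside strtr()
     $replace = [];
     foreach ($context as $key => $val) {
         if (is_scalar($val) || $val === null || (is_object($val) && method_exists($val, '__toString'))) {
             $replace['{' . $key . '}'] = (string) $val;
         }
     }
     $message = strtr($message, $replace);
     // check for a special log condition - this enables an increased log on
     // a per request/user base
     if ($this->logConditionSatisfied === null) {
         $this->logConditionSatisfied = $this->evaluateLogCondition($logCondition);
     }
     // if log condition is satisfied change the required log level to DEBUG
     if ($this->logConditionSatisfied) {
         $minLevel = \OC_Log::DEBUG;
     }
     if ($level >= $minLevel) {
         $this->logger->write($app, $message, $level);
     }
 }

 /**
  * Resolves the request/user part of the log condition once.
  *
  * @param mixed $logCondition the `log.condition` config value
  * @return bool true when the request carries the shared secret or the
  *              current user is listed
  */
 private function evaluateLogCondition($logCondition)
 {
     if (empty($logCondition)) {
         return false;
     }
     // check for secret token in the request (constant-time comparison;
     // a missing or non-string parameter never matches)
     if (isset($logCondition['shared_secret'])) {
         $request = \OC::$server->getRequest();
         $candidate = $request ? $request->getParam('log_secret') : null;
         if (is_string($candidate) && StringUtils::equals($candidate, $logCondition['shared_secret'])) {
             return true;
         }
     }
     // check for user
     if (isset($logCondition['users'])) {
         $user = \OC::$server->getUserSession()->getUser();
         if ($user !== null && in_array($user->getUID(), $logCondition['users'], true)) {
             return true;
         }
     }
     return false;
 }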
 /**
  * Checks whether the given token matches the one stored for the URL.
  *
  * @param string $url
  * @param string $token
  * @return bool
  */
 protected function isValidToken($url, $token)
 {
     $expected = $this->dbHandler->getToken($url);
     // constant-time comparison against the stored value
     $matches = StringUtils::equals($expected, $token);
     return $matches;
 }