search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug grabbing wrong secret, thanks sparticvs for reporting.
[csrf-magic.git] / csrf-magic.php
blob16550c3e2fc75dcaa0296bb0b09d5bbc8a4eee39
1 <?php
2
3 /**
4 * @file
5 *
6 * csrf-magic is a PHP library that makes adding CSRF-protection to your
7 * web applications a snap. No need to modify every form or create a database
8 * of valid nonces; just include this file at the top of every
9 * web-accessible page (or even better, your common include file included
10 * in every page), and forget about it! (There are, of course, configuration
11 * options for advanced users).
12 *
13 * This library is PHP4 and PHP5 compatible.
14 */
15
16 // CONFIGURATION:
17
18 /**
19 * By default, when you include this file csrf-magic will automatically check
20 * and exit if the CSRF token is invalid. This will defer executing
21 * csrf_check() until you're ready. You can also pass false as a parameter to
22 * that function, in which case the function will not exit but instead return
23 * a boolean false if the CSRF check failed. This allows for tighter integration
24 * with your system.
25 */
26 $GLOBALS['csrf']['defer'] = false;
27
28 /**
29 * This is the amount of seconds you wish to allow before any token becomes
30 * invalid; the default is two hours, which should be more than enough for
31 * most websites.
32 */
33 $GLOBALS['csrf']['expires'] = 7200;
34
35 /**
36 * Callback function to execute when there's the CSRF check fails and
37 * $fatal == true (see csrf_check). This will usually output an error message
38 * about the failure.
39 */
40 $GLOBALS['csrf']['callback'] = 'csrf_callback';
41
42 /**
43 * Whether or not to include our JavaScript library which also rewrites
44 * AJAX requests on this domain. Set this to the web path. This setting only works
45 * with supported JavaScript libraries in Internet Explorer; see README.txt for
46 * a list of supported libraries.
47 */
48 $GLOBALS['csrf']['rewrite-js'] = false;
49
50 /**
51 * A secret key used when hashing items. Please generate a random string and
52 * place it here. If you change this value, all previously generated tokens
53 * will become invalid.
54 */
55 $GLOBALS['csrf']['secret'] = '';
56 // nota bene: library code should use csrf_get_secret() and not access
57 // this global directly
58
59 /**
60 * Set this to false to disable csrf-magic's output handler, and therefore,
61 * its rewriting capabilities. If you're serving non HTML content, you should
62 * definitely set this false.
63 */
64 $GLOBALS['csrf']['rewrite'] = true;
65
66 /**
67 * Whether or not to use IP addresses when binding a user to a token. This is
68 * less reliable and less secure than sessions, but is useful when you need
69 * to give facilities to anonymous users and do not wish to maintain a database
70 * of valid keys.
71 */
72 $GLOBALS['csrf']['allow-ip'] = true;
73
74 /**
75 * If this information is available, use the cookie by this name to determine
76 * whether or not to allow the request. This is a shortcut implementation
77 * very similar to 'key', but we randomly set the cookie ourselves.
78 */
79 $GLOBALS['csrf']['cookie'] = '__csrf_cookie';
80
81 /**
82 * If this information is available, set this to a unique identifier (it
83 * can be an integer or a unique username) for the current "user" of this
84 * application. The token will then be globally valid for all of that user's
85 * operations, but no one else. This requires that 'secret' be set.
86 */
87 $GLOBALS['csrf']['user'] = false;
88
89 /**
90 * This is an arbitrary secret value associated with the user's session. This
91 * will most probably be the contents of a cookie, as an attacker cannot easily
92 * determine this information. Warning: If the attacker knows this value, they
93 * can easily spoof a token. This is a generic implementation; sessions should
94 * work in most cases.
95 *
96 * Why would you want to use this? Lets suppose you have a squid cache for your
97 * website, and the presence of a session cookie bypasses it. Let's also say
98 * you allow anonymous users to interact with the website; submitting forms
99 * and AJAX. Previously, you didn't have any CSRF protection for anonymous users
100 * and so they never got sessions; you don't want to start using sessions either,
101 * otherwise you'll bypass the Squid cache. Setup a different cookie for CSRF
102 * tokens, and have Squid ignore that cookie for get requests, for anonymous
103 * users. (If you haven't guessed, this scheme was(?) used for MediaWiki).
104 */
105 $GLOBALS['csrf']['key'] = false;
106
107 /**
108 * The name of the magic CSRF token that will be placed in all forms, i.e.
109 * the contents of <input type="hidden" name="$name" value="CSRF-TOKEN" />
110 */
111 $GLOBALS['csrf']['input-name'] = '__csrf_magic';
112
113 /**
114 * Set this to false if your site must work inside of frame/iframe elements,
115 * but do so at your own risk: this configuration protects you against CSS
116 * overlay attacks that defeat tokens.
117 */
118 $GLOBALS['csrf']['frame-breaker'] = true;
119
120 /**
121 * Whether or not CSRF Magic should be allowed to start a new session in order
122 * to determine the key.
123 */
124 $GLOBALS['csrf']['auto-session'] = true;
125
126 /**
127 * Whether or not csrf-magic should produce XHTML style tags.
128 */
129 $GLOBALS['csrf']['xhtml'] = true;
130
131 // FUNCTIONS:
132
133 // Don't edit this!
134 $GLOBALS['csrf']['version'] = '1.0.1';
135
136 /**
137 * Rewrites <form> on the fly to add CSRF tokens to them. This can also
138 * inject our JavaScript library.
139 */
140 function csrf_ob_handler($buffer, $flags) {
141 // Even though the user told us to rewrite, we should do a quick heuristic
142 // to check if the page is *actually* HTML. We don't begin rewriting until
143 // we hit the first <html tag.
144 static $is_html = false;
145 if (!$is_html) {
146 // not HTML until proven otherwise
147 if (stripos($buffer, '<html') !== false) {
148 $is_html = true;
149 } else {
150 return $buffer;
151 }
152 }
153 $tokens = csrf_get_tokens();
154 $name = $GLOBALS['csrf']['input-name'];
155 $endslash = $GLOBALS['csrf']['xhtml'] ? ' /' : '';
156 $input = "<input type='hidden' name='$name' value=\"$tokens\"$endslash>";
157 $buffer = preg_replace('#(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)#i', '$1' . $input, $buffer);
158 if ($GLOBALS['csrf']['frame-breaker']) {
159 $buffer = str_ireplace('</head>', '<script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script></head>', $buffer);
160 }
161 if ($js = $GLOBALS['csrf']['rewrite-js']) {
162 $buffer = str_ireplace(
163 '</head>',
164 '<script type="text/javascript">'.
165 'var csrfMagicToken = "'.$tokens.'";'.
166 'var csrfMagicName = "'.$name.'";</script>'.
167 '<script src="'.$js.'" type="text/javascript"></script></head>',
168 $buffer
169 );
170 $script = '<script type="text/javascript">CsrfMagic.end();</script>';
171 $buffer = str_ireplace('</body>', $script . '</body>', $buffer, $count);
172 if (!$count) {
173 $buffer .= $script;
174 }
175 }
176 return $buffer;
177 }
178
179 /**
180 * Checks if this is a post request, and if it is, checks if the nonce is valid.
181 * @param bool $fatal Whether or not to fatally error out if there is a problem.
182 * @return True if check passes or is not necessary, false if failure.
183 */
184 function csrf_check($fatal = true) {
185 if ($_SERVER['REQUEST_METHOD'] !== 'POST') return true;
186 csrf_start();
187 $name = $GLOBALS['csrf']['input-name'];
188 $ok = false;
189 $tokens = '';
190 do {
191 if (!isset($_POST[$name])) break;
192 // we don't regenerate a token and check it because some token creation
193 // schemes are volatile.
194 $tokens = $_POST[$name];
195 if (!csrf_check_tokens($tokens)) break;
196 $ok = true;
197 } while (false);
198 if ($fatal && !$ok) {
199 $callback = $GLOBALS['csrf']['callback'];
200 if (trim($tokens, 'A..Za..z0..9:;,') !== '') $tokens = 'hidden';
201 $callback($tokens);
202 exit;
203 }
204 return $ok;
205 }
206
207 /**
208 * Retrieves a valid token(s) for a particular context. Tokens are separated
209 * by semicolons.
210 */
211 function csrf_get_tokens() {
212 $has_cookies = !empty($_COOKIE);
213
214 // $ip implements a composite key, which is sent if the user hasn't sent
215 // any cookies. It may or may not be used, depending on whether or not
216 // the cookies "stick"
217 $secret = csrf_get_secret();
218 if (!$has_cookies && $secret) {
219 // :TODO: Harden this against proxy-spoofing attacks
220 $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
221 } else {
222 $ip = '';
223 }
224 csrf_start();
225
226 // These are "strong" algorithms that don't require per se a secret
227 if (session_id()) return 'sid:' . csrf_hash(session_id()) . $ip;
228 if ($GLOBALS['csrf']['cookie']) {
229 $val = csrf_generate_secret();
230 setcookie($GLOBALS['csrf']['cookie'], $val);
231 return 'cookie:' . csrf_hash($val) . $ip;
232 }
233 if ($GLOBALS['csrf']['key']) return 'key:' . csrf_hash($GLOBALS['csrf']['key']) . $ip;
234 // These further algorithms require a server-side secret
235 if (!$secret) return 'invalid';
236 if ($GLOBALS['csrf']['user'] !== false) {
237 return 'user:' . csrf_hash($GLOBALS['csrf']['user']);
238 }
239 if ($GLOBALS['csrf']['allow-ip']) {
240 return ltrim($ip, ';');
241 }
242 return 'invalid';
243 }
244
245 /**
246 * @param $tokens is safe for HTML consumption
247 */
248 function csrf_callback($tokens) {
249 header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
250 echo "<html><head><title>CSRF check failed</title></head><body>CSRF check failed. Please enable cookies.<br />Debug: ".$tokens."</body></html>
251 ";
252 }
253
254 /**
255 * Checks if a composite token is valid. Outward facing code should use this
256 * instead of csrf_check_token()
257 */
258 function csrf_check_tokens($tokens) {
259 if (is_string($tokens)) $tokens = explode(';', $tokens);
260 foreach ($tokens as $token) {
261 if (csrf_check_token($token)) return true;
262 }
263 return false;
264 }
265
266 /**
267 * Checks if a token is valid.
268 */
269 function csrf_check_token($token) {
270 if (strpos($token, ':') === false) return false;
271 list($type, $value) = explode(':', $token, 2);
272 if (strpos($value, ',') === false) return false;
273 list($x, $time) = explode(',', $token, 2);
274 if ($GLOBALS['csrf']['expires']) {
275 if (time() > $time + $GLOBALS['csrf']['expires']) return false;
276 }
277 switch ($type) {
278 case 'sid':
279 return $value === csrf_hash(session_id(), $time);
280 case 'cookie':
281 $n = $GLOBALS['csrf']['cookie'];
282 if (!$n) return false;
283 if (!isset($_COOKIE[$n])) return false;
284 return $value === csrf_hash($_COOKIE[$n], $time);
285 case 'key':
286 if (!$GLOBALS['csrf']['key']) return false;
287 return $value === csrf_hash($GLOBALS['csrf']['key'], $time);
288 // We could disable these 'weaker' checks if 'key' was set, but
289 // that doesn't make me feel good then about the cookie-based
290 // implementation.
291 case 'user':
292 if (!csrf_get_secret()) return false;
293 if ($GLOBALS['csrf']['user'] === false) return false;
294 return $value === csrf_hash($GLOBALS['csrf']['user'], $time);
295 case 'ip':
296 if (!csrf_get_secret()) return false;
297 // do not allow IP-based checks if the username is set, or if
298 // the browser sent cookies
299 if ($GLOBALS['csrf']['user'] !== false) return false;
300 if (!empty($_COOKIE)) return false;
301 if (!$GLOBALS['csrf']['allow-ip']) return false;
302 return $value === csrf_hash($_SERVER['IP_ADDRESS'], $time);
303 }
304 return false;
305 }
306
307 /**
308 * Sets a configuration value.
309 */
310 function csrf_conf($key, $val) {
311 if (!isset($GLOBALS['csrf'][$key])) {
312 trigger_error('No such configuration ' . $key, E_USER_WARNING);
313 return;
314 }
315 $GLOBALS['csrf'][$key] = $val;
316 }
317
318 /**
319 * Starts a session if we're allowed to.
320 */
321 function csrf_start() {
322 if ($GLOBALS['csrf']['auto-session'] && !session_id()) {
323 session_start();
324 }
325 }
326
327 /**
328 * Retrieves the secret, and generates one if necessary.
329 */
330 function csrf_get_secret() {
331 if ($GLOBALS['csrf']['secret']) return $GLOBALS['csrf']['secret'];
332 $dir = dirname(__FILE__);
333 $file = $dir . '/csrf-secret.php';
334 $secret = '';
335 if (file_exists($file)) {
336 include $file;
337 return $secret;
338 }
339 if (is_writable($dir)) {
340 $secret = csrf_generate_secret();
341 $fh = fopen($file, 'w');
342 fwrite($fh, '<?php $secret = "'.$secret.'";' . PHP_EOL);
343 fclose($fh);
344 return $secret;
345 }
346 return '';
347 }
348
349 /**
350 * Generates a random string as the hash of time, microtime, and mt_rand.
351 */
352 function csrf_generate_secret($len = 32) {
353 $r = '';
354 for ($i = 0; $i < 32; $i++) {
355 $r .= chr(mt_rand(0, 255));
356 }
357 $r .= time() . microtime();
358 return sha1($r);
359 }
360
361 /**
362 * Generates a hash/expiry double. If time isn't set it will be calculated
363 * from the current time.
364 */
365 function csrf_hash($value, $time = null) {
366 if (!$time) $time = time();
367 return sha1(csrf_get_secret() . $value . $time) . ',' . $time;
368 }
369
370 // Load user configuration
371 if (function_exists('csrf_startup')) csrf_startup();
372 // Initialize our handler
373 if ($GLOBALS['csrf']['rewrite']) ob_start('csrf_ob_handler');
374 // Perform check
375 if (!$GLOBALS['csrf']['defer']) csrf_check();
Wizard CSRF protection for PHP