29
29
* your application. It provides methods for various tasks like:
30
30
*
31
31
* - Restricting which HTTP methods your application accepts.
32
- * - CSRF protection.
33
32
* - Form tampering protection
34
33
* - Requiring that SSL be used.
35
34
* - Limiting cross controller communication.
@@ -90,7 +89,7 @@ class SecurityComponent extends Component {
90
89
public $ unlockedFields = array ();
91
90
92
91
/**
93
- * Actions to exclude from CSRF and POST validation checks.
92
+ * Actions to exclude from POST validation checks.
94
93
* Other checks like requireAuth(), requireSecure(),
95
94
* requirePost(), requireGet() etc. will still be applied.
96
95
*
@@ -106,47 +105,6 @@ class SecurityComponent extends Component {
106
105
*/
107
106
public $ validatePost = true ;
108
107
109
- /**
110
- * Whether to use CSRF protected forms. Set to false to disable CSRF protection on forms.
111
- *
112
- * @var boolean
113
- * @see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
114
- * @see SecurityComponent::$csrfExpires
115
- */
116
- public $ csrfCheck = true ;
117
-
118
- /**
119
- * The duration from when a CSRF token is created that it will expire on.
120
- * Each form/page request will generate a new token that can only be submitted once unless
121
- * it expires. Can be any value compatible with strtotime()
122
- *
123
- * @var string
124
- */
125
- public $ csrfExpires = '+30 minutes ' ;
126
-
127
- /**
128
- * Controls whether or not CSRF tokens are use and burn. Set to false to not generate
129
- * new tokens on each request. One token will be reused until it expires. This reduces
130
- * the chances of users getting invalid requests because of token consumption.
131
- * It has the side effect of making CSRF less secure, as tokens are reusable.
132
- *
133
- * @var boolean
134
- */
135
- public $ csrfUseOnce = true ;
136
-
137
- /**
138
- * Control the number of tokens a user can keep open.
139
- * This is most useful with one-time use tokens. Since new tokens
140
- * are created on each request, having a hard limit on the number of open tokens
141
- * can be useful in controlling the size of the session file.
142
- *
143
- * When tokens are evicted, the oldest ones will be removed, as they are the most likely
144
- * to be dead/expired.
145
- *
146
- * @var integer
147
- */
148
- public $ csrfLimit = 100 ;
149
-
150
108
/**
151
109
* Other components used by the Security component
152
110
*
@@ -195,9 +153,6 @@ public function startup(Event $event) {
195
153
if ($ this ->validatePost && $ this ->_validatePost ($ controller ) === false ) {
196
154
return $ this ->blackHole ($ controller , 'auth ' );
197
155
}
198
- if ($ this ->csrfCheck && $ this ->_validateCsrf ($ controller ) === false ) {
199
- return $ this ->blackHole ($ controller , 'csrf ' );
200
- }
201
156
}
202
157
$ this ->generateToken ($ controller ->request );
203
158
if ($ isPost && is_array ($ controller ->request ->data )) {
@@ -422,22 +377,11 @@ public function generateToken(Request $request) {
422
377
'allowedControllers ' => $ this ->allowedControllers ,
423
378
'allowedActions ' => $ this ->allowedActions ,
424
379
'unlockedFields ' => $ this ->unlockedFields ,
425
- 'csrfTokens ' => array ()
426
380
);
427
381
428
382
$ tokenData = array ();
429
383
if ($ this ->Session ->check ('_Token ' )) {
430
384
$ tokenData = $ this ->Session ->read ('_Token ' );
431
- if (!empty ($ tokenData ['csrfTokens ' ]) && is_array ($ tokenData ['csrfTokens ' ])) {
432
- $ token ['csrfTokens ' ] = $ this ->_expireTokens ($ tokenData ['csrfTokens ' ]);
433
- }
434
- }
435
- if ($ this ->csrfUseOnce || empty ($ token ['csrfTokens ' ])) {
436
- $ token ['csrfTokens ' ][$ authKey ] = strtotime ($ this ->csrfExpires );
437
- }
438
- if (!$ this ->csrfUseOnce ) {
439
- $ csrfTokens = array_keys ($ token ['csrfTokens ' ]);
440
- $ token ['key ' ] = $ csrfTokens [0 ];
441
385
}
442
386
$ this ->Session ->write ('_Token ' , $ token );
443
387
$ request ->params ['_Token ' ] = array (
@@ -447,47 +391,6 @@ public function generateToken(Request $request) {
447
391
return true ;
448
392
}
449
393
450
- /**
451
- * Validate that the controller has a CSRF token in the POST data
452
- * and that the token is legit/not expired. If the token is valid
453
- * it will be removed from the list of valid tokens.
454
- *
455
- * @param Controller $controller A controller to check
456
- * @return boolean Valid csrf token.
457
- */
458
- protected function _validateCsrf (Controller $ controller ) {
459
- $ token = $ this ->Session ->read ('_Token ' );
460
- $ requestToken = $ controller ->request ->data ('_Token.key ' );
461
- if (isset ($ token ['csrfTokens ' ][$ requestToken ]) && $ token ['csrfTokens ' ][$ requestToken ] >= time ()) {
462
- if ($ this ->csrfUseOnce ) {
463
- $ this ->Session ->delete ('_Token.csrfTokens. ' . $ requestToken );
464
- }
465
- return true ;
466
- }
467
- return false ;
468
- }
469
-
470
- /**
471
- * Expire CSRF nonces and remove them from the valid tokens.
472
- * Uses a simple timeout to expire the tokens.
473
- *
474
- * @param array $tokens An array of nonce => expires.
475
- * @return array An array of nonce => expires.
476
- */
477
- protected function _expireTokens ($ tokens ) {
478
- $ now = time ();
479
- foreach ($ tokens as $ nonce => $ expires ) {
480
- if ($ expires < $ now ) {
481
- unset($ tokens [$ nonce ]);
482
- }
483
- }
484
- $ overflow = count ($ tokens ) - $ this ->csrfLimit ;
485
- if ($ overflow > 0 ) {
486
- $ tokens = array_slice ($ tokens , $ overflow + 1 , null , true );
487
- }
488
- return $ tokens ;
489
- }
490
-
491
394
/**
492
395
* Calls a controller callback method
493
396
*
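Review bot: Removing the `csrfCheck` branch from `startup()` (hunk `@@ -195,9 +153,6 @@`) leaves no signal for applications that still set `$csrfCheck`, `$csrfExpires`, `$csrfUseOnce` or `$csrfLimit`: PHP will simply create them as dynamic properties and the request proceeds with no CSRF validation, so an upgrade loses the protection silently instead of failing loudly. The `$validatePost` docblock in the second hunk was updated, but the class-level description near the top of the file (its hunk begins before this chunk) should likewise state that CSRF protection is no longer provided by this component and name the component that now provides it. Consider a guard at the start of `startup()` such as `if (isset($this->csrfCheck)) { trigger_error('SecurityComponent no longer performs CSRF checks; use the dedicated CSRF component instead.', E_USER_DEPRECATED); }` so mis-configured controllers show up in logs rather than running unprotected. The rest of `startup()` and the enclosing class lie outside these hunks, so whether any other code path still reads the removed properties cannot be confirmed from here.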