
Commit c92ae61

committed
Remove most of the CSRF code from SecurityComponent.
The _Token.key data is still around until FormHelper can be updated.
1 parent b9113aa commit c92ae61

2 files changed

+2
-361
lines changed

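--- a/Cake/Controller/Component/SecurityComponent.php
+++ b/Cake/Controller/Component/SecurityComponent.php
@@ -29,7 +29,6 @@
 * your application. It provides methods for various tasks like:
 *
 * - Restricting which HTTP methods your application accepts.
-* - CSRF protection.
 * - Form tampering protection
 * - Requiring that SSL be used.
 * - Limiting cross controller communication.
@@ -90,7 +89,7 @@ class SecurityComponent extends Component {
 public $unlockedFields = array();
 
 /**
-* Actions to exclude from CSRF and POST validation checks.
+* Actions to exclude from POST validation checks.
 * Other checks like requireAuth(), requireSecure(),
 * requirePost(), requireGet() etc. will still be applied.
 *
@@ -106,47 +105,6 @@ class SecurityComponent extends Component {
 */
 public $validatePost = true;
 
-/**
-* Whether to use CSRF protected forms. Set to false to disable CSRF protection on forms.
-*
-* @var boolean
-* @see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
-* @see SecurityComponent::$csrfExpires
-*/
-public $csrfCheck = true;
-
-/**
-* The duration from when a CSRF token is created that it will expire on.
-* Each form/page request will generate a new token that can only be submitted once unless
-* it expires. Can be any value compatible with strtotime()
-*
-* @var string
-*/
-public $csrfExpires = '+30 minutes';
-
-/**
-* Controls whether or not CSRF tokens are use and burn. Set to false to not generate
-* new tokens on each request. One token will be reused until it expires. This reduces
-* the chances of users getting invalid requests because of token consumption.
-* It has the side effect of making CSRF less secure, as tokens are reusable.
-*
-* @var boolean
-*/
-public $csrfUseOnce = true;
-
-/**
-* Control the number of tokens a user can keep open.
-* This is most useful with one-time use tokens. Since new tokens
-* are created on each request, having a hard limit on the number of open tokens
-* can be useful in controlling the size of the session file.
-*
-* When tokens are evicted, the oldest ones will be removed, as they are the most likely
-* to be dead/expired.
-*
-* @var integer
-*/
-public $csrfLimit = 100;
-
 /**
 * Other components used by the Security component
 *
@@ -195,9 +153,6 @@ public function startup(Event $event) {
 if ($this->validatePost && $this->_validatePost($controller) === false) {
 return $this->blackHole($controller, 'auth');
 }
-if ($this->csrfCheck && $this->_validateCsrf($controller) === false) {
-return $this->blackHole($controller, 'csrf');
-}
 }
 $this->generateToken($controller->request);
 if ($isPost && is_array($controller->request->data)) {
@@ -422,22 +377,11 @@ public function generateToken(Request $request) {
 'allowedControllers' => $this->allowedControllers,
 'allowedActions' => $this->allowedActions,
 'unlockedFields' => $this->unlockedFields,
-'csrfTokens' => array()
 );
 
 $tokenData = array();
 if ($this->Session->check('_Token')) {
 $tokenData = $this->Session->read('_Token');
-if (!empty($tokenData['csrfTokens']) && is_array($tokenData['csrfTokens'])) {
-$token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
-}
-}
-if ($this->csrfUseOnce || empty($token['csrfTokens'])) {
-$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
-}
-if (!$this->csrfUseOnce) {
-$csrfTokens = array_keys($token['csrfTokens']);
-$token['key'] = $csrfTokens[0];
 }
 $this->Session->write('_Token', $token);
 $request->params['_Token'] = array(
@@ -447,47 +391,6 @@ public function generateToken(Request $request) {
 return true;
 }
 
-/**
-* Validate that the controller has a CSRF token in the POST data
-* and that the token is legit/not expired. If the token is valid
-* it will be removed from the list of valid tokens.
-*
-* @param Controller $controller A controller to check
-* @return boolean Valid csrf token.
-*/
-protected function _validateCsrf(Controller $controller) {
-$token = $this->Session->read('_Token');
-$requestToken = $controller->request->data('_Token.key');
-if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) {
-if ($this->csrfUseOnce) {
-$this->Session->delete('_Token.csrfTokens.' . $requestToken);
-}
-return true;
-}
-return false;
-}
-
-/**
-* Expire CSRF nonces and remove them from the valid tokens.
-* Uses a simple timeout to expire the tokens.
-*
-* @param array $tokens An array of nonce => expires.
-* @return array An array of nonce => expires.
-*/
-protected function _expireTokens($tokens) {
-$now = time();
-foreach ($tokens as $nonce => $expires) {
-if ($expires < $now) {
-unset($tokens[$nonce]);
-}
-}
-$overflow = count($tokens) - $this->csrfLimit;
-if ($overflow > 0) {
-$tokens = array_slice($tokens, $overflow + 1, null, true);
-}
-return $tokens;
-}
-
 /**
 * Calls a controller callback method
 *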