

phalcon 4 migration - first batch for #4012
o replace Phalcon\Session\Adapter\Files with new Phalcon\Session\Adapter\Stream adapter
o replace router->setUriSource() with handle() parameter
o combining sessions between phalcon and legacy php seems to be a bit problematic; the first issue seems to be the legacy csrf check. Refactor to use phalcon's method and the legacy session
o Fix Phalcon Syslog usage in ControllerRoot (wrap in Logger class)
AdSchellevis committed Apr 13, 2021
1 parent a08b8ec commit 54e05c2
Showing 6 changed files with 61 additions and 48 deletions.
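--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -72,17 +72,16 @@ function session_auth(&$Login_Error)
 closelog();
 }
 
-// Handle HTTPS httponly and secure flags
-$currentCookieParams = session_get_cookie_params();
-session_set_cookie_params(
-$currentCookieParams["lifetime"],
-$currentCookieParams["path"],
-null,
-($config['system']['webgui']['protocol'] == "https"),
-true
-);
-
 if (session_status() == PHP_SESSION_NONE) {
+// Handle HTTPS httponly and secure flags
+$currentCookieParams = session_get_cookie_params();
+session_set_cookie_params(
+$currentCookieParams["lifetime"],
+$currentCookieParams["path"],
+null,
+($config['system']['webgui']['protocol'] == "https"),
+true
+);
 session_start();
 }
 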
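Review bot: The cookie-parameter block moved inside the `session_status()` guard here is now repeated verbatim in the `LegacyCSRF` constructor in src/www/csrf.inc, so the secure/httponly settings for the legacy session cookie can drift between the two call sites; a small shared helper, e.g. `configure_session_cookie($config)` called right before `session_start()` in both places, keeps them in sync. The move itself is sound, since `session_set_cookie_params()` only affects a session that is started afterwards and was a no-op whenever a session was already active. While touching it, `$config['system']['webgui']['protocol'] === "https"` avoids the loose comparison on the config value. The body of `session_auth()` continues outside this hunk.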
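--- a/src/opnsense/mvc/app/config/services.php
+++ b/src/opnsense/mvc/app/config/services.php
@@ -5,7 +5,8 @@
 use Phalcon\Mvc\Url as UrlResolver;
 use Phalcon\Mvc\View\Engine\Volt as VoltEngine;
 use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
-use Phalcon\Session\Adapter\Files as SessionAdapter;
+use Phalcon\Session\Manager;
+use Phalcon\Session\Adapter\Stream;
 use OPNsense\Core\Config;
 use OPNsense\Core\Routing;
 
@@ -75,7 +76,9 @@
 * Start the session the first time some component request the session service
 */
 $di->setShared('session', function () {
-$session = new SessionAdapter();
+$session = new Manager();
+$files = new Stream();
+$session->setAdapter($files);
 $session->start();
 // Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
 // a valid choice.
@@ -97,6 +100,6 @@
 */
 $di->set('router', function () use ($config) {
 $routing = new Routing($config->application->controllersDir, "ui");
-$routing->getRouter()->handle();
+$routing->getRouter()->handle($_SERVER['REQUEST_URI']);
 return $routing->getRouter();
 });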
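Review bot: `handle($_SERVER['REQUEST_URI'])` in the router closure hands the full request URI, query string included, to the router; unless the Phalcon 4 release in use reduces that argument to its path component itself, routes will not match requests carrying `?...`, so this is worth verifying against the installed version, and passing only the path is safe either way: `$routing->getRouter()->handle(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?? '/');`. Note that `$_SERVER['REQUEST_URI']` is request-controlled input, which is what the previous `URI_SOURCE_SERVER_REQUEST_URI` setting consumed as well. In the session closure, `$files = new Stream();` keeps a name from the old `Files` adapter; `$adapter` reads as intended. The same two changes appear in src/opnsense/mvc/app/config/services_api.php.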
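--- a/src/opnsense/mvc/app/config/services_api.php
+++ b/src/opnsense/mvc/app/config/services_api.php
@@ -31,7 +31,8 @@
 use Phalcon\Mvc\Url as UrlResolver;
 use Phalcon\Mvc\View;
 use Phalcon\Mvc\Model\Metadata\Memory as MetaDataAdapter;
-use Phalcon\Session\Adapter\Files as SessionAdapter;
+use Phalcon\Session\Manager;
+use Phalcon\Session\Adapter\Stream;
 use OPNsense\Core\Config;
 use OPNsense\Core\Routing;
 
@@ -63,7 +64,9 @@
 * Start the session the first time some component request the session service
 */
 $di->setShared('session', function () {
-$session = new SessionAdapter();
+$session = new Manager();
+$files = new Stream();
+$session->setAdapter($files);
 $session->start();
 // Set session response cookie, unfortunalty we need to read the config here to determine if secure option is
 // a valid choice.
@@ -84,7 +87,7 @@
 */
 $di->set('router', function () use ($config) {
 $routing = new Routing($config->application->controllersDir, "api");
-$routing->getRouter()->handle();
+$routing->getRouter()->handle($_SERVER['REQUEST_URI']);
 return $routing->getRouter();
 });
 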
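--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerRoot.php
@@ -30,6 +30,7 @@
 
 use OPNsense\Core\Config;
 use Phalcon\Mvc\Controller;
+use Phalcon\Logger;
 use Phalcon\Logger\Adapter\Syslog;
 use OPNsense\Core\ACL;
 
@@ -44,6 +45,12 @@ class ControllerRoot extends Controller
 */
 public $translator;
 
+
+/**
+* log handle
+*/
+protected $logger = null;
+
 /**
 * @var null|string logged in username, populated during authentication
 */
@@ -98,12 +105,18 @@ protected function setLang()
 */
 protected function getLogger($ident = "api")
 {
-$logger = new Syslog($ident, array(
-'option' => LOG_PID,
-'facility' => LOG_LOCAL4
-));
-
-return $logger;
+if ($this->logger == null) {
+$this->logger = new Logger(
+'messages',
+[
+'main' => new Syslog($ident, array(
+'option' => LOG_PID,
+'facility' => LOG_LOCAL4
+))
+]
+);
+}
+return $this->logger;
 }
 
 /**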
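Review bot: Caching the logger in `$this->logger` means the `$ident` argument of `getLogger()` only takes effect on the first call; a later `getLogger('other')` on the same controller silently returns the logger created under the first ident, which the old per-call construction did not do. Either key the cache by ident (`$this->logger[$ident]`, with the property becoming an array) or state the first-wins behaviour in the method's docblock. The null check should also be strict, `if ($this->logger === null) {`, and the new property deserves the same `@var` style as its neighbour, e.g. `@var null|Logger syslog logger created lazily by getLogger()` in place of `log handle`. The enclosing `ControllerRoot` class starts outside this hunk.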
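--- a/src/opnsense/mvc/app/library/OPNsense/Core/Routing.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Core/Routing.php
@@ -173,9 +173,6 @@ private function setup()
 }
 }
 }
-$this->router->setUriSource(
-Router::URI_SOURCE_SERVER_REQUEST_URI
-);
 $this->router->removeExtraSlashes(true);
 }
 }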
44 changes: 21 additions & 23 deletions src/www/csrf.inc
Expand Up @@ -33,37 +33,36 @@ class LegacyCSRF
private $session = null;
private $is_html_output = false;
public function __construct()
{
$this->di = new \Phalcon\DI\FactoryDefault();
$this->security = new Phalcon\Security();
$this->security->setDi($this->di);
// register rewrite handler
ob_start(array($this,'csrfRewriteHandler'), 5242880);
}

private function Session()
{
global $config;
if ($this->session == null) {
$this->session = new Phalcon\Session\Adapter\Files();
$this->session->start();
// register rewrite handler
if (session_status() == PHP_SESSION_NONE) {
// Handle HTTPS httponly and secure flags
$currentCookieParams = session_get_cookie_params();
session_set_cookie_params(
$currentCookieParams["lifetime"],
$currentCookieParams["path"],
null,
($config['system']['webgui']['protocol'] == "https"),
true
);
session_start();
$secure = $config['system']['webgui']['protocol'] == 'https';
setcookie(session_name(), session_id(), null, '/', null, $secure, true);
$this->di->setShared('session', $this->session);
}
ob_start(array($this,'csrfRewriteHandler'), 5242880);
}

public function checkToken()
{
$result = false; // default, not valid
$this->Session();
$securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
if (empty($_POST[$securityTokenKey])) {
if (!empty($_SERVER['HTTP_X_CSRFTOKEN'])) {
$result = $this->security->checkToken(null, $_SERVER['HTTP_X_CSRFTOKEN'], false);
$result = $_SERVER['HTTP_X_CSRFTOKEN'] == $_SESSION['$PHALCON/CSRF$'];
}
} else {
$result = $this->security->checkToken($securityTokenKey, $_POST[$securityTokenKey], false);
$result = $_POST[$securityTokenKey] == $_SESSION['$PHALCON/CSRF$'];
}
// close session after validation
session_write_close();
Expand All @@ -72,15 +71,13 @@ class LegacyCSRF

private function newToken()
{
$this->Session();
$random = new \Phalcon\Security\Random();
// only request new token when session has none
$securityTokenKey = $_SESSION['$PHALCON/CSRF/KEY$'];
$securityToken = $_SESSION['$PHALCON/CSRF$'];
if (empty($securityToken) || empty($securityTokenKey)) {
$securityToken = $this->security->getToken();
$securityTokenKey = $this->security->getTokenKey();
if (empty($_SESSION['$PHALCON/CSRF/KEY$']) || empty($_SESSION['$PHALCON/CSRF$'])) {
$_SESSION['$PHALCON/CSRF$'] = $random->base64Safe(16);
$_SESSION['$PHALCON/CSRF/KEY$'] = $random->base64Safe(16);
}
return array('token'=>$securityToken, 'key' => $securityTokenKey);
return array('token' => $_SESSION['$PHALCON/CSRF$'], 'key' => $_SESSION['$PHALCON/CSRF/KEY$']);
}

public function csrfRewriteHandler($buffer)
Expand Down Expand Up @@ -113,6 +110,7 @@ class LegacyCSRF

$LegacyCSRFObject = new LegacyCSRF();


if ($_SERVER['REQUEST_METHOD'] !== 'GET' && !$LegacyCSRFObject->checkToken()) {
header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
echo sprintf("<html><head><title>%s</title></head>
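Review bot: Both token comparisons in `checkToken()` (`$_SERVER['HTTP_X_CSRFTOKEN'] == $_SESSION['$PHALCON/CSRF$']` and the `$_POST` variant below it) replace the removed `Security::checkToken()` call with a loose `==`, so the CSRF check is no longer a strict, constant-time comparison and an array-valued form field is type-juggled rather than rejected as malformed. Compare strings only and with `hash_equals()`: `$result = is_string($_SERVER['HTTP_X_CSRFTOKEN']) && hash_equals((string)($_SESSION['$PHALCON/CSRF$'] ?? ''), $_SERVER['HTTP_X_CSRFTOKEN']);` and the same form for `$_POST[$securityTokenKey]`. The `Session()` method was folded into the constructor, yet the rendered view does not show whether the `$this->Session();` call at the top of `checkToken()` was removed with it; if it survived, any non-GET request would fatal, so this is worth confirming in the raw diff. `checkToken()` ends outside its hunk and the enclosing `LegacyCSRF` class starts before it.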
