Browse Source

implement form tokens

main 1.9.1
ghost 9 months ago
parent
commit
be100a1420
  1. 43
      src/Controller/ModuleController.php
  2. 43
      src/Controller/RoomController.php
  3. 76
      src/Controller/UserController.php
  4. 1
      templates/default/module/post.html.twig
  5. 1
      templates/default/module/room.html.twig
  6. 1
      templates/default/user/join.html.twig
  7. 1
      templates/default/user/login.html.twig

43
src/Controller/ModuleController.php

@ -129,18 +129,28 @@ class ModuleController extends AbstractController
Request $request Request $request
): Response ): Response
{ {
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
// Check user session exist // Check user session exist
$username = false; $username = false;
if (!empty($request->cookies->get('KEVACHAT_SESSION')) && preg_match('/[A-z0-9]{32}/', $request->cookies->get('KEVACHAT_SESSION'))) if (!empty($request->cookies->get('KEVACHAT_SESSION')) && preg_match('/[A-z0-9]{32}/', $request->cookies->get('KEVACHAT_SESSION')))
{ {
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Check username exist for this session // Check username exist for this session
if ($value = $memcached->get($request->cookies->get('KEVACHAT_SESSION'))) if ($value = $memcached->get($request->cookies->get('KEVACHAT_SESSION')))
{ {
@ -203,6 +213,7 @@ class ModuleController extends AbstractController
'error' => $request->get('error'), 'error' => $request->get('error'),
'warning' => $request->get('warning'), 'warning' => $request->get('warning'),
'sign' => $sign, 'sign' => $sign,
'token' => $token,
'message' => $message, 'message' => $message,
'username' => $username, 'username' => $username,
'cost' => $this->getParameter('app.add.post.cost.kva'), 'cost' => $this->getParameter('app.add.post.cost.kva'),
@ -223,10 +234,28 @@ class ModuleController extends AbstractController
Request $request Request $request
): Response ): Response
{ {
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
return $this->render( return $this->render(
'default/module/room.html.twig', 'default/module/room.html.twig',
[ [
'request' => $request, 'request' => $request,
'token' => $token,
'cost' => $this->getParameter('app.add.room.cost.kva') 'cost' => $this->getParameter('app.add.room.cost.kva')
] ]
); );

43
src/Controller/RoomController.php

@ -442,6 +442,29 @@ class RoomController extends AbstractController
} }
*/ */
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'room_namespace',
[
'mode' => $request->get('mode'),
'namespace' => $request->get('namespace'),
'message' => $request->get('message'),
'sign' => $request->get('sign'),
'error' => $translator->trans('Session token expired'),
'_fragment' => 'latest'
]
);
}
// Validate access to the room namespace // Validate access to the room namespace
if if
( (
@ -794,6 +817,26 @@ class RoomController extends AbstractController
$request->get('name') $request->get('name')
); );
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'room_list',
[
'mode' => $request->get('mode'),
'name' => $name,
'error' => $translator->trans('Session token expired')
]
);
}
// Validate kevacoin key requirements // Validate kevacoin key requirements
if (mb_strlen($name) < 1 || mb_strlen($name) > 520) if (mb_strlen($name) < 1 || mb_strlen($name) > 520)
{ {

76
src/Controller/UserController.php

@ -159,6 +159,23 @@ class UserController extends AbstractController
?Request $request ?Request $request
): Response ): Response
{ {
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
// Check user session does not exist to continue // Check user session does not exist to continue
if (!empty($request->cookies->get('KEVACHAT_SESSION'))) if (!empty($request->cookies->get('KEVACHAT_SESSION')))
{ {
@ -172,6 +189,7 @@ class UserController extends AbstractController
'default/user/join.html.twig', 'default/user/join.html.twig',
[ [
'request' => $request, 'request' => $request,
'token' => $token,
'cost' => $this->getParameter('app.add.user.cost.kva') 'cost' => $this->getParameter('app.add.user.cost.kva')
] ]
); );
@ -189,6 +207,23 @@ class UserController extends AbstractController
?Request $request ?Request $request
): Response ): Response
{ {
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
// Check user session does not exist to continue // Check user session does not exist to continue
if (!empty($request->cookies->get('KEVACHAT_SESSION'))) if (!empty($request->cookies->get('KEVACHAT_SESSION')))
{ {
@ -201,7 +236,8 @@ class UserController extends AbstractController
return $this->render( return $this->render(
'default/user/login.html.twig', 'default/user/login.html.twig',
[ [
'request' => $request 'request' => $request,
'token' => $token
] ]
); );
} }
@ -298,6 +334,25 @@ class UserController extends AbstractController
), ),
); );
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'user_add',
[
'username' => $request->get('username'),
'error' => $translator->trans('Session token expired')
]
);
}
// Validate remote IP limits // Validate remote IP limits
if ($delay = (int) $memcached->get($memory)) if ($delay = (int) $memcached->get($memory))
{ {
@ -629,6 +684,25 @@ class UserController extends AbstractController
$this->getParameter('app.memcached.port') $this->getParameter('app.memcached.port')
); );
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'user_login',
[
'username' => $request->get('username'),
'error' => $translator->trans('Session token expired')
]
);
}
// Check client connection // Check client connection
if (!$client = $this->_client()) if (!$client = $this->_client())
{ {

1
templates/default/module/post.html.twig

@ -34,5 +34,6 @@
{% if cost %} {% if cost %}
<span>{{ 'cost: %s KVA' | format(cost) | trans }}</span> <span>{{ 'cost: %s KVA' | format(cost) | trans }}</span>
{% endif %} {% endif %}
<input type="hidden" name="token" value="{{ token }}" />
</form> </form>
{% endif %} {% endif %}

1
templates/default/module/room.html.twig

@ -10,4 +10,5 @@
{% if cost %} {% if cost %}
<span>{{ 'cost: %s KVA' | format(cost) | trans }}</span> <span>{{ 'cost: %s KVA' | format(cost) | trans }}</span>
{% endif %} {% endif %}
<input type="hidden" name="token" value="{{ token }}" />
</form> </form>

1
templates/default/user/join.html.twig

@ -19,5 +19,6 @@
{% if cost %} {% if cost %}
<span>{{ 'cost: %s KVA' | format(cost) | trans }}</span> <span>{{ 'cost: %s KVA' | format(cost) | trans }}</span>
{% endif %} {% endif %}
<input type="hidden" name="token" value="{{ token }}" />
</form> </form>
{% endblock %} {% endblock %}

1
templates/default/user/login.html.twig

@ -11,5 +11,6 @@
<input type="password" name="password" id="password" value="" /> <input type="password" name="password" id="password" value="" />
<a href="{{ path('user_join') }}">{{ 'Create account' | trans }}</a> <a href="{{ path('user_join') }}">{{ 'Create account' | trans }}</a>
<button type="submit">{{ 'login' | trans }}</button> <button type="submit">{{ 'login' | trans }}</button>
<input type="hidden" name="token" value="{{ token }}" />
</form> </form>
{% endblock %} {% endblock %}
Loading…
Cancel
Save