Browse Source

implement form tokens

main 1.9.1
ghost 9 months ago
parent
commit
be100a1420
  1. 39
      src/Controller/ModuleController.php
  2. 43
      src/Controller/RoomController.php
  3. 76
      src/Controller/UserController.php
  4. 1
      templates/default/module/post.html.twig
  5. 1
      templates/default/module/room.html.twig
  6. 1
      templates/default/user/join.html.twig
  7. 1
      templates/default/user/login.html.twig

39
src/Controller/ModuleController.php

@ -128,11 +128,6 @@ class ModuleController extends AbstractController @@ -128,11 +128,6 @@ class ModuleController extends AbstractController
public function post(
Request $request
): Response
{
// Check user session exist
$username = false;
if (!empty($request->cookies->get('KEVACHAT_SESSION')) && preg_match('/[A-z0-9]{32}/', $request->cookies->get('KEVACHAT_SESSION')))
{
// Connect memcached
$memcached = new \Memcached();
@ -141,6 +136,21 @@ class ModuleController extends AbstractController @@ -141,6 +136,21 @@ class ModuleController extends AbstractController
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
// Check user session exist
$username = false;
if (!empty($request->cookies->get('KEVACHAT_SESSION')) && preg_match('/[A-z0-9]{32}/', $request->cookies->get('KEVACHAT_SESSION')))
{
// Check username exist for this session
if ($value = $memcached->get($request->cookies->get('KEVACHAT_SESSION')))
{
@ -203,6 +213,7 @@ class ModuleController extends AbstractController @@ -203,6 +213,7 @@ class ModuleController extends AbstractController
'error' => $request->get('error'),
'warning' => $request->get('warning'),
'sign' => $sign,
'token' => $token,
'message' => $message,
'username' => $username,
'cost' => $this->getParameter('app.add.post.cost.kva'),
@ -223,10 +234,28 @@ class ModuleController extends AbstractController @@ -223,10 +234,28 @@ class ModuleController extends AbstractController
Request $request
): Response
{
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
return $this->render(
'default/module/room.html.twig',
[
'request' => $request,
'token' => $token,
'cost' => $this->getParameter('app.add.room.cost.kva')
]
);

43
src/Controller/RoomController.php

@ -442,6 +442,29 @@ class RoomController extends AbstractController @@ -442,6 +442,29 @@ class RoomController extends AbstractController
}
*/
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'room_namespace',
[
'mode' => $request->get('mode'),
'namespace' => $request->get('namespace'),
'message' => $request->get('message'),
'sign' => $request->get('sign'),
'error' => $translator->trans('Session token expired'),
'_fragment' => 'latest'
]
);
}
// Validate access to the room namespace
if
(
@ -794,6 +817,26 @@ class RoomController extends AbstractController @@ -794,6 +817,26 @@ class RoomController extends AbstractController
$request->get('name')
);
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'room_list',
[
'mode' => $request->get('mode'),
'name' => $name,
'error' => $translator->trans('Session token expired')
]
);
}
// Validate kevacoin key requirements
if (mb_strlen($name) < 1 || mb_strlen($name) > 520)
{

76
src/Controller/UserController.php

@ -159,6 +159,23 @@ class UserController extends AbstractController @@ -159,6 +159,23 @@ class UserController extends AbstractController
?Request $request
): Response
{
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
// Check user session does not exist to continue
if (!empty($request->cookies->get('KEVACHAT_SESSION')))
{
@ -172,6 +189,7 @@ class UserController extends AbstractController @@ -172,6 +189,7 @@ class UserController extends AbstractController
'default/user/join.html.twig',
[
'request' => $request,
'token' => $token,
'cost' => $this->getParameter('app.add.user.cost.kva')
]
);
@ -189,6 +207,23 @@ class UserController extends AbstractController @@ -189,6 +207,23 @@ class UserController extends AbstractController
?Request $request
): Response
{
// Connect memcached
$memcached = new \Memcached();
$memcached->addServer(
$this->getParameter('app.memcached.host'),
$this->getParameter('app.memcached.port')
);
// Create token
$token = crc32(
microtime(true) + rand()
);
$memcached->add(
$token,
time()
);
// Check user session does not exist to continue
if (!empty($request->cookies->get('KEVACHAT_SESSION')))
{
@ -201,7 +236,8 @@ class UserController extends AbstractController @@ -201,7 +236,8 @@ class UserController extends AbstractController
return $this->render(
'default/user/login.html.twig',
[
'request' => $request
'request' => $request,
'token' => $token
]
);
}
@ -298,6 +334,25 @@ class UserController extends AbstractController @@ -298,6 +334,25 @@ class UserController extends AbstractController
),
);
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'user_add',
[
'username' => $request->get('username'),
'error' => $translator->trans('Session token expired')
]
);
}
// Validate remote IP limits
if ($delay = (int) $memcached->get($memory))
{
@ -629,6 +684,25 @@ class UserController extends AbstractController @@ -629,6 +684,25 @@ class UserController extends AbstractController
$this->getParameter('app.memcached.port')
);
// Validate form token
if ($memcached->get($request->get('token')))
{
$memcached->delete(
$request->get('token')
);
}
else
{
return $this->redirectToRoute(
'user_login',
[
'username' => $request->get('username'),
'error' => $translator->trans('Session token expired')
]
);
}
// Check client connection
if (!$client = $this->_client())
{

1
templates/default/module/post.html.twig

@ -34,5 +34,6 @@ @@ -34,5 +34,6 @@
{% if cost %}
<span>{{ 'cost: %s KVA' | format(cost) | trans }}</span>
{% endif %}
<input type="hidden" name="token" value="{{ token }}" />
</form>
{% endif %}

1
templates/default/module/room.html.twig

@ -10,4 +10,5 @@ @@ -10,4 +10,5 @@
{% if cost %}
<span>{{ 'cost: %s KVA' | format(cost) | trans }}</span>
{% endif %}
<input type="hidden" name="token" value="{{ token }}" />
</form>

1
templates/default/user/join.html.twig

@ -19,5 +19,6 @@ @@ -19,5 +19,6 @@
{% if cost %}
<span>{{ 'cost: %s KVA' | format(cost) | trans }}</span>
{% endif %}
<input type="hidden" name="token" value="{{ token }}" />
</form>
{% endblock %}

1
templates/default/user/login.html.twig

@ -11,5 +11,6 @@ @@ -11,5 +11,6 @@
<input type="password" name="password" id="password" value="" />
<a href="{{ path('user_join') }}">{{ 'Create account' | trans }}</a>
<button type="submit">{{ 'login' | trans }}</button>
<input type="hidden" name="token" value="{{ token }}" />
</form>
{% endblock %}
Loading…
Cancel
Save