On June 8, 2012 04:42:22 PM Frank Karlitschek wrote:
> Hi everybody,
>
> we have to do something in ownCloud against the CSRF threat. We have some
> protection in some areas already but I think we need a general solution
> here. We have to check if a GET request, form POST or Ajax request really
> comes from the user and ownCloud itself or if it was triggered by an evil
> JS script or flash applet from a remote site.
>
> Read here for more information:
> http://en.wikipedia.org/wiki/Cross-site_request_forgery

Sounds good! Remember though, CSRFs are blind (as mentioned in the wiki article), so it only matters for requests with side effects (i.e. creating/modifying/deleting data). A simple request to get information isn't important.

> I thought about simpler solutions but they all have problems so I think we
> have to do the real thing which means a lot of changes in ownCloud.

Well, true. Maybe there could be some generic measures taken to help protect against simple mistakes? Things like checking the Referrer header would help prevent several drive-by attacks (i.e. using images). It's not perfect, but it would be good to have for "defence in depth".

> We have to register every possible ajax call or form submit or button press
> on the page where this call could happen with a special function. This
> function returns a token. This token has to be included in the GET or POST
> request.

<snip functions>

Looks good. It would work for the base pieces. It might be nice to add one other function to easily output a hidden input element with the name/value set, to allow easy integration.

> Opinions? Does this make sense?

I haven't looked at ownCloud's ajax system, so I'm sorry if this isn't easily implemented, but the javascript double-cookie check (mentioned in the Wikipedia article) would be good to use too. If you can intercept the ajax outgoing calls, you can restash the PHP session id into the request as a get/post parameter, and then re-check that the session is correct. This could be largely automated, making the protection that much more effective.

Matthew

_______________________________________________
Owncloud mailing list
https://mail.kde.org/mailman/listinfo/owncloud
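The session-bound token scheme Frank sketches, the hidden-input helper Matthew asks for, and the Referrer check he suggests, written out as an added example in plain PHP; this is not ownCloud's code, and the function names, the `requesttoken` parameter name and the reliance on `$_SESSION` are assumptions.

```php
<?php
// Added example, not ownCloud's own code: one unpredictable CSRF token per
// session, a helper that emits it as a hidden form field, and a check that
// verifies the token and (as defence in depth) the Referer host.
// Assumes session_start() has already run; all names here are hypothetical.

function csrf_token(): string {
    // Create the token lazily and reuse it for the life of the session.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_hidden_input(): string {
    // Drop this into every form whose submission changes state.
    return '<input type="hidden" name="requesttoken" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $request, array $server): bool {
    // The token may arrive as a GET or POST parameter; compare in constant time.
    $sent = $request['requesttoken'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        return false;
    }
    // Referer check: if the browser sent one, its host must be our own host.
    // A missing header is tolerated because some clients strip it.
    if (isset($server['HTTP_REFERER'])) {
        $refHost = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
        $ownHost = explode(':', $server['HTTP_HOST'] ?? '', 2)[0];
        if (!is_string($refHost) || $refHost !== $ownHost) {
            return false;
        }
    }
    return true;
}

// Usage in a state-changing handler (e.g. deleting a file):
// if (!csrf_check($_REQUEST, $_SERVER)) { http_response_code(403); exit; }
```

Requests that only read data are left unchecked, matching the point above that blind CSRF only matters for requests with side effects.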
