Makes a lot of sense IMHO. :-)
Frank

On 12.06.2012, at 14:16, Thomas Tanghus <[email protected]> wrote:

> On Friday 08 June 2012 16:42 Frank Karlitschek wrote:
>
>> /**
>>  * Register a get/post call
>>  */
>> public static function callRegister(){
>>     // generate a random token.
>>     // store the token together with a timestamp in the session.
>>     // return the token
>> }
>>
>>
>> /**
>>  * Check an ajax get/post call
>>  */
>> public static function callCheck(){
>>     // searches in the get and post arrays for the token.
>>     // check if the token is in the user session and if the timestamp is from the last hour.
>>     // exit if not found and return if found.
>> }
>>
>
> I just tested this, and we need some extra methods. Something like:
>
> lib/util.php:
>
> public static function isCalledRegistered(){
>     $maxtime=(60*60); // 1 hour
>     if(isset($_GET['requesttoken'])) {
>         $token=$_GET['requesttoken'];
>     }elseif(isset($_POST['requesttoken'])){
>         $token=$_POST['requesttoken'];
>     }else{
>         return false;
>     }
>     if(isset($_SESSION['requesttoken-'.$token])) {
>         $timestamp=$_SESSION['requesttoken-'.$token];
>         if($timestamp+$maxtime<time()){
>             return false;
>         }else{
>             //token valid
>             return true;
>         }
>     }else{
>         return false;
>     }
> }
>
> public static function callCheck(){
>     if(!OC_Util::isCalledRegistered()) {
>         exit;
>     }
> }
>
> lib/json.php:
>
> public static function callCheck(){
>     if( !OC_Util::isCalledRegistered()){
>         $l = OC_L10N::get('core');
>         self::error(array( 'data' => array( 'message' => $l->t('Token expired') )));
>         exit();
>     }
> }
>
> And then the public methods.
>
> --
> Med venlig hilsen / Best Regards
>
> Thomas Tanghus

_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
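The register/check pair sketched in the thread, written out as a self-contained PHP example. This is added illustration, not ownCloud's own code or anything from the thread: the class name `RequestToken`, the method names `register()` and `check()`, the single `requesttoken` session key holding a token-to-timestamp map, and the `$now` parameter are all assumptions chosen so the code can be run from the CLI against a constructed session array instead of a live `$_SESSION`.

```php
<?php
// Added example (not ownCloud's code): a stand-alone version of the
// callRegister / callCheck design discussed in the thread. Names such as
// RequestToken, register(), check() and the 'requesttoken' key are assumptions
// made for this example; the session is passed in as an array so the logic
// can be exercised from the CLI without a real PHP session.

final class RequestToken
{
    // Tokens are accepted for one hour after registration, as in the thread.
    const MAX_AGE = 3600;

    // Generates a fresh token, records its creation time under
    // $session['requesttoken'][<token>] and returns it for embedding in the
    // form or AJAX call. Expired entries are pruned on every registration so
    // the session does not accumulate stale tokens indefinitely.
    public static function register(array &$session, $now = null)
    {
        $now = ($now === null) ? time() : $now;
        if (!isset($session['requesttoken']) || !is_array($session['requesttoken'])) {
            $session['requesttoken'] = array();
        }
        foreach ($session['requesttoken'] as $stored => $created) {
            if ($created + self::MAX_AGE < $now) {
                unset($session['requesttoken'][$stored]);
            }
        }
        // random_bytes() is a CSPRNG (PHP >= 7.0); 16 bytes gives a 128-bit token.
        $token = bin2hex(random_bytes(16));
        $session['requesttoken'][$token] = $now;
        return $token;
    }

    // Looks for 'requesttoken' in the GET parameters, then POST (the order the
    // thread proposes), and accepts the request only if that exact token was
    // registered in this session no more than MAX_AGE seconds ago.
    public static function check(array $session, array $get, array $post, $now = null)
    {
        $now = ($now === null) ? time() : $now;
        if (isset($get['requesttoken'])) {
            $token = $get['requesttoken'];
        } elseif (isset($post['requesttoken'])) {
            $token = $post['requesttoken'];
        } else {
            return false;                       // no token supplied at all
        }
        // Reject non-string input (e.g. requesttoken[]=... array tricks) and
        // tokens this session never issued.
        if (!is_string($token) || !isset($session['requesttoken'][$token])) {
            return false;
        }
        $created = $session['requesttoken'][$token];
        return $created + self::MAX_AGE >= $now; // false once the hour has passed
    }
}

// Demonstration against a constructed session array (CLI only).
if (PHP_SAPI === 'cli') {
    $session = array();
    $t0 = 1339500000; // constructed "now" so the run is reproducible
    $token = RequestToken::register($session, $t0);

    // 1. Token presented via POST ten minutes after registration.
    var_dump(RequestToken::check($session, array(), array('requesttoken' => $token), $t0 + 600));
    // 2. Same token two hours later: outside the one-hour window.
    var_dump(RequestToken::check($session, array(), array('requesttoken' => $token), $t0 + 7200));
    // 3. A token this session never registered.
    var_dump(RequestToken::check($session, array('requesttoken' => str_repeat('0', 32)), array(), $t0));
    // 4. Registering a new token later prunes the expired one from the session.
    RequestToken::register($session, $t0 + 7200);
    var_dump(isset($session['requesttoken'][$token]));
}
```

Two points of this design worth noting for anyone implementing the thread's proposal: the check is bound to the user's own session, so a token a third-party page could guess or reuse is useless unless it was issued inside that same session, and the lookup is by array key rather than a string comparison over the submitted value, so the code path does not leak which tokens exist through timing. Pruning on registration is the caveat the thread's sketch omits: without it every page view leaves another `requesttoken` entry in the session for as long as the session lives.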
