From bc959df0c9df3fdf250fb93ef30dbb81cbd848c7 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 19 May 2016 15:46:30 +0200
Subject: Fix CSRF token checking; improve token/sid generation

---
 inc/session.inc.php | 10 +++++-----
 inc/user.inc.php | 12 ++++++++++--
 inc/util.inc.php | 6 +++---
 3 files changed, 18 insertions(+), 10 deletions(-)
(limited to 'inc')

diff --git a/inc/session.inc.php b/inc/session.inc.php
index b4299e06..26effa3f 100644
--- a/inc/session.inc.php
+++ b/inc/session.inc.php
@@ -11,11 +11,11 @@ class Session
 private static $sid = false;
 private static $data = false;
- private static function generateSessionId()
+ private static function generateSessionId($salt)
 {
 if (self::$sid !== false)
 Util::traceError('Error: Asked to generate session id when already set.');
- self::$sid = sha1(
- mt_rand(0, 65535)
+ self::$sid = sha1($salt . ','
+ . mt_rand(0, 65535)
 . $_SERVER['REMOTE_ADDR']
 . mt_rand(0, 65535)
 . $_SERVER['REMOTE_PORT']
@@ -27,9 +27,9 @@ class Session
 );
 }
- public static function create()
+ public static function create($salt = '')
 {
- self::generateSessionId();
+ self::generateSessionId($salt);
 self::$data = array();
 }
diff --git a/inc/user.inc.php b/inc/user.inc.php
index 595f4745..49500aa2 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -56,9 +56,17 @@ class User
 return false;
 if (!Crypto::verify($pass, $ret['passwd']))
 return false;
- Session::create();
+ Session::create($ret['passwd']);
 Session::set('uid', $ret['userid']);
- Session::set('token', md5(rand() . time() . rand() . $_SERVER['REMOTE_ADDR'] . rand() . $_SERVER['REMOTE_PORT'] . rand() . $_SERVER['HTTP_USER_AGENT']));
+ Session::set('token', md5($ret['passwd'] . ','
+ . rand() . ','
+ . time() . ','
+ . rand() . ','
+ . $_SERVER['REMOTE_ADDR'] . ','
+ . rand() . ','
+ . $_SERVER['REMOTE_PORT'] . ','
+ . rand() . ','
+ . $_SERVER['HTTP_USER_AGENT']));
 Session::save();
 return true;
 }
diff --git a/inc/util.inc.php b/inc/util.inc.php
index c0b77f96..1b29aa39 100644
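Review bot: The session id on the new `+ self::$sid = sha1($salt . ','` line is still derived from `mt_rand()` plus request metadata, and `mt_rand()` is not a cryptographically secure generator; the added `$salt` (the stored password hash, judging by the user.inc.php hunk) only makes the id harder to predict for as long as that hash stays secret. A session id should come straight from the OS CSPRNG, e.g. `self::$sid = bin2hex(random_bytes(20));` (PHP 7.0+; `openssl_random_pseudo_bytes(20)` on PHP 5), which keeps the same 40-hex-character length as the current sha1 output. With that change the `$salt` parameter, and the `create($salt = '')` pass-through in the following hunk, are no longer needed. The sha1 argument list of generateSessionId continues past the end of this hunk.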
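Review bot: The CSRF token built on the new `Session::set('token', md5($ret['passwd'] . ','` lines is assembled from `rand()` outputs and request metadata that a third party can largely observe or guess, so its unpredictability rests on the password hash being mixed in rather than on a proper random source. A token needs no derivation at all: `Session::set('token', bin2hex(random_bytes(16)));` (PHP 7.0+, or `openssl_random_pseudo_bytes` on PHP 5) gives 32 hex characters, the same length as the md5 digest, and stops tying the token to the stored hash. The `$_SERVER['HTTP_USER_AGENT']` read carried over from the old line also raises a notice when the header is absent, which a CSPRNG token avoids as a side effect. The enclosing method starts before this hunk.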
--- a/inc/util.inc.php
+++ b/inc/util.inc.php
@@ -103,7 +103,7 @@ SADFACE;
 }
 /**
- * Verify the user's token that protects agains CSRF.
+ * Verify the user's token that protects against CSRF.
 * If the user is logged in and there is no token variable set in
 * the request, or the submitted token does not match the user's
 * token, this function will return false and display an error.
@@ -111,9 +111,9 @@ SADFACE;
 */
 public static function verifyToken()
 {
- if (Session::get('main.token') === false)
+ if (!User::isLoggedIn() && Session::get('token') === false)
 return true;
- if (isset($_REQUEST['main.token']) && Session::get('main.token') === $_REQUEST['main.token'])
+ if (isset($_REQUEST['token']) && Session::get('token') === $_REQUEST['token'])
 return true;
 Message::addError('main.token');
 return false;
-- cgit v1.2.3-55-g7522
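Review bot: The new `Session::get('token') === $_REQUEST['token']` line compares the secret with plain string equality, which is not constant-time; use `hash_equals()` (PHP 5.6+) after confirming both sides are strings, because `token[]=x` turns `$_REQUEST['token']` into an array and `Session::get` may return `false`: `$expected = Session::get('token');` followed by `if (isset($_REQUEST['token']) && is_string($_REQUEST['token']) && is_string($expected) && hash_equals($expected, $_REQUEST['token']))`. Reading the token from `$_REQUEST` also accepts it from the query string (and, depending on `request_order`, from cookies), where it can leak through Referer headers and access logs; if every caller submits it in a POST body, `$_POST['token']` is the tighter source, but that depends on callers outside this diff. The first check returns true for an anonymous user only when no session token exists, so a logged-in session that somehow lacks a token fails closed on the error path, which looks intended. verifyToken's closing brace lies outside the hunk.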