author | fwenzel@mozilla.com <fwenzel@mozilla.com@4eb1ac78-321c-0410-a911-ec516a8615a5> | 2008-10-08 20:21:24 (GMT) |
---|---|---|
committer | fwenzel@mozilla.com <fwenzel@mozilla.com@4eb1ac78-321c-0410-a911-ec516a8615a5> | 2008-10-08 20:21:24 (GMT) |
commit | 3637c0d944bcaab46cefc4b332c186b3e684116f (patch) | |
tree | bb0341c858f318b183c3d8a799abedaef05a1fa0 /site/app/app_controller.php | |
parent | fd826cebf26d1d08b54b43d71e6e8349e923db7b (diff) |
preserving session ID before renewal for CSRF check (bug 458763, r=laura)
git-svn-id: http://svn.mozilla.org/addons/trunk@18942 4eb1ac78-321c-0410-a911-ec516a8615a5
Diffstat (limited to 'site/app/app_controller.php')
-rw-r--r-- | site/app/app_controller.php | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/site/app/app_controller.php b/site/app/app_controller.php
index d424285..9b88e42 100644
--- a/site/app/app_controller.php
+++ b/site/app/app_controller.php
@@ -220,6 +220,8 @@ class AppController extends Controller
 * URLs which you do not want checkCSRF to apply to.
 */
 function checkCSRF() {
+ global $csrf_old_session_id;
+
 if ($_SERVER['REQUEST_METHOD'] != 'POST') return;
 if (isset($this->exceptionCSRF)) {
@@ -235,8 +237,15 @@ class AppController extends Controller
 // this is to mitigate against where a session starts at an epoch boundary:
 $previous_epoch = $current_epoch - 1;
- $currentMd5 = md5(session_id().$id.$current_epoch);
- $previousMd5 = md5(session_id().$id.$previous_epoch);
+ // if our ID was regenerated during session spin-up, we check against the previous value
+ // see bug 458763
+ if (!empty($csrf_old_session_id))
+ $session_id = $csrf_old_session_id;
+ else
+ $session_id = session_id();
+
+ $currentMd5 = md5($session_id.$id.$current_epoch);
+ $previousMd5 = md5($session_id.$id.$previous_epoch);
 if (!isset($_POST['sessionCheck']) || ($_POST['sessionCheck'] != $currentMd5 && $_POST['sessionCheck'] != $previousMd5)) { |
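Review bot: `global $csrf_old_session_id;` at the top of checkCSRF makes the CSRF check depend on a variable whose writer is not visible in this diff, and the docblock above the function does not mention it. I would add a docblock line such as `* Reads the global $csrf_old_session_id, set when the session ID is regenerated during session spin-up (bug 458763).`, or carry the value on the controller rather than in a global so unrelated code cannot set it. The function body continues outside this hunk.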
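Review bot: The fallback at `if (!empty($csrf_old_session_id))` validates the token against the session ID the client held before regeneration, which is the value regeneration is meant to retire. Because the token is an unkeyed `md5()` over session ID, `$id` and epoch, anyone who knew that earlier ID may be able to derive a value this check accepts, depending on how predictable `$id` is (its assignment is outside the hunk). Deriving the token from a random secret kept in the session data, which survives regeneration, would remove the need for the old-ID fallback, for example `$currentMd5 = hash_hmac('sha256', $id.$current_epoch, $_SESSION['csrf_secret']);`, where `csrf_secret` is a placeholder key name. The unchanged comparison that follows uses `!=`, which PHP evaluates numerically when both strings look numeric; `!==` avoids that. checkCSRF starts and ends outside this hunk.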