authorfwenzel@mozilla.com <fwenzel@mozilla.com@4eb1ac78-321c-0410-a911-ec516a8615a5>2008-10-08 20:21:24 (GMT)
committer fwenzel@mozilla.com <fwenzel@mozilla.com@4eb1ac78-321c-0410-a911-ec516a8615a5>2008-10-08 20:21:24 (GMT)
commit3637c0d944bcaab46cefc4b332c186b3e684116f (patch)
treebb0341c858f318b183c3d8a799abedaef05a1fa0 /site/app/app_controller.php
parentfd826cebf26d1d08b54b43d71e6e8349e923db7b (diff)
preserving session ID before renewal for CSRF check (bug 458763, r=laura)
git-svn-id: http://svn.mozilla.org/addons/trunk@18942 4eb1ac78-321c-0410-a911-ec516a8615a5
Diffstat (limited to 'site/app/app_controller.php')
-rw-r--r--site/app/app_controller.php13
1 files changed, 11 insertions, 2 deletions
diff --git a/site/app/app_controller.php b/site/app/app_controller.php
index d424285..9b88e42 100644
--- a/site/app/app_controller.php
+++ b/site/app/app_controller.php
@@ -220,6 +220,8 @@ class AppController extends Controller
* URLs which you do not want checkCSRF to apply to.
*/
function checkCSRF() {
+ global $csrf_old_session_id;
+
if ($_SERVER['REQUEST_METHOD'] != 'POST') return;
if (isset($this->exceptionCSRF)) {
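Review bot: `global $csrf_old_session_id;` at the top of checkCSRF() pulls in a value that is never assigned anywhere in this diff, and the second hunk then prefers it over `session_id()` whenever it is non-empty. Because that value becomes part of the CSRF token input, the session start-up code should assign it unconditionally (for example to an empty string when no regeneration took place), so that it can only come from the server's own session handling; this matters most on installations where `register_globals` is enabled. The dependency also deserves a line in the method's docblock, e.g. `* Reads global $csrf_old_session_id, set during session spin-up when the session ID was regenerated (bug 458763).` The body of checkCSRF() continues outside this hunk, so the assignment site could not be checked here.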
@@ -235,8 +237,15 @@ class AppController extends Controller
// this is to mitigate against where a session starts at an epoch boundary:
$previous_epoch = $current_epoch - 1;
- $currentMd5 = md5(session_id().$id.$current_epoch);
- $previousMd5 = md5(session_id().$id.$previous_epoch);
+ // if our ID was regenerated during session spin-up, we check against the previous value
+ // see bug 458763
+ if (!empty($csrf_old_session_id))
+ $session_id = $csrf_old_session_id;
+ else
+ $session_id = session_id();
+
+ $currentMd5 = md5($session_id.$id.$current_epoch);
+ $previousMd5 = md5($session_id.$id.$previous_epoch);
if (!isset($_POST['sessionCheck']) ||
($_POST['sessionCheck'] != $currentMd5 && $_POST['sessionCheck'] != $previousMd5)) {