diff options
author | Andrey Andreev <narf@devilix.net> | 2017-01-04 15:01:27 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2017-01-04 15:01:27 +0100 |
commit | 5a2390d4d6287f2ce35cadae4713b7dcd10fdc9b (patch) | |
tree | 8451e543979cded3be535dbd8d5aa92e0df5f3a0 | |
parent | 2ab1c1902711c8b0caf5c3e8f2fa825d72f6755d (diff) |
[ci skip] Protect CSRF verification from timing side-channel attacks
-rw-r--r-- | system/core/Security.php | 14 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 1 |
2 files changed, 9 insertions, 6 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index d198b663b..585ed90ec 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -224,12 +224,9 @@ class CI_Security { } } - // Do the tokens exist in both the _POST and _COOKIE arrays? - if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]) - OR $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match? - { - $this->csrf_show_error(); - } + // Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate + $valid = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]) + && hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]); // We kill this since we're done and we don't want to pollute the _POST array unset($_POST[$this->_csrf_token_name]); @@ -245,6 +242,11 @@ class CI_Security { $this->_csrf_set_hash(); $this->csrf_set_cookie(); + if ($valid !== TRUE) + { + $this->csrf_show_error(); + } + log_message('info', 'CSRF token verified'); return $this; } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index ad7d6a4ed..7284d100c 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -10,6 +10,7 @@ Release Date: Not Released - **Security** - Fixed an XSS vulnerability in :doc:`Security Library <libraries/security>` method ``xss_clean()``. + - Added protection against timing side-channel attacks in :doc:`Security Library <libraries/security>` method ``csrf_verify()``. - General Changes |