authorAndrey Andreev <narf@devilix.net>2017-01-04 15:01:27 +0100
committerAndrey Andreev <narf@devilix.net>2017-01-04 15:01:27 +0100
commit5a2390d4d6287f2ce35cadae4713b7dcd10fdc9b (patch)
tree8451e543979cded3be535dbd8d5aa92e0df5f3a0
parent2ab1c1902711c8b0caf5c3e8f2fa825d72f6755d (diff)
[ci skip] Protect CSRF verification from timing side-channel attacks
-rw-r--r--system/core/Security.php14
-rw-r--r--user_guide_src/source/changelog.rst1
2 files changed, 9 insertions, 6 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index d198b663b..585ed90ec 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -224,12 +224,9 @@ class CI_Security {
}
}
- // Do the tokens exist in both the _POST and _COOKIE arrays?
- if ( ! isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
- OR $_POST[$this->_csrf_token_name] !== $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match?
- {
- $this->csrf_show_error();
- }
+ // Check CSRF token validity, but don't error on mismatch just yet - we'll want to regenerate
+ $valid = isset($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name])
+ && hash_equals($_POST[$this->_csrf_token_name], $_COOKIE[$this->_csrf_cookie_name]);
// We kill this since we're done and we don't want to pollute the _POST array
unset($_POST[$this->_csrf_token_name]);
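Review bot: The `hash_equals()` call on the added `$valid` line receives the `$_POST` and `$_COOKIE` values without a type check, and request parameters can arrive as arrays as well as strings. `isset()` is satisfied by an array, so `hash_equals()` would then emit a warning on older PHP versions or throw a `TypeError` on PHP 8 instead of producing a clean mismatch. Adding `&& is_string($_POST[$this->_csrf_token_name]) && is_string($_COOKIE[$this->_csrf_cookie_name])` ahead of the comparison keeps malformed input on the ordinary failure path. The enclosing method starts and ends outside this hunk.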
@@ -245,6 +242,11 @@ class CI_Security {
$this->_csrf_set_hash();
$this->csrf_set_cookie();
+ if ($valid !== TRUE)
+ {
+ $this->csrf_show_error();
+ }
+
log_message('info', 'CSRF token verified');
return $this;
}
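Review bot: The added `if ($valid !== TRUE)` block depends on `csrf_show_error()` never returning. That method is not visible here, but if it (or a subclass override) does return, execution continues to `log_message('info', 'CSRF token verified')` and `return $this` for a request that failed the check. A comment on the block such as `// Deferred from the comparison above so any regeneration still happens on failure; csrf_show_error() must not return` would record both the ordering and that assumption. The method begins outside the hunk.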
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index ad7d6a4ed..7284d100c 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -10,6 +10,7 @@ Release Date: Not Released
- **Security**
- Fixed an XSS vulnerability in :doc:`Security Library <libraries/security>` method ``xss_clean()``.
+ - Added protection against timing side-channel attacks in :doc:`Security Library <libraries/security>` method ``csrf_verify()``.
- General Changes