CSRFå¯¾ç–ç”¨ã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆã¨ãƒ˜ãƒ«ãƒ‘ãƒ¼

CSRFå¯¾ç–ã®ãƒˆãƒ¼ã‚¯ãƒ³ãƒã‚§ãƒƒã‚¯ã¯ã€çµå±€è‡ªä½œã§å…¥ã‚Œã‚‹äº‹ã«ã—ã¦ã€
Tokenä½œæˆãŠã‚ˆã³ãƒã‚§ãƒƒã‚¯ã®ã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆã¨ãƒ˜ãƒ«ãƒ‘ãƒ¼ã‚’ä½œæˆã—ã¾ã—ãŸã€‚

ãƒ—ãƒ©ã‚°ã‚¤ãƒ³ã«ã¾ã¨ã‚ã¦ã‚‚è‰¯ã•ãã†ãªã®ã§ã™ãŒã€è‰¯ã„åç§°ãŒæ€ã„æµ®ã‹ã°ãªã„ã®ã§ä¿ç•™ *1

(2011/2/10 ã‚³ãƒ¡ãƒ³ãƒˆæŒ‡æ‘˜ã‚’å—ã‘ã¦ä¿®æ£ã—ã¾ã—ãŸï¼‰

ä½œæˆã—ãŸã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆã¨ãƒ˜ãƒ«ãƒ‘ãƒ¼ã®ã‚½ãƒ¼ã‚¹ã¯æœ«å°¾ã€‚

Tokenã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆ

Authã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆã®$ActionMapã‚’è¦‹ã¦ã€æœªè¨å®š/readä»¥å¤–ï¼ˆcreate, delete, updateï¼‰ã®ã‚¢ã‚¯ã‚·ãƒ§ãƒ³ã§ã‚ã‚Œã°ã€POSTãŒã‚ã‚‹å ´åˆTokenãƒã‚§ãƒƒã‚¯ã‚’è¡Œãªã†ã€‚
TokenãŒãªã„ã€ã‚ã‚‹ã„ã¯æ£ã—ããªã„å ´åˆã€å‡¦ç†åœæ¢ã€‚

Tokenãƒ˜ãƒ«ãƒ‘ãƒ¼

value=ã‚»ãƒƒã‚·ãƒ§ãƒ³IDã®ãƒãƒƒã‚·ãƒ¥ ã§ã‚ã‚‹hiddenã‚¿ã‚°ã‚’å‡ºåŠ›
æš—å·åŒ–ã¯ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆmd5

ã‚³ãƒ³ãƒˆãƒãƒ¼ãƒ©ãƒ»ãƒ“ãƒ¥ãƒ¼å´ã®å¯¾å¿œ

Tokenãƒã‚§ãƒƒã‚¯ã¯app_controllerã®beforeFilterã§å®Ÿæ–½ã€‚

// å¯¾CSRF:Tokenãƒã‚§ãƒƒã‚¯
$this->Token->checkToken();

TokenãŒå¿…è¦ãªviewã«ã¯formã‚¿ã‚°å†…ã«ä»¥ä¸‹ã®é€šã‚Šè¿½è¨˜ã€‚

echo $token->create();

create/delete/updateã®ã„ãšã‚Œã‹ã ã‘ã©ã€Tokenãƒã‚§ãƒƒã‚¯ã‚’ã•ã›ãªã„ã‚¢ã‚¯ã‚·ãƒ§ãƒ³ãŒã‚ã‚‹å ´åˆã¯ã€å€‹ã€…ã®ã‚³ãƒ³ãƒˆãƒãƒ¼ãƒ©ã«ä»¥ä¸‹ã®å¤‰æ•°ã‚’è¨å®šã€‚

var $disableTokenActions = array('add','mobile_add');

* ã§å…¨ã‚¢ã‚¯ã‚·ãƒ§ãƒ³ã§ä¸ä½¿ç”¨ã€‚

é•·æ™‚é–“åŒã˜ã‚»ãƒƒã‚·ãƒ§ãƒ³IDã ã¨ç„¡ç”¨å¿ƒãªã®ã§ã€æœ‰åŠ¹æœŸé™ã‚‚ã¡ã‚‡ã£ã¨å¤‰ãˆã¾ã—ãŸ*2

-       Configure::write('Session.timeout', '3600');
+       Configure::write('Session.timeout', '432');

è‡ªå‰ã®èªè¨¼ã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆä»•æ§˜ã«ãªã£ã¦ã„ã¾ã™ãŒã€AuthPlusã‚’Authã«ç½®æ›ã™ã‚Œã°CakePHPãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã®Authã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆå¯¾å¿œã§ä½¿ç”¨ã§ãã‚‹ã¯ãšã§ã™ã€‚

å…¨å·®åˆ†

Index: controllers/components/token.php
===================================================================
--- controllers/components/token.php    (revision 0)
+++ controllers/components/token.php    (revision 0)
@@ -0,0 +1,111 @@
+<?php
+/**
+ * CSRFå¯¾ç–ç”¨Tokenãƒã‚§ãƒƒã‚«ãƒ¼
+ * Security.level = medium ã¾ãŸã¯ low ã®ã¿
+ */
+
+class TokenComponent extends Object
+{
+
+/**
+ * Components used by TokenHelper
+ *
+ * @var array
+ * @access public
+ */
+       var $components = array('Session');
+
+       var $_modelClass;
+       var $_data = array();
+       var $_action;
+       var $_actionMap = array();
+       var $type;
+       var $useToken = false;
+       var $disableActions = array();
+
+       function initialize(&$controller)
+       {
+               $this->_modelClass = $controller->modelClass;
+               $this->_action = $controller->action;
+               if (isset($controller->params['data'])) {
+                       $this->_data = $controller->params['data'];
+               }
+
+               if (isset($controller->AuthPlus)) {
+                       $this->_actionMap = $controller->AuthPlus->actionMap;
+               } else {
+                       return ;
+               }
+
+               if (isset($this->_actionMap[$this->_action])) {
+                       $this->type = $this->_actionMap[$this->_action];
+               }
+
+               if (!isset($controller->disableTokenActions)) {
+                       $this->useToken = false;
+               } else {
+                       $this->useToken = $this->isUseToken($controller->disableTokenActions);
+               }
+
+               $this->Session->startup($controller);
+       }
+
+       /* true: Token OK */
+       function checkToken($tag_name = '__Token', $hash_type = 'md5')
+       {
+               if ($this->useToken === false) {
+                       return ;
+               }
+               $hashed_session_id = $this->get_hashed_session_id();
+
+               if ($this->_data) {
+                       if (!isset($this->_data[$this->_modelClass][$tag_name])) {
+                               $this->_blackHole();
+                       }
+                       if ($this->_data[$this->_modelClass][$tag_name] != $hashed_session_id) {
+                               $this->_blackHole();
+                       }
+               } else {
+                       return ;
+               }
+       }
+
+       /* true:Tokenä½¿ç”¨ */
+       function isUseToken($disableTokenActions)
+       {
+               if ($disableTokenActions == '*') {
+                       return false;
+               }
+               if (!$this->type || $this->type == 'read') {
+                       return false;
+               }
+               if (in_array($this->_action, (array)$disableTokenActions)) {
+                       return false;
+               }
+
+               return true;
+       }
+
+       function _blackHole($msg='')
+       {
+               if (!$msg) {
+                       $msg = _('ILLEGAL POST!');
+               }
+
+               die($msg);
+       }
+
+       /* ç¾åœ¨ã®ã‚»ãƒƒã‚·ãƒ§ãƒ³IDã‚’æš—å·åŒ–ã—ã¦å–å¾— */
+       function get_hashed_session_id($hash_type = 'md5')
+       {
+               $session_id = $this->Session->id(null);
+
+               if (!$session_id) {
+                       $this->_blackHole('No Session.');
+               }
+
+               return Security::hash($session_id. Configure::read('Security.salt'), $hash_type);
+       }
+
+}
+
Index: views/helpers/token.php
===================================================================
--- views/helpers/token.php     (revision 0)
+++ views/helpers/token.php     (revision 0)
@@ -0,0 +1,38 @@
+<?php
+/**
+ * CSRFå¯¾ç–ç”¨Tokenå‡ºåŠ›ãƒ˜ãƒ«ãƒ‘ãƒ¼
+ * è¦Formãƒ˜ãƒ«ãƒ‘ãƒ¼
+ */
+
+class TokenHelper extends AppHelper {
+/**
+ * Other helpers used by TokenHelper
+ *
+ * @var array
+ * @access public
+ */
+       var $helpers = array('Form', 'Session');
+
+       /* Tokenã‚’ã‚»ãƒƒãƒˆã—ãŸhiddenã‚¿ã‚°å‡ºåŠ› */
+       function create($tag_name = '__Token', $hash_type = 'md5')
+       {
+               $hashed_id = $this-> get_hashed_session_id($hash_type);
+
+               return $this->Form->input($tag_name, array(
+                       'type' => 'hidden',
+                       'value' => $hashed_id,
+                       )
+               );
+       }
+
+       /* ç¾åœ¨ã®ã‚»ãƒƒã‚·ãƒ§ãƒ³IDã‚’æš—å·åŒ–ã—ã¦å–å¾— */
+       function get_hashed_session_id($hash_type = 'md5')
+       {
+               $session_id = $this->Session->id();
+
+               return Security::hash($session_id. Configure::read('Security.salt'), $hash_type);
+       }
+
+}
+
+

Index: controllers/app_controller.php
===================================================================
--- controllers/app_controller.php      (revision 196)
+++ controllers/app_controller.php      (working copy)
@@ -21,17 +21,23 @@
        var $isAdmin = false;
        var $isMobile = false;

       var $components = array(
               'AuthPlus',
               'Acl',
+               'Token'
       );

        /* ACL */
        // è¿½åŠ ã‚¢ã‚¯ã‚·ãƒ§ãƒ³ç”¨ crudMap
        var $actionMapPlus = array();

+       // POSTã®Tokenãƒã‚§ãƒƒã‚¯ã‚’ã—ãªã„ã‚¢ã‚¯ã‚·ãƒ§ãƒ³
+       var $disableTokenActions = array();
+
        function beforeFilter()
        {
                parent::beforeFilter();

@@ -46,6 +52,9 @@
                        $this->AuthPlus->actionPath = 'controllers/';
                        $this->AuthPlus->authorize = 'crud';

+                       // å¯¾CSRF:Tokenãƒã‚§ãƒƒã‚¯
+                       $this->Token->checkToken();
+
                        // èªè¨¼ã‚¢ã‚¯ã‚·ãƒ§ãƒ³è¨å®š
                        if (Configure::read('mobileUserAgent')) {
                                $this->AuthPlus->loginAction = '/m/users/login';


Index: controllers/users_controller.php
===================================================================
--- controllers/users_controller.php    (revision 196)
+++ controllers/users_controller.php    (working copy)
@@ -2,7 +2,11 @@
 class UsersController extends ModuleController {

        var $name = 'Users';
        var $helpers = array(
               'Html',
               'Form',
+               'Token'
        );

        /* ACL */
        // è¿½åŠ ã‚¢ã‚¯ã‚·ãƒ§ãƒ³ç”¨ crudMap
@@ -11,6 +15,8 @@
                'change_password' => 'update',
        );

+       var $disableTokenActions = array('add','mobile_add');
+
        function beforeFilter() {

                parent::beforeFilter();

--- views/users/edit.ctp        (revision 197)
+++ views/users/edit.ctp        (working copy)
@@ -7,6 +7,7 @@
                                'label' => __('YourName', true),
                        )
                );
+               echo $token->create();
        ?>
        </fieldset>
 <?php echo $form->end('Submit');?>

--- config/core.php.sample      (revision 196)
+++ config/core.php.sample      (working copy)
@@ -122,7 +122,7 @@
  * Session time out time (in seconds).
  * Actual value depends on 'Security.level' setting.
  */
-       Configure::write('Session.timeout', '3600');
+       Configure::write('Session.timeout', '432'); // 60 * 60 * 12 / 100
 /**
  * If set to false, sessions are not automatically started.
  */

*2:ãˆã„ã‚„ã€ã®å€¤ã€‚åŠæ—¥ãŒã‹ã‚Šã§ãƒ–ãƒ©ã‚¦ã‚¶ä¸Šã§æŠ•ç¨¿æ›¸ãã¨ç„¡åŠ¹ã«ãªã‚Šã¾ã™ã€‚ ãƒ»ãƒ»ãƒ»ãã‚“ãªåŠ›ã®å…¥ã£ãŸé•·æ–‡ã¯ã€ãƒ†ã‚ã‚¹ãƒˆã‚¨ãƒ‡ã‚£ã‚¿ã§éšæ™‚ä¿å˜ã—ã¤ã¤æ›¸ã„ã¦ã‚³ãƒ”ãƒšã—ã¦ãã ã•ã„ã€ã¨ç§ã¯è¨€ã„ãŸã„ã€‚

Tokenã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆ

Tokenãƒ˜ãƒ«ãƒ‘ãƒ¼

ã‚³ãƒ³ãƒˆãƒ­ãƒ¼ãƒ©ãƒ»ãƒ“ãƒ¥ãƒ¼å´ã®å¯¾å¿œ

å…¨å·®åˆ†

Tokenã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆ

ã‚³ãƒ³ãƒˆãƒãƒ¼ãƒ©ãƒ»ãƒ“ãƒ¥ãƒ¼å´ã®å¯¾å¿œ