1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
<?php
/**
* MediaWiki session token
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
* http://www.gnu.org/copyleft/gpl.html
*
* @file
* @ingroup Session
*/
namespace MediaWiki\Session;
/**
* Value object representing a CSRF token
*
* @ingroup Session
* @since 1.27
*/
class Token {
/** CSRF token suffix. Plus and terminal backslash are included to stop
* editing from certain broken proxies. */
const SUFFIX = '+\\';
private $secret = '';
private $salt = '';
private $new = false;
/**
* @param string $secret Token secret
* @param string $salt Token salt
* @param bool $new Whether the secret was newly-created
*/
public function __construct( $secret, $salt, $new = false ) {
$this->secret = $secret;
$this->salt = $salt;
$this->new = $new;
}
/**
* Decode the timestamp from a token string
*
* Does not validate the token beyond the syntactic checks necessary to
* be able to extract the timestamp.
*
* @param string $token
* @return int|null
*/
public static function getTimestamp( $token ) {
$suffixLen = strlen( self::SUFFIX );
$len = strlen( $token );
if ( $len <= 32 + $suffixLen ||
substr( $token, -$suffixLen ) !== self::SUFFIX ||
strspn( $token, '0123456789abcdef' ) + $suffixLen !== $len
) {
return null;
}
return hexdec( substr( $token, 32, -$suffixLen ) );
}
/**
* Get the string representation of the token at a timestamp
* @param int $timestamp
* @return string
*/
protected function toStringAtTimestamp( $timestamp ) {
return hash_hmac( 'md5', $timestamp . $this->salt, $this->secret, false ) .
dechex( $timestamp ) .
self::SUFFIX;
}
/**
* Get the string representation of the token
* @return string
*/
public function toString() {
return $this->toStringAtTimestamp( wfTimestamp() );
}
public function __toString() {
return $this->toString();
}
/**
* Test if the token-string matches this token
* @param string $userToken
* @param int|null $maxAge Return false if $userToken is older than this many seconds
* @return bool
*/
public function match( $userToken, $maxAge = null ) {
$timestamp = self::getTimestamp( $userToken );
if ( $timestamp === null ) {
return false;
}
if ( $maxAge !== null && $timestamp < wfTimestamp() - $maxAge ) {
// Expired token
return false;
}
$sessionToken = $this->toStringAtTimestamp( $timestamp );
return hash_equals( $sessionToken, $userToken );
}
/**
* Indicate whether this token was just created
* @return bool
*/
public function wasNew() {
return $this->new;
}
}
|