API
1 month ago
Access
3 months ago
Application
1 month ago
Archive
1 month ago
ArchiveProcessor
1 month ago
Archiver
2 years ago
AssetManager
1 month ago
Auth
6 months ago
Category
6 months ago
Changes
1 month ago
CliMulti
1 year ago
Columns
1 month ago
Concurrency
1 month ago
Config
1 month ago
Container
1 month ago
CronArchive
3 months ago
DataAccess
1 month ago
DataFiles
2 years ago
DataTable
2 weeks ago
Db
2 weeks ago
DeviceDetector
1 year ago
Email
2 years ago
Exception
4 months ago
Http
4 months ago
Intl
3 months ago
Log
2 years ago
Mail
1 year ago
Measurable
6 months ago
Menu
1 month ago
Metrics
3 months ago
Notification
6 months ago
Period
1 month ago
Plugin
2 weeks ago
Policy
1 month ago
ProfessionalServices
1 year ago
Report
1 year ago
ReportRenderer
3 months ago
Request
3 months ago
Scheduler
1 month ago
Segment
1 month ago
Session
2 weeks ago
Settings
1 month ago
Tracker
2 weeks ago
Translation
1 month ago
Twig
1 year ago
UpdateCheck
3 months ago
Updater
1 month ago
Updates
2 days ago
Validators
1 year ago
View
1 month ago
ViewDataTable
2 weeks ago
Visualization
1 year ago
Widget
1 month ago
.htaccess
2 years ago
Access.php
1 month ago
Archive.php
1 month ago
ArchiveProcessor.php
1 month ago
AssetManager.php
1 month ago
Auth.php
6 months ago
AuthResult.php
6 months ago
BaseFactory.php
2 years ago
Cache.php
2 years ago
CacheId.php
4 months ago
CliMulti.php
1 month ago
Common.php
2 weeks ago
Config.php
1 month ago
Console.php
3 months ago
Context.php
2 years ago
Cookie.php
1 year ago
CronArchive.php
1 month ago
DI.php
3 months ago
DataArray.php
1 month ago
DataTable.php
1 month ago
Date.php
1 month ago
Db.php
1 month ago
DbHelper.php
1 month ago
Development.php
1 year ago
ErrorHandler.php
6 months ago
EventDispatcher.php
1 month ago
ExceptionHandler.php
4 months ago
FileIntegrity.php
1 month ago
Filechecks.php
1 year ago
Filesystem.php
1 month ago
FrontController.php
4 months ago
Http.php
1 month ago
IP.php
1 year ago
Log.php
3 months ago
LogDeleter.php
1 year ago
Mail.php
1 year ago
Metrics.php
1 month ago
NoAccessException.php
2 years ago
Nonce.php
6 months ago
Notification.php
1 month ago
NumberFormatter.php
5 months ago
Option.php
5 months ago
Period.php
1 month ago
Piwik.php
1 month ago
Plugin.php
1 month ago
Process.php
1 month ago
Profiler.php
6 months ago
ProxyHeaders.php
4 months ago
ProxyHttp.php
5 months ago
QuickForm2.php
3 months ago
RankingQuery.php
1 month ago
ReportRenderer.php
1 month ago
Request.php
1 month ago
Segment.php
1 month ago
Sequence.php
6 months ago
Session.php
2 weeks ago
SettingsPiwik.php
1 month ago
SettingsServer.php
1 year ago
Singleton.php
2 years ago
Site.php
1 month ago
SiteContentDetector.php
1 month ago
SupportedBrowser.php
2 years ago
TCPDF.php
1 year ago
Theme.php
1 year ago
Timer.php
1 month ago
Tracker.php
1 month ago
Twig.php
1 month ago
Unzip.php
1 year ago
UpdateCheck.php
1 month ago
Updater.php
1 month ago
UpdaterErrorException.php
2 years ago
Updates.php
3 months ago
Url.php
3 months ago
UrlHelper.php
1 month ago
Version.php
2 days ago
View.php
1 month ago
bootstrap.php
1 year ago
dispatch.php
2 years ago
testMinimumPhpVersion.php
6 months ago
Nonce.php
202 lines
| 1 | <?php |
| 2 | |
| 3 | /** |
| 4 | * Matomo - free/libre analytics platform |
| 5 | * |
| 6 | * @link https://matomo.org |
| 7 | * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later |
| 8 | */ |
| 9 | namespace Piwik; |
| 10 | |
| 11 | use Piwik\Session\SessionNamespace; |
| 12 | /** |
| 13 | * Nonce class. |
| 14 | * |
| 15 | * A cryptographic nonce -- "number used only once" -- is often recommended as |
| 16 | * part of a robust defense against cross-site request forgery (CSRF/XSRF). This |
| 17 | * class provides static methods that create and manage nonce values. |
| 18 | * |
| 19 | * Nonces in Piwik are stored as a session variable and have a configurable expiration. |
| 20 | * |
| 21 | * Learn more about nonces [here](https://en.wikipedia.org/wiki/Cryptographic_nonce). |
| 22 | * |
| 23 | * @api |
| 24 | */ |
| 25 | class Nonce |
| 26 | { |
| 27 | /** |
| 28 | * Returns an existing nonce by ID. If none exists, a new nonce will be generated. |
| 29 | * |
| 30 | * @param string $id Unique id to avoid namespace conflicts, e.g., `'ModuleName.ActionName'`. |
| 31 | * @param int $ttl Optional time-to-live in seconds; default is 5 minutes. (ie, in 5 minutes, |
| 32 | * the nonce will no longer be valid). |
| 33 | * @return string |
| 34 | */ |
| 35 | public static function getNonce($id, $ttl = 600) |
| 36 | { |
| 37 | // save session-dependent nonce |
| 38 | $ns = new SessionNamespace($id); |
| 39 | $nonce = $ns->nonce; |
| 40 | // re-use an unexpired nonce (a small deviation from the "used only once" principle, so long as we do not reset the expiration) |
| 41 | // to handle browser pre-fetch or double fetch caused by some browser add-ons/extensions |
| 42 | if (empty($nonce)) { |
| 43 | // generate a new nonce |
| 44 | $nonce = md5(\Piwik\SettingsPiwik::getSalt() . time() . \Piwik\Common::generateUniqId()); |
| 45 | $ns->nonce = $nonce; |
| 46 | } |
| 47 | // extend lifetime if nonce is requested again to prevent from early timeout if nonce is requested again |
| 48 | // a few seconds before timeout |
| 49 | $ns->setExpirationSeconds($ttl, 'nonce'); |
| 50 | return $nonce; |
| 51 | } |
| 52 | /** |
| 53 | * Returns if a nonce is valid and comes from a valid request. |
| 54 | * |
| 55 | * A nonce is valid if it matches the current nonce and if the current nonce |
| 56 | * has not expired. |
| 57 | * |
| 58 | * The request is valid if the referrer is a local URL (see {@link Url::isLocalUrl()}) |
| 59 | * and if the HTTP origin is valid (see {@link getAcceptableOrigins()}). |
| 60 | * |
| 61 | * @param string $id The nonce's unique ID. See {@link getNonce()}. |
| 62 | * @param string $cnonce Nonce sent from client. |
| 63 | * @param null|string $allowedReferrerHost The allowed referrer host for the HTTP referrer URL. |
| 64 | * @return bool `true` if valid; `false` otherwise. |
| 65 | */ |
| 66 | public static function verifyNonce($id, $cnonce, $allowedReferrerHost = null) |
| 67 | { |
| 68 | // load error with message function. |
| 69 | $error = self::verifyNonceWithErrorMessage($id, $cnonce, $allowedReferrerHost); |
| 70 | return $error === ""; |
| 71 | } |
| 72 | /** |
| 73 | * Returns an error message, if any of the individual checks fails. |
| 74 | * |
| 75 | * A nonce must match the current nonce and must not be expired. |
| 76 | * |
| 77 | * If a referrer is present, it must match $allowedReferrerHost. The exception is a referrer that resolves to local, |
| 78 | * which is allowed if $allowedReferrerHost is empty. |
| 79 | * If a referrer is not present, then $allowedReferrerHost is ignored. |
| 80 | * |
| 81 | * The HTTP origin must be valid (see {@link getAcceptableOrigins()}). |
| 82 | * |
| 83 | * @param string $id The nonce's unique ID. See {@link getNonce()}. |
| 84 | * @param string $cnonce Nonce sent from client. |
| 85 | * @param string|null $allowedReferrerHost The allowed referrer for the HTTP referrer URL. See method description. |
| 86 | * @return string if empty is valid otherwise return error message |
| 87 | */ |
| 88 | public static function verifyNonceWithErrorMessage($id, $cnonce, $allowedReferrerHost = null) |
| 89 | { |
| 90 | $ns = new SessionNamespace($id); |
| 91 | $nonce = $ns->nonce; |
| 92 | $additionalErrors = ''; |
| 93 | // The Session cookie is set to a secure cookie, when SSL is mis-configured, it can cause the PHP session cookie ID to change on each page view. |
| 94 | // Indicate to user how to solve this particular use case by forcing secure connections. |
| 95 | if (\Piwik\Url::isSecureConnectionAssumedByPiwikButNotForcedYet()) { |
| 96 | $additionalErrors = '<br/><br/>' . \Piwik\Piwik::translate('Login_InvalidNonceSSLMisconfigured', [\Piwik\Url::getExternalLinkTag('https://matomo.org/faq/how-to/faq_91/'), '</a>', 'config/config.ini.php', '<pre>force_ssl=1</pre>', '<pre>[General]</pre>']); |
| 97 | } |
| 98 | // validate token |
| 99 | if (empty($cnonce) || $cnonce !== $nonce) { |
| 100 | return \Piwik\Piwik::translate('Login_InvalidNonceToken'); |
| 101 | } |
| 102 | // Validate referrer if present |
| 103 | $referrer = \Piwik\Url::getReferrer(); |
| 104 | if (!empty($referrer)) { |
| 105 | // Allow the instance host by default, if no allowedReferrerHost is specified. |
| 106 | if (empty($allowedReferrerHost) && !\Piwik\Url::isLocalUrl($referrer)) { |
| 107 | return \Piwik\Piwik::translate('Login_InvalidNonceReferrer', [\Piwik\Url::getExternalLinkTag('https://matomo.org/faq/how-to-install/faq_98'), '</a>']) . $additionalErrors; |
| 108 | } |
| 109 | // Test that referrer matches what is allowed. |
| 110 | if (!empty($allowedReferrerHost) && !self::isReferrerHostValid($referrer, $allowedReferrerHost)) { |
| 111 | return \Piwik\Piwik::translate('Login_InvalidNonceUnexpectedReferrer') . $additionalErrors; |
| 112 | } |
| 113 | } |
| 114 | // validate origin |
| 115 | $origin = self::getOrigin(); |
| 116 | if (!empty($origin) && ($origin == 'null' || !in_array($origin, self::getAcceptableOrigins()))) { |
| 117 | return \Piwik\Piwik::translate('Login_InvalidNonceOrigin') . $additionalErrors; |
| 118 | } |
| 119 | return ''; |
| 120 | } |
| 121 | // public for tests |
| 122 | public static function isReferrerHostValid($referrer, $allowedReferrerHost) |
| 123 | { |
| 124 | if (empty($referrer)) { |
| 125 | return \false; |
| 126 | } |
| 127 | $referrerHost = \Piwik\Url::getHostFromUrl($referrer); |
| 128 | return preg_match('/(^|\\.)' . preg_quote($allowedReferrerHost) . '$/i', $referrerHost); |
| 129 | } |
| 130 | /** |
| 131 | * Force expiration of the current nonce. |
| 132 | * |
| 133 | * @param string $id The unique nonce ID. |
| 134 | */ |
| 135 | public static function discardNonce($id) |
| 136 | { |
| 137 | $ns = new SessionNamespace($id); |
| 138 | $ns->unsetAll(); |
| 139 | } |
| 140 | /** |
| 141 | * Returns the **Origin** HTTP header or `false` if not found. |
| 142 | * |
| 143 | * @return string|bool |
| 144 | */ |
| 145 | public static function getOrigin() |
| 146 | { |
| 147 | if (!empty($_SERVER['HTTP_ORIGIN'])) { |
| 148 | return $_SERVER['HTTP_ORIGIN']; |
| 149 | } |
| 150 | return \false; |
| 151 | } |
| 152 | /** |
| 153 | * Returns a list acceptable values for the HTTP **Origin** header. |
| 154 | * |
| 155 | * @return array |
| 156 | */ |
| 157 | public static function getAcceptableOrigins() |
| 158 | { |
| 159 | $host = \Piwik\Url::getCurrentHost(null); |
| 160 | if (empty($host)) { |
| 161 | return array(); |
| 162 | } |
| 163 | // parse host:port |
| 164 | if (preg_match('/^([^:]+):([0-9]+)$/D', $host, $matches)) { |
| 165 | $host = $matches[1]; |
| 166 | $port = $matches[2]; |
| 167 | $origins = array('http://' . $host, 'https://' . $host); |
| 168 | if ($port != 443) { |
| 169 | $origins[] = 'http://' . $host . ':' . $port; |
| 170 | } |
| 171 | $origins[] = 'https://' . $host . ':' . $port; |
| 172 | } elseif (\Piwik\Config::getInstance()->General['force_ssl']) { |
| 173 | $origins = array('https://' . $host, 'https://' . $host . ':443'); |
| 174 | } else { |
| 175 | $origins = array('http://' . $host, 'https://' . $host, 'http://' . $host . ':80', 'https://' . $host . ':443'); |
| 176 | } |
| 177 | return $origins; |
| 178 | } |
| 179 | /** |
| 180 | * Verifies and discards a nonce. |
| 181 | * |
| 182 | * @param string $nonceName The nonce's unique ID. See {@link getNonce()}. |
| 183 | * @param string|null $nonce The nonce from the client. If `null`, the value from the |
| 184 | * **nonce** query parameter is used. |
| 185 | * @throws \Exception if the nonce is invalid. See {@link verifyNonce()}. |
| 186 | */ |
| 187 | public static function checkNonce($nonceName, $nonce = null, $allowedReferrerHost = null) |
| 188 | { |
| 189 | if ($nonce === null) { |
| 190 | $nonce = \Piwik\Common::getRequestVar('nonce', null, 'string'); |
| 191 | } |
| 192 | if (!self::verifyNonce($nonceName, $nonce, $allowedReferrerHost)) { |
| 193 | if (!empty($nonce)) { |
| 194 | self::discardNonce($nonceName); |
| 195 | // Invalidate nonce on failed attempts |
| 196 | } |
| 197 | throw new \Exception(\Piwik\Piwik::translate('General_ExceptionSecurityCheckFailed')); |
| 198 | } |
| 199 | self::discardNonce($nonceName); |
| 200 | } |
| 201 | } |
| 202 |