[geeklog-devel] Security Tokens

Michael Jervis mjervis at gmail.com
Fri Feb 22 03:23:19 EST 2008

>  I read the whole commit. Plugins have admin pages and thus should
>  also use this API. Maybe a plugin has more than just index.php in
>  their admin area and has pages where the url to generate the form
>  isn't the url that processes the form. That is impossible in your
>  current implementation. Why make your implementation restrict where I
>  put my code?

Well you may have read it, you don't understand it.

The token is generated on page A and stored against page A. The
receiving page, which may be page A or page B checks the token. It
doesn't check it against its own URL. It checks it against the
HTTP_REFERER. i.e. the token is invalid on Page B if it was generated
on Page A but the user got to Page B from Somewhere Else. i.e. it's a
check for token theft.

>  So, you could just answer the question.

I could, but I didn't feel a pressing need to explain something you
clearly had misunderstood when the code I felt was self evident as the
check is against HTTP_REFERER...

> Why is $page read from
>  $_SERVER fields instead of just being arbitrary text passed into the function?

So that it's as easy as possible to implement correctly. The function
knows what page you are on, so why ask the programmer to supply
information (in possibly loads of calls to the function throughout the
code base) when the function can work it out consistently correctly in
one small set of LoC. Plus, there is no question about the right value
as when the token is checked, it's the HTTP_REFERER, but then you
failed to understand that in your first reading.

>  And if there's a pressing reason against my idea, why didn't you just
>  call COM_getCurrentURL()? That code is known to work on multiple web servers.

Ah, ooops, nice catch. Forgot about that function (I've been out of
circulation for some time...)

>  And GL is supposed to be in a feature freeze for the pending 1.5
>  release. In my professional experience, works in progress are not
>  checked into during a feature freeze. But what do I know? It's not
>  like I read the devel mailing list so I'll know what's going on.

Everything is "done" other than TTL, which is still in debate, best
way to decide TTLs for pages, should it be configurable etc. Need to
make sure it actually works in practice for more people than just me
prior to making use of it throughout admin.

It's working, debugged code (other than the oops with
lib-database.php...), just needs some finessing subject to testing.
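The token scheme the reply describes, as an added example that is not Geeklog's own code: a small Python model in which a token is bound to the URL of the page that minted it and is later checked against the submitting request's Referer, not against the receiving page's URL. The in-memory store, the single-use rule and the URL normalization are assumptions of this model.

```python
"""Model of the page-bound security-token scheme described in the thread.

A token is minted while rendering page A and stored against A's URL.
Whichever page later receives the form (A itself or some page B) checks
the submitted token against the HTTP Referer of that request, not against
its own URL: a token minted on A that arrives from anywhere else is
treated as stolen.
"""
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed in-memory store: token -> key of the page that minted it.
# Geeklog keeps its tokens in the database; this dict stands in for it.
_tokens: Dict[str, str] = {}


def _page_key(url: str) -> str:
    """Reduce a URL to scheme://host/path (query string ignored; assumption)."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def create_token(current_url: str) -> str:
    """Mint a token while rendering `current_url` and bind it to that page."""
    token = secrets.token_hex(16)
    _tokens[token] = _page_key(current_url)
    return token


def check_token(token: str, referer: Optional[str]) -> bool:
    """Validate a submitted token against the request's Referer.

    Fails closed when the Referer is absent, when the token is unknown,
    and when the Referer is not the page the token was minted on.
    A token is consumed on its first use (single use is an assumption).
    """
    if not token or not referer:
        return False
    minted_on = _tokens.pop(token, None)
    if minted_on is None:
        return False
    return minted_on == _page_key(referer)
```

Because the check depends on the Referer header, a request that arrives without one (stripped by a proxy or a browser privacy setting) is rejected rather than accepted, so a deployment has to plan for that failure mode.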
