Check user_id as part of validating CSRF tokens

This commit is contained in:
Omar Roth 2018-11-08 00:29:20 -06:00
parent b9c29bf537
commit 1ff8579575
2 changed files with 9 additions and 5 deletions

View file

@ -1429,7 +1429,7 @@ post "/delete_account" do |env|
token = env.params.body["token"]?
begin
validate_response(challenge, token, "delete_account", HMAC_KEY)
validate_response(challenge, token, user.email, "delete_account", HMAC_KEY)
rescue ex
error_message = ex.message
next templated "error"
@ -1474,7 +1474,7 @@ post "/clear_watch_history" do |env|
token = env.params.body["token"]?
begin
validate_response(challenge, token, "clear_watch_history", HMAC_KEY)
validate_response(challenge, token, user.email, "clear_watch_history", HMAC_KEY)
rescue ex
error_message = ex.message
next templated "error"

View file

@ -403,7 +403,7 @@ def create_response(user_id, operation, key)
return challenge, token
end
def validate_response(challenge, token, action, key)
def validate_response(challenge, token, user_id, operation, key)
if !challenge
raise "Hidden field \"challenge\" is a required field"
end
@ -414,7 +414,7 @@ def validate_response(challenge, token, action, key)
challenge = Base64.decode_string(challenge)
if challenge.split("-").size == 4
expire, nonce, user_id, operation = challenge.split("-")
expire, nonce, challenge_user_id, challenge_operation = challenge.split("-")
expire = expire.to_i?
expire ||= 0
@ -429,7 +429,11 @@ def validate_response(challenge, token, action, key)
raise "Invalid token"
end
if operation != action
if challenge_operation != operation
raise "Invalid token"
end
if challenge_user_id != user_id
raise "Invalid token"
end