diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php index 02d5e158a..2af754525 100644 --- a/system/src/Grav/Common/Utils.php +++ b/system/src/Grav/Common/Utils.php @@ -705,11 +705,11 @@ abstract class Utils * with reverse proxy setups. * * @param string $action - * @param bool $plusOneTick if true, generates the token for the next tick (the next 12 hours) + * @param bool $previousTick if true, generates the token for the previous tick (the previous 12 hours) * * @return string the nonce string */ - private static function generateNonceString($action, $plusOneTick = false) + private static function generateNonceString($action, $previousTick = false) { $username = ''; if (isset(Grav::instance()['user'])) { @@ -720,29 +720,8 @@ abstract class Utils $token = session_id(); $i = self::nonceTick(); - if ($plusOneTick) { - $i++; - } - - return ($i . '|' . $action . '|' . $username . '|' . $token . '|' . Grav::instance()['config']->get('security.salt')); - } - - //Added in version 1.0.8 to ensure that existing nonces are not broken. - private static function generateNonceStringOldStyle($action, $plusOneTick = false) - { - if (isset(Grav::instance()['user'])) { - $user = Grav::instance()['user']; - $username = $user->username; - if (isset($_SERVER['REMOTE_ADDR'])) { - $username .= $_SERVER['REMOTE_ADDR']; - } - } else { - $username = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : ''; - } - $token = session_id(); - $i = self::nonceTick(); - if ($plusOneTick) { - $i++; + if ($previousTick) { + $i--; } return ($i . '|' . $action . '|' . $username . '|' . $token . '|' . Grav::instance()['config']->get('security.salt')); @@ -768,33 +747,20 @@ abstract class Utils * action is the same for 12 hours. * * @param string $action the action the nonce is tied to (e.g. save-user-admin or move-page-homepage) - * @param bool $plusOneTick if true, generates the token for the next tick (the next 12 hours) + * @param bool $previousTick if true, generates the token for the previous tick (the previous 12 hours) * * @return string the nonce */ - public static function getNonce($action, $plusOneTick = false) + public static function getNonce($action, $previousTick = false) { // Don't regenerate this again if not needed - if (isset(static::$nonces[$action])) { - return static::$nonces[$action]; + if (isset(static::$nonces[$action][$previousTick])) { + return static::$nonces[$action][$previousTick]; } - $nonce = md5(self::generateNonceString($action, $plusOneTick)); - static::$nonces[$action] = $nonce; + $nonce = md5(self::generateNonceString($action, $previousTick)); + static::$nonces[$action][$previousTick] = $nonce; - return static::$nonces[$action]; - } - - //Added in version 1.0.8 to ensure that existing nonces are not broken. - public static function getNonceOldStyle($action, $plusOneTick = false) - { - // Don't regenerate this again if not needed - if (isset(static::$nonces[$action])) { - return static::$nonces[$action]; - } - $nonce = md5(self::generateNonceStringOldStyle($action, $plusOneTick)); - static::$nonces[$action] = $nonce; - - return static::$nonces[$action]; + return static::$nonces[$action][$previousTick]; } /** @@ -818,20 +784,8 @@ abstract class Utils } //Nonce generated 12-24 hours ago - $plusOneTick = true; - if ($nonce === self::getNonce($action, $plusOneTick)) { - return true; - } - - //Added in version 1.0.8 to ensure that existing nonces are not broken. - //Nonce generated 0-12 hours ago - if ($nonce === self::getNonceOldStyle($action)) { - return true; - } - - //Nonce generated 12-24 hours ago - $plusOneTick = true; - if ($nonce === self::getNonceOldStyle($action, $plusOneTick)) { + $previousTick = true; + if ($nonce === self::getNonce($action, $previousTick)) { return true; }