How does this PHP nonce library work?
From http://fullthrottledevelopment.com/php-nonce-library#download there is a PHP nonce library, but there are a few things that I don't understand. The first one is that it reminds us to set a value for FT_NONCE_UNIQUE_KEY, but it never uses it in any of its functions.
The second thing is, when I call the ft_nonce_create_query_string function, wait for a few seconds and then call it again with the same parameters, both calls return the same value. This is strange; I really don't understand how it can make sure that each nonce it generates will be valid for the duration specified in FT_NONCE_DURATION.
But if I wait for a longer time before the second call, they return different values. I have pasted the code here so that you can try to run it directly.
Why is it like this? How is it supposed to work?
```php
<?php
/*
 * Name: FT-NONCE-LIB
 * Created By: Full Throttle Development, LLC (http://fullthrottledevelopment.com)
 * Created On: July 2009
 * Last Modified On: August 12, 2009
 * Last Modified By: Glenn Ansley (glenn@fullthrottledevelopment.com)
 * Version: 0.2
 */
/*
Copyright 2009 Full Throttle Development, LLC
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
define( 'FT_NONCE_UNIQUE_KEY' , '' );
define( 'FT_NONCE_DURATION' , 300 ); // 300 makes link or form good for 5 minutes from time of generation
define( 'FT_NONCE_KEY' , '_nonce' );

// This method creates a key / value pair for a url string
function ft_nonce_create_query_string( $action = '' , $user = '' ){
    return FT_NONCE_KEY."=".ft_nonce_create( $action , $user );
}

// This method creates a nonce for a form field
// (note: $action . $user is passed as a single argument here)
function ft_nonce_create_form_input( $action = '' , $user='' ){
    echo "<input type='hidden' name='".FT_NONCE_KEY."' value='".ft_nonce_create( $action . $user )."' />";
}

// This method creates a nonce. It should be called by one of the previous two functions.
// $action . $user is passed as one argument, so $user is always '' inside ft_nonce_generate_hash().
function ft_nonce_create( $action = '' , $user='' ){
    return substr( ft_nonce_generate_hash( $action . $user ), -12, 10);
}

// This method validates a nonce
function ft_nonce_is_valid( $nonce , $action = '' , $user='' ){
    // Recomputes the hash for the current time window; the nonce only matches
    // while time() is still in the same FT_NONCE_DURATION / 2 second window.
    if ( substr(ft_nonce_generate_hash( $action . $user ), -12, 10) == $nonce ){
        return true;
    }
    return false;
}

// This method generates the nonce hash for the current time window
function ft_nonce_generate_hash( $action='' , $user='' ){
    // $i only changes every FT_NONCE_DURATION / 2 seconds (150 s with the defaults),
    // and FT_NONCE_UNIQUE_KEY is never mixed into the hash.
    $i = ceil( time() / ( FT_NONCE_DURATION / 2 ) );
    return md5( $i . $action . $user . $action );
}

if ( FT_NONCE_UNIQUE_KEY == '' ){ die( 'You must enter a unique key on line 2 of ft_nonce_lib.php to use this library.'); }
?>
```
Wow, DO NOT USE THIS LIBRARY. I am going to report this as a vulnerability right after this post. A nonce is a value that is only used once, and this library does provide this. HOWEVER, the author was trying to prevent Cross Site Request Forgeries (XSRF). In order to prevent attackers from forging a message there needs to be a secret value that the attacker can't predict. In order to do this you need a Cryptographically Secure Random Number Generator or CSPRNG. The nonce that this library builds is extremely predictable and could easily be brute forced using simple javascript.
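To make the behaviour the question describes concrete, here is an added example in Python (not part of the question, the answer, or the library): a reimplementation of the library's ft_nonce_create() at a given epoch time, which shows that the value depends only on the public inputs and the 150-second window index, followed by an HMAC-based token (an assumed replacement design, not the library's) that mixes in a server secret and an explicit issue time. The secret, the "delete"/"alice" inputs and the timestamps are constructed test values.

```python
import hashlib
import hmac

FT_NONCE_DURATION = 300  # same default as the library


def ft_nonce_create(action: str, user: str, now: int) -> str:
    """Reimplementation of the library's ft_nonce_create() at epoch time `now`.

    ft_nonce_create() passes $action . $user as a single argument, so inside
    ft_nonce_generate_hash() the payload is $i . (action+user) . '' . (action+user).
    The only time-dependent input is $i = ceil(now / (FT_NONCE_DURATION / 2)),
    and FT_NONCE_UNIQUE_KEY never enters the hash.
    """
    window = -(-now // (FT_NONCE_DURATION // 2))  # ceil division, like PHP ceil()
    payload = f"{window}{action}{user}{action}{user}"  # PHP prints the float $i without ".0"
    digest = hashlib.md5(payload.encode()).hexdigest()
    return digest[-12:-2]  # substr($hash, -12, 10)


def make_token(secret: bytes, action: str, user: str, now: int) -> str:
    """Assumed hardened design: HMAC over a server-side secret, the action,
    the user and an explicit issue time, with the issue time sent alongside."""
    msg = f"{now}|{action}|{user}".encode()
    return f"{now}.{hmac.new(secret, msg, hashlib.sha256).hexdigest()}"


def check_token(secret: bytes, token: str, action: str, user: str, now: int) -> bool:
    """Accept only if the MAC matches (constant-time compare) and the token was
    issued within the last FT_NONCE_DURATION seconds. This is stateless, so it
    is replayable inside that window; a true single-use nonce needs server state."""
    issued, _, mac = token.partition(".")
    if not issued.isdigit():
        return False
    if now < int(issued) or now - int(issued) > FT_NONCE_DURATION:
        return False
    msg = f"{issued}|{action}|{user}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    # Constructed inputs: two calls 100 s apart land in the same 150 s window,
    # the third call one second later lands in the next window.
    print(ft_nonce_create("delete", "alice", 1_250_000_000),
          ft_nonce_create("delete", "alice", 1_250_000_100),
          ft_nonce_create("delete", "alice", 1_250_000_101))
```

Because the window index is ceil(time() / 150) rather than something tied to when the nonce was issued, a value created one second before a window boundary stops validating one second later, while one created just after a boundary stays valid for almost the full 150 seconds.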