mod_csrfprotector.c

Summary
mod_csrfprotector.c
Variables
Flag
csrfp_actions
Filter_Statae
Filter_Cookie_Length_State
csrfp_config
csrfp_opf_ctx
getRuleNode
Functions
csrfp_strncasestr — Similar to standard strstr() but case-insensitive and length-limited (for input that is not 0-terminated).
getCurrentUrl — Function to return the current URL
generateToken — Function to generate a pseudo-random number to serve as the CSRFP_TOKEN
setTokenCookieFunction to append new CSRFP_TOKEN to output header
getCookieTokenFunction to return the token value from cookie
validateTokenFunction to validate GET token, csrfp_token in GET query parameter
getOutputContentTypeReturns content type of output generated by content generator
csrfp_get_rctxGet or create (and init) the pre request context used by the output filter
csrfp_injectInjects a new bucket containing a reference to the javascript.
logCSRFAttackFunction to log an attack
failedValidationAction — Returns the appropriate status code for a failed validation, as per configuration
needvalidation — Function to decide whether to validate the current request, depending on the requested file matched against the ignore pattern
csrfp_sql_initFunction to initiate the sql process for code validation
csrfp_sql_update_counterFunction to add / Update counter value for reseeding
csrfp_sql_addnFunction to add / Update token value in the db
csrfp_sql_table_cleanFunction to clear expired tokens from db
csrfp_header_parserCallback function for header parser by Hook Registering function
csrfp_out_filterFilters output generated by content generator and modify content
csrfp_insert_filterRegisters in filter -- csrfp_in_filter

Variables

Flag

/*
 * Boolean flag used by the module.
 * The CSRFP_ prefix was added to prevent an enum redeclaration error on OS X.
 * Note the declaration order: CSRFP_TRUE is 0 and CSRFP_FALSE is 1, which is
 * the reverse of C truthiness, so always compare against the enumerators
 * explicitly rather than testing the value in a boolean context.
 */
typedef enum {
    CSRFP_TRUE,     /* 0 */
    CSRFP_FALSE     /* 1 */
} Flag;
enumeratorfor storing TRUE FALSE values for CSRFP

csrfp_actions

/*
 * Action taken when token validation fails; which one applies is selected by
 * configuration (see failedValidationAction). Numeric values follow
 * declaration order, starting at 0.
 */
typedef enum {
    forbidden,              /* 0 */
    strip,                  /* 1 */
    redirect,               /* 2 */
    message,                /* 3 */
    internal_server_error   /* 4 */
} csrfp_actions;
enumeratorlists the actions to be taken in case of failed validation

Filter_Statae

enumeratorlists the state through which the output filter goes

Filter_Cookie_Length_State

/*
 * Tracks whether the output filter has already adjusted the token cookie
 * length for the current response.
 */
typedef enum {
    nmodified,  /* cookie length not modified (0) */
    modified    /* cookie length modified (1) */
} Filter_Cookie_Length_State;
enumeratorlists the state of token cookie

csrfp_config

structurestructure of the csrfp configuration

csrfp_opf_ctx

structurestructure of the csrfp output filter configuration

getRuleNode

typedef struct getRuleNode { ap_regex_t *pattern; const char *patternString; struct getRuleNode *next; }
structurelinked list node for storing the GET rules

Functions

csrfp_strncasestr

static const char *csrfp_strncasestr(const char *s1,
const char *s2,
int len)

Similar to standard strstr() but case-insensitive and length-limited (for input that is not 0-terminated).

Parameters

s1String to search in
s2 Pattern to find
lenLength of s1

Returns

char *, pointer to the beginning of the substring s2 within s1, or NULL if the substring is not found

getCurrentUrl

static char* getCurrentUrl(request_rec *r)

Function to return the current URL

Parameters

rrequest_rec object

Returns

current url (char *)

generateToken

static char* generateToken(request_rec *r,
int length)

Function to generate a pseudo-random number to serve as the CSRFP_TOKEN

Parameters

rrequest_rec object
lengthlength of token to generate

Returns

token, the CSRF token (string)

setTokenCookie

static void setTokenCookie(request_rec *r,
sqlite3 *db)

Function to append new CSRFP_TOKEN to output header

Parameters

rrequest_rec object

Returns

void

getCookieToken

static char* getCookieToken(request_rec *r,
char *key)

Function to return the token value from cookie

Parameters

rrequest_rec

Returns

CSRFP_TOKEN if it exists in the cookie, else NULL

validateToken

static int validateToken(request_rec *r,
sqlite3 *db)

Function to validate GET token, csrfp_token in GET query parameter

Parameters

rrequest_rec pointer

Return

int, 0 for failed validation, 1 for passed

getOutputContentType

static const char *getOutputContentType(request_rec *r)

Returns content type of output generated by content generator

Parameters

rrequest_rec object

Returns

content type, string

csrfp_get_rctx

static csrfp_opf_ctx *csrfp_get_rctx(request_rec *r)

Get or create (and init) the pre request context used by the output filter

Parameters

rrequest_rec object

Returns

context object for output filter ( csrfp_opf_ctx* )

csrfp_inject

static apr_bucket *csrfp_inject(request_rec *r,
apr_bucket_brigade *bb,
apr_bucket *b,
csrfp_opf_ctx *rctx,
const char *buf,
apr_size_t sz,
int flag)

Injects a new bucket containing a reference to the javascript.

Parameters

rrequest_rec object
bb bucket_brigade object; b Bucket to split, inserting the new bucket at the position of the marker
rctxRequest context containing the state of the parser
bufString representation of the bucket
szPosition to split the bucket and insert the new content
flag 0 for &lt;noscript&gt; insertion, 1 for &lt;script&gt; insertion

Returns

Bucket to continue searching (at the marker)

logCSRFAttack

static void logCSRFAttack(request_rec *r)

Function to log an attack

Parameters

rrequest_rec object

Returns

void

failedValidationAction

static int failedValidationAction(request_rec *r)

Returns the appropriate status code for a failed validation, as per configuration

Parameters

rrequest_rec object

Returns

int, status code for the action

needvalidation

static int needvalidation(request_rec *r)

Function to decide whether to validate the current request, depending on the requested file matched against the ignore pattern

Parameters

rrequest_rec object

Returns

int, 1 if validation is needed, 0 otherwise

csrfp_sql_init

static sqlite3 *csrfp_sql_init(request_rec *r)

Function to initialize the SQL process for code validation

Parameters

rrequest_rec object

Returns

db, SQLITE database object on success

csrfp_sql_update_counter

static int csrfp_sql_update_counter(request_rec *r,
sqlite3 *db)

Function to add / Update counter value for reseeding

Parameters

rrequest_rec object
dbsqlite database object

Returns

integer, current counter

csrfp_sql_addn

static int csrfp_sql_addn(request_rec *r,
sqlite3 *db,
const char *sessid,
const char *value)

Function to add / Update token value in the db

Parameters

rrequest_rec object
dbsqlite database object
sessid session id for this user; value - value of the token

Returns

integer, SQLITE_OK on success

csrfp_sql_table_clean

static void csrfp_sql_table_clean(request_rec *r,
sqlite3 *db)

Function to clear expired tokens from db

Parameters

rrequest_rec object
dbsqlite database object

Returns

void

csrfp_header_parser

static int csrfp_header_parser(request_rec *r)

Callback function for the header parser, registered by the hook-registering function

Parameters

rrequest_rec object

Return

status code, int

csrfp_out_filter

static apr_status_t csrfp_out_filter(ap_filter_t *f,
apr_bucket_brigade *bb)

Filters output generated by content generator and modify content

Parameters

fapache filter object
bbapache brigade object

Returns

apr_status_t code

csrfp_insert_filter

static void csrfp_insert_filter(request_rec *r)

Registers in filter -- csrfp_in_filter

Parameters

rrequest_rec object

Returns

void
