Changeset 7495


Timestamp:
10/30/10 13:32:11 (9 years ago)
Author:
rvelices
Message:

feature 1915: add protection on user registration against robots

Location:
trunk
Files:
7 edited

  • trunk/comments.php

    r7488 r7495  
    505505      { 
    506506        $tpl_comment['IN_EDIT'] = true; 
    507         $key = get_comment_post_key($comment['image_id']); 
     507        $key = get_ephemeral_key(2, $comment['image_id']); 
    508508        $tpl_comment['KEY'] = $key; 
    509509        $tpl_comment['IMAGE_ID'] = $comment['image_id']; 
  • trunk/include/functions.inc.php

    r6947 r7495  
    13341334 
    13351335/** 
    1336  * returns a "secret key" that is to be sent back when a user enters a comment 
    1337  * 
    1338  * @param int image_id 
    1339  */ 
    1340 function get_comment_post_key($image_id) 
    1341 { 
    1342   global $conf; 
    1343  
    1344   $time = time(); 
    1345  
    1346   return sprintf( 
    1347     '%s:%s', 
    1348     $time, 
    1349     hash_hmac( 
    1350       'md5', 
    1351       $time.':'.$image_id, 
    1352       $conf['secret_key'] 
    1353       ) 
    1354     ); 
     1336 * returns a "secret key" that is to be sent back when a user posts a form 
     1337 * 
     1338 * @param int valid_after_seconds - key validity start time from now 
     1339 */ 
     1340function get_ephemeral_key($valid_after_seconds, $aditionnal_data_to_hash = '') 
     1341{ 
     1342        global $conf; 
     1343        $time = round(microtime(true), 1); 
     1344        return $time.':'.$valid_after_seconds.':' 
     1345                .hash_hmac( 
     1346                        'md5',  
     1347                        $time.substr($_SERVER['REMOTE_ADDR'],0,5).$valid_after_seconds.$aditionnal_data_to_hash,  
     1348                        $conf['secret_key']); 
     1349} 
     1350 
     1351function verify_ephemeral_key($key, $aditionnal_data_to_hash = '') 
     1352{ 
     1353        global $conf; 
     1354        $time = microtime(true); 
     1355        $key = explode( ':', @$key ); 
     1356        if ( count($key)!=3 
     1357                or $key[0]>$time-(float)$key[1] // page must have been retrieved more than X sec ago 
     1358                or $key[0]<$time-3600 // 60 minutes expiration 
     1359                or hash_hmac( 
     1360                          'md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key'] 
     1361                        ) != $key[2] 
     1362          ) 
     1363        { 
     1364                return false; 
     1365        } 
     1366        return true; 
    13551367} 
    13561368 
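Review bot: The HMAC check in verify_ephemeral_key (new line 1361) compares the computed digest with `!=`, which is a loose comparison: two hex digests that both look like `0e` followed only by digits compare equal as numbers, so the tag check can succeed for a digest that does not actually match; change it to `) !== $key[2]` (and prefer `hash_equals()` where the deployed PHP version provides it, for a constant-time compare). The HMAC input on new lines 1347 and 1360 concatenates the timestamp, IP prefix, validity seconds and the extra data with no delimiter, so different (valid_after_seconds, data) pairs can yield the same string; keep the `':'` separators the removed get_comment_post_key used, e.g. `$time.':'.substr($_SERVER['REMOTE_ADDR'],0,5).':'.$valid_after_seconds.':'.$aditionnal_data_to_hash`, identically in both functions. verify_ephemeral_key has no docblock; a header along the lines of `/** verifies a key from get_ephemeral_key: same client IP prefix, at least valid_after seconds old, less than 60 minutes old; returns bool */` would document the contract, and `$aditionnal_data_to_hash` is misspelled in both signatures. The `@$key` on new line 1355 hides a non-string `$key` rather than rejecting it; since the function already returns false on a malformed key, an explicit `if (!is_string($key)) return false;` is clearer.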
  • trunk/include/functions_comment.inc.php

    r6604 r7495  
    120120  } 
    121121 
    122   $key = explode( ':', @$key ); 
    123   if ( count($key)!=2 
    124         or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago 
    125         or $key[0]<time()-3600 // 60 minutes expiration 
    126         or hash_hmac( 
    127               'md5', $key[0].':'.$comm['image_id'], $conf['secret_key'] 
    128             ) != $key[1] 
    129       ) 
     122  if ( !verify_ephemeral_key(@$key, $comm['image_id']) ) 
    130123  { 
    131124    $comment_action='reject'; 
     
    249242  $comment_action = 'validate'; 
    250243 
    251   $key = explode( ':', $post_key ); 
    252   if ( count($key)!=2 
    253        or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago 
    254        or $key[0]<time()-3600 // 60 minutes expiration 
    255        or hash_hmac('md5', $key[0].':'.$comment['image_id'], $conf['secret_key'] 
    256                     ) != $key[1] 
    257        ) 
     244  if ( !verify_ephemeral_key($post_key, $comment['image_id']) ) 
    258245  { 
    259246    $comment_action='reject'; 
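Review bot: The two call sites are inconsistent in how they pass the key: new line 122 writes `verify_ephemeral_key(@$key, ...)` while new line 244 passes `$post_key` bare, and the `@` is redundant because verify_ephemeral_key suppresses on its own `explode()`; drop it at line 122 so a missing variable is visible as a notice. Both hunks lie inside functions whose start and end are outside this section, so where `$key` and `$post_key` come from cannot be confirmed here.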
  • trunk/include/picture_comment.inc.php

    r6437 r7495  
    199199        { 
    200200          $tpl_comment['IN_EDIT'] = true; 
    201           $key = get_comment_post_key($page['image_id']); 
     201          $key = get_comment_post_key(2, $page['image_id']); 
    202202          $tpl_comment['KEY'] = $key; 
    203203          $tpl_comment['CONTENT'] = $row['content']; 
     
    234234  if ($show_add_comment_form) 
    235235  { 
    236     $key = get_comment_post_key($page['image_id']); 
     236    $key = get_ephemeral_key(3, $page['image_id']); 
    237237    $content = ''; 
    238238    if ('reject'===@$comment_action) 
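Review bot: The edit branch at new line 201 still calls `get_comment_post_key(2, $page['image_id'])`, but this changeset removes get_comment_post_key from functions.inc.php, so editing a comment from the picture page will fail with an undefined-function error; it should read `$key = get_ephemeral_key(2, $page['image_id']);` as comments.php and ws_functions.inc.php now do. Both hunks sit inside blocks whose start and end are outside the section.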
  • trunk/include/ws_functions.inc.php

    r7212 r7495  
    726726  { 
    727727    $comment_post_data['author'] = stripslashes($user['username']); 
    728     $comment_post_data['key'] = get_comment_post_key($params['image_id']); 
     728    $comment_post_data['key'] = get_ephemeral_key(2, $params['image_id']); 
    729729  } 
    730730 
  • trunk/register.php

    r6363 r7495  
    4141if (isset($_POST['submit'])) 
    4242{ 
     43  if (!verify_ephemeral_key(@$_POST['key'])) 
     44  { 
     45                set_status_header(403); 
     46    array_push($errors, 'Invalid/expired form key'); 
     47  } 
     48 
    4349  if ($_POST['password'] != $_POST['password_conf']) 
    4450  { 
     
    4753 
    4854  $errors = 
    49       register_user(htmlspecialchars($_POST['login'],ENT_COMPAT,'utf-8'), 
     55      register_user($_POST['login'], 
    5056                    $_POST['password'], 
    5157                    $_POST['mail_address'], 
     
    5965    redirect(make_index_url()); 
    6066  } 
     67        $registration_post_key = get_ephemeral_key(2); 
     68} 
     69else 
     70{ 
     71        $registration_post_key = get_ephemeral_key(6); 
    6172} 
    6273 
    63 $login = !empty($_POST['login'])?$_POST['login']:''; 
    64 $email = !empty($_POST['mail_address'])?$_POST['mail_address']:''; 
     74$login = !empty($_POST['login'])?htmlspecialchars(stripslashes($_POST['login'])):''; 
     75$email = !empty($_POST['mail_address'])?htmlspecialchars(stripslashes($_POST['mail_address'])):''; 
    6576 
    6677//----------------------------------------------------- template initialization 
     
    7586$template->assign(array( 
    7687  'U_HOME' => make_index_url(), 
    77  
     88        'F_KEY' => $registration_post_key, 
    7889  'F_ACTION' => 'register.php', 
    79   'F_LOGIN' => htmlspecialchars($login, ENT_QUOTES, 'utf-8'), 
    80   'F_EMAIL' => htmlspecialchars($email, ENT_QUOTES, 'utf-8') 
     90  'F_LOGIN' => $login, 
     91  'F_EMAIL' => $email 
    8192  )); 
    8293 
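Review bot: The new key check at lines 43-47 records an error but does not stop the request: execution continues through the password check into `$errors = register_user(...)` at line 54, so whether a post with a bad key still creates the account depends on register_user receiving and preserving the `$errors` it is handed, which the hunk does not show. Guarding the call, e.g. `if (count($errors) == 0) { $errors = register_user(...); }`, makes the rejection explicit regardless of register_user's contract. Separately, lines 74-75 now escape with plain `htmlspecialchars()` where the removed lines 79-80 used `ENT_QUOTES, 'utf-8'`; the default flags leave single quotes unescaped, so keep `htmlspecialchars(stripslashes($_POST['login']), ENT_QUOTES, 'utf-8')` unless the template only ever places these values in double-quoted attributes. The unconditional stripslashes() also assumes magic_quotes_gpc is on; if that is not guaranteed by the installer, legitimate backslashes in the input are silently dropped.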
  • trunk/themes/default/template/register.tpl

    r5164 r7495  
    5555 
    5656  <p class="bottomButtons"> 
     57                <input type="hidden" name="key" value="{$F_KEY}" > 
    5758    <input class="submit" type="submit" name="submit" value="{'Register'|@translate}"> 
    5859    <input class="submit" type="reset" value="{'Reset'|@translate}"> 