Timestamp:
Dec 17, 2009, 11:47:31 PM (14 years ago)
Author:
plg
Message:

bug 1328: implement check_pwg_token for emails on user comments management.

The check_pwg_token and get_pwg_token functions were moved to the public side
(for use on comments.php)

The email sent to admins on a new user comment does not directly include
validate/delete actions.

File:
1 edited

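--- a/branches/2.0/include/functions.inc.php
+++ b/branches/2.0/include/functions.inc.php
@@ -1536,3 +1536,36 @@
   }
 }
+
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token
+ */
+function check_pwg_token()
+{
+  $valid_token = get_pwg_token();
+  $given_token = null;
+
+  if (!empty($_POST['pwg_token']))
+  {
+    $given_token = $_POST['pwg_token'];
+  }
+  elseif (!empty($_GET['pwg_token']))
+  {
+    $given_token = $_GET['pwg_token'];
+  }
+  if ($given_token != $valid_token)
+  {
+    access_denied();
+  }
+}
+
+function get_pwg_token()
+{
+  global $conf;
+
+  return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
 ?>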
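Review bot: The comparison `if ($given_token != $valid_token)` at new line 1559 is loose; both sides are strings, and PHP compares numeric-looking strings (for example digit runs containing an `e`) as numbers, so a token can pass without being byte-identical to the server token. Use `if ($given_token !== $valid_token)` here, and prefer a constant-time comparison (`hash_equals()`) on PHP versions that provide it. The docblock also disagrees with the code: it says an empty pwg_token means the action does not require a token, but a missing token leaves `$given_token` null, which fails the comparison and calls `access_denied()`; rewording that line to `* if no pwg_token is given the request is denied` (and fixing `comming` to `coming`) would match the behaviour. `get_pwg_token()` has no docblock; a one-liner such as `/** Returns the per-session CSRF token: HMAC of session_id() keyed with $conf['secret_key']. */` would help readers of comments.php.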