Changeset 7495
- Timestamp:
- Oct 30, 2010, 1:32:11 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 7 edited
trunk/comments.php
r7488 r7495 505 505 { 506 506 $tpl_comment['IN_EDIT'] = true; 507 $key = get_ comment_post_key($comment['image_id']);507 $key = get_ephemeral_key(2, $comment['image_id']); 508 508 $tpl_comment['KEY'] = $key; 509 509 $tpl_comment['IMAGE_ID'] = $comment['image_id']; -
trunk/include/functions.inc.php
r6947 r7495 1334 1334 1335 1335 /** 1336 * returns a "secret key" that is to be sent back when a user enters a comment 1337 * 1338 * @param int image_id 1339 */ 1340 function get_comment_post_key($image_id) 1341 { 1342 global $conf; 1343 1344 $time = time(); 1345 1346 return sprintf( 1347 '%s:%s', 1348 $time, 1349 hash_hmac( 1350 'md5', 1351 $time.':'.$image_id, 1352 $conf['secret_key'] 1353 ) 1354 ); 1336 * returns a "secret key" that is to be sent back when a user posts a form 1337 * 1338 * @param int valid_after_seconds - key validity start time from now 1339 */ 1340 function get_ephemeral_key($valid_after_seconds, $aditionnal_data_to_hash = '') 1341 { 1342 global $conf; 1343 $time = round(microtime(true), 1); 1344 return $time.':'.$valid_after_seconds.':' 1345 .hash_hmac( 1346 'md5', 1347 $time.substr($_SERVER['REMOTE_ADDR'],0,5).$valid_after_seconds.$aditionnal_data_to_hash, 1348 $conf['secret_key']); 1349 } 1350 1351 function verify_ephemeral_key($key, $aditionnal_data_to_hash = '') 1352 { 1353 global $conf; 1354 $time = microtime(true); 1355 $key = explode( ':', @$key ); 1356 if ( count($key)!=3 1357 or $key[0]>$time-(float)$key[1] // page must have been retrieved more than X sec ago 1358 or $key[0]<$time-3600 // 60 minutes expiration 1359 or hash_hmac( 1360 'md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key'] 1361 ) != $key[2] 1362 ) 1363 { 1364 return false; 1365 } 1366 return true; 1355 1367 } 1356 1368 -
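Review bot: verify_ephemeral_key compares the recomputed HMAC with the client-supplied `$key[2]` using `!=`, a loose comparison under which two hex digests of the form `0e…` followed by digits compare equal as numbers, and which is not a constant-time compare. At minimum use `!==`; where the project's PHP baseline allows, `or !hash_equals(hash_hmac('md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key']), $key[2])` is the intended form. The docblock of get_ephemeral_key only describes valid_after_seconds; add `@param string aditionnal_data_to_hash - extra data bound into the signature, must be passed identically to verify_ephemeral_key` so callers know the two sides have to agree. Binding the key to `substr($_SERVER['REMOTE_ADDR'],0,5)` is a lossy tie (roughly one and a half IPv4 octets, and an odd prefix for IPv6); presumably deliberate for NAT tolerance, but a comment stating that intent would prevent it being "fixed" later.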
trunk/include/functions_comment.inc.php
r6604 r7495 120 120 } 121 121 122 $key = explode( ':', @$key ); 123 if ( count($key)!=2 124 or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago 125 or $key[0]<time()-3600 // 60 minutes expiration 126 or hash_hmac( 127 'md5', $key[0].':'.$comm['image_id'], $conf['secret_key'] 128 ) != $key[1] 129 ) 122 if ( !verify_ephemeral_key(@$key, $comm['image_id']) ) 130 123 { 131 124 $comment_action='reject'; … … 249 242 $comment_action = 'validate'; 250 243 251 $key = explode( ':', $post_key ); 252 if ( count($key)!=2 253 or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago 254 or $key[0]<time()-3600 // 60 minutes expiration 255 or hash_hmac('md5', $key[0].':'.$comment['image_id'], $conf['secret_key'] 256 ) != $key[1] 257 ) 244 if ( !verify_ephemeral_key($post_key, $comment['image_id']) ) 258 245 { 259 246 $comment_action='reject'; -
trunk/include/picture_comment.inc.php
r6437 r7495 199 199 { 200 200 $tpl_comment['IN_EDIT'] = true; 201 $key = get_comment_post_key( $page['image_id']);201 $key = get_comment_post_key(2, $page['image_id']); 202 202 $tpl_comment['KEY'] = $key; 203 203 $tpl_comment['CONTENT'] = $row['content']; … … 234 234 if ($show_add_comment_form) 235 235 { 236 $key = get_ comment_post_key($page['image_id']);236 $key = get_ephemeral_key(3, $page['image_id']); 237 237 $content = ''; 238 238 if ('reject'===@$comment_action) -
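Review bot: The new line 201 still calls `get_comment_post_key(2, $page['image_id'])`, but this changeset removes get_comment_post_key from functions.inc.php and the old function never accepted a delay argument, so the comment-edit path now ends in an undefined-function error while the add-comment path at line 236 was switched correctly. It should read `$key = get_ephemeral_key(2, $page['image_id']);` to match the other call sites in this changeset.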
trunk/include/ws_functions.inc.php
r7212 r7495 726 726 { 727 727 $comment_post_data['author'] = stripslashes($user['username']); 728 $comment_post_data['key'] = get_ comment_post_key($params['image_id']);728 $comment_post_data['key'] = get_ephemeral_key(2, $params['image_id']); 729 729 } 730 730 -
trunk/register.php
r6363 r7495 41 41 if (isset($_POST['submit'])) 42 42 { 43 if (!verify_ephemeral_key(@$_POST['key'])) 44 { 45 set_status_header(403); 46 array_push($errors, 'Invalid/expired form key'); 47 } 48 43 49 if ($_POST['password'] != $_POST['password_conf']) 44 50 { … … 47 53 48 54 $errors = 49 register_user( htmlspecialchars($_POST['login'],ENT_COMPAT,'utf-8'),55 register_user($_POST['login'], 50 56 $_POST['password'], 51 57 $_POST['mail_address'], … … 59 65 redirect(make_index_url()); 60 66 } 67 $registration_post_key = get_ephemeral_key(2); 68 } 69 else 70 { 71 $registration_post_key = get_ephemeral_key(6); 61 72 } 62 73 63 $login = !empty($_POST['login'])? $_POST['login']:'';64 $email = !empty($_POST['mail_address'])? $_POST['mail_address']:'';74 $login = !empty($_POST['login'])?htmlspecialchars(stripslashes($_POST['login'])):''; 75 $email = !empty($_POST['mail_address'])?htmlspecialchars(stripslashes($_POST['mail_address'])):''; 65 76 66 77 //----------------------------------------------------- template initialization … … 75 86 $template->assign(array( 76 87 'U_HOME' => make_index_url(), 77 88 'F_KEY' => $registration_post_key, 78 89 'F_ACTION' => 'register.php', 79 'F_LOGIN' => htmlspecialchars($login, ENT_QUOTES, 'utf-8'),80 'F_EMAIL' => htmlspecialchars($email, ENT_QUOTES, 'utf-8')90 'F_LOGIN' => $login, 91 'F_EMAIL' => $email 81 92 )); 82 93 -
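Review bot: The re-display escaping at lines 74-75 drops the `ENT_QUOTES` and `'utf-8'` arguments that the removed lines 79-80 passed, so a login or address containing a single quote is no longer escaped and the charset falls back to the PHP default; keep them: `$login = !empty($_POST['login']) ? htmlspecialchars(stripslashes($_POST['login']), ENT_QUOTES, 'utf-8') : '';` and likewise for `$email`. The unconditional `stripslashes()` is only correct when magic_quotes_gpc is on; if the project already un-quotes input centrally this double-strips, which I cannot confirm from the visible lines. The new key check at lines 43-47 sends a 403 but then falls through to the password check and the `register_user()` call; it appears `$errors` is handed to and returned by register_user (its trailing arguments are outside the visible lines), so the rejection only holds if that is the case, and wrapping the registration in `if (count($errors) == 0)` would make the intent explicit.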
trunk/themes/default/template/register.tpl
r5164 r7495 55 55 56 56 <p class="bottomButtons"> 57 <input type="hidden" name="key" value="{$F_KEY}" > 57 58 <input class="submit" type="submit" name="submit" value="{'Register'|@translate}"> 58 59 <input class="submit" type="reset" value="{'Reset'|@translate}">