Changeset 7495


Timestamp:
Oct 30, 2010, 1:32:11 PM (10 years ago)
Author:
rvelices
Message:

feature 1915: add protection on user registration against robots

Location:
trunk
Files:
7 edited

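--- a/trunk/comments.php
+++ b/trunk/comments.php
@@ -505,5 +505,5 @@
       {
         $tpl_comment['IN_EDIT'] = true;
-        $key = get_comment_post_key($comment['image_id']);
+        $key = get_ephemeral_key(2, $comment['image_id']);
         $tpl_comment['KEY'] = $key;
         $tpl_comment['IMAGE_ID'] = $comment['image_id'];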
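--- a/trunk/include/functions.inc.php
+++ b/trunk/include/functions.inc.php
@@ -1334,23 +1334,35 @@
 
 /**
- * returns a "secret key" that is to be sent back when a user enters a comment
- *
- * @param int image_id
- */
-function get_comment_post_key($image_id)
-{
-  global $conf;
-
-  $time = time();
-
-  return sprintf(
-    '%s:%s',
-    $time,
-    hash_hmac(
-      'md5',
-      $time.':'.$image_id,
-      $conf['secret_key']
-      )
-    );
+ * returns a "secret key" that is to be sent back when a user posts a form
+ *
+ * @param int valid_after_seconds - key validity start time from now
+ */
+function get_ephemeral_key($valid_after_seconds, $aditionnal_data_to_hash = '')
+{
+        global $conf;
+        $time = round(microtime(true), 1);
+        return $time.':'.$valid_after_seconds.':'
+                .hash_hmac(
+                        'md5',
+                        $time.substr($_SERVER['REMOTE_ADDR'],0,5).$valid_after_seconds.$aditionnal_data_to_hash,
+                        $conf['secret_key']);
+}
+
+function verify_ephemeral_key($key, $aditionnal_data_to_hash = '')
+{
+        global $conf;
+        $time = microtime(true);
+        $key = explode( ':', @$key );
+        if ( count($key)!=3
+                or $key[0]>$time-(float)$key[1] // page must have been retrieved more than X sec ago
+                or $key[0]<$time-3600 // 60 minutes expiration
+                or hash_hmac(
+                          'md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key']
+                        ) != $key[2]
+          )
+        {
+                return false;
+        }
+        return true;
 }
 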
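Review bot: verify_ephemeral_key checks the HMAC with a loose `!=`, which in PHP compares two numeric-looking strings by value (a digest of the form `0e…` equals a supplied `0`); make it `) !== $key[2]` (or `hash_equals()` where the PHP version offers it). The HMAC input joins `$time`, the address prefix, `$valid_after_seconds` and the extra data with no delimiter, so field boundaries are ambiguous: a key issued by `get_ephemeral_key(2, 34)` hashes `…"2"."34"`, and the same key with its second field rewritten to `23` verifies for image 4 because `…"23"."4"` is the identical input — joining the fields with `':'`, as the removed get_comment_post_key did, closes that. Nothing in the key is per-session or single-use, so any key is accepted for an hour from the same 5-character address prefix and a scripted client can fetch one and replay it; this is a minimum-delay check, not a replay or CSRF guard, and the docblock should say so rather than call it a "secret key".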
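--- a/trunk/include/functions_comment.inc.php
+++ b/trunk/include/functions_comment.inc.php
@@ -120,12 +120,5 @@
   }
 
-  $key = explode( ':', @$key );
-  if ( count($key)!=2
-        or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
-        or $key[0]<time()-3600 // 60 minutes expiration
-        or hash_hmac(
-              'md5', $key[0].':'.$comm['image_id'], $conf['secret_key']
-            ) != $key[1]
-      )
+  if ( !verify_ephemeral_key(@$key, $comm['image_id']) )
   {
     $comment_action='reject';
@@ -249,11 +242,5 @@
   $comment_action = 'validate';
 
-  $key = explode( ':', $post_key );
-  if ( count($key)!=2
-       or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
-       or $key[0]<time()-3600 // 60 minutes expiration
-       or hash_hmac('md5', $key[0].':'.$comment['image_id'], $conf['secret_key']
-                    ) != $key[1]
-       )
+  if ( !verify_ephemeral_key($post_key, $comment['image_id']) )
   {
     $comment_action='reject';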
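--- a/trunk/include/picture_comment.inc.php
+++ b/trunk/include/picture_comment.inc.php
@@ -199,5 +199,5 @@
         {
           $tpl_comment['IN_EDIT'] = true;
-          $key = get_comment_post_key($page['image_id']);
+          $key = get_comment_post_key(2, $page['image_id']);
           $tpl_comment['KEY'] = $key;
           $tpl_comment['CONTENT'] = $row['content'];
@@ -234,5 +234,5 @@
   if ($show_add_comment_form)
   {
-    $key = get_comment_post_key($page['image_id']);
+    $key = get_ephemeral_key(3, $page['image_id']);
     $content = '';
     if ('reject'===@$comment_action)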
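Review bot: The edit-comment path at new line 201 still calls `get_comment_post_key(2, $page['image_id'])`, but this changeset removes get_comment_post_key from functions.inc.php, so editing a comment from the picture page would fail with an undefined-function error and no key would be issued; the line should read `$key = get_ephemeral_key(2, $page['image_id']);`, matching the add-form path at line 236 and the identical call in comments.php. The conditional enclosing line 201 starts and ends outside the hunk.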
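--- a/trunk/include/ws_functions.inc.php
+++ b/trunk/include/ws_functions.inc.php
@@ -726,5 +726,5 @@
   {
     $comment_post_data['author'] = stripslashes($user['username']);
-    $comment_post_data['key'] = get_comment_post_key($params['image_id']);
+    $comment_post_data['key'] = get_ephemeral_key(2, $params['image_id']);
   }
 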
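--- a/trunk/register.php
+++ b/trunk/register.php
@@ -41,4 +41,10 @@
 if (isset($_POST['submit']))
 {
+  if (!verify_ephemeral_key(@$_POST['key']))
+  {
+                set_status_header(403);
+    array_push($errors, 'Invalid/expired form key');
+  }
+
   if ($_POST['password'] != $_POST['password_conf'])
   {
@@ -47,5 +53,5 @@
 
   $errors =
-      register_user(htmlspecialchars($_POST['login'],ENT_COMPAT,'utf-8'),
+      register_user($_POST['login'],
                     $_POST['password'],
                     $_POST['mail_address'],
@@ -59,8 +65,13 @@
     redirect(make_index_url());
   }
+        $registration_post_key = get_ephemeral_key(2);
+}
+else
+{
+        $registration_post_key = get_ephemeral_key(6);
 }
 
-$login = !empty($_POST['login'])?$_POST['login']:'';
-$email = !empty($_POST['mail_address'])?$_POST['mail_address']:'';
+$login = !empty($_POST['login'])?htmlspecialchars(stripslashes($_POST['login'])):'';
+$email = !empty($_POST['mail_address'])?htmlspecialchars(stripslashes($_POST['mail_address'])):'';
 
 //----------------------------------------------------- template initialization
@@ -75,8 +86,8 @@
 $template->assign(array(
   'U_HOME' => make_index_url(),
-
+        'F_KEY' => $registration_post_key,
   'F_ACTION' => 'register.php',
-  'F_LOGIN' => htmlspecialchars($login, ENT_QUOTES, 'utf-8'),
-  'F_EMAIL' => htmlspecialchars($email, ENT_QUOTES, 'utf-8')
+  'F_LOGIN' => $login,
+  'F_EMAIL' => $email
   ));
 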
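Review bot: A failed key check at new lines 43-47 only sets a 403 status and pushes an error, after which execution still reaches the password check and the `register_user(...)` call at line 55, so whether a bad key actually blocks account creation depends on register_user refusing when `$errors` is already non-empty — that function is outside this diff, and guarding the call locally, `if (count($errors) == 0) { $errors = register_user(...); }`, would make the intent explicit. The new output escaping at lines 74-75 drops the `ENT_QUOTES, 'utf-8'` arguments that the removed `F_LOGIN`/`F_EMAIL` assignments passed; restoring `htmlspecialchars(..., ENT_QUOTES, 'utf-8')` keeps the values safe inside single-quoted attributes and under PHP's pre-5.4 default charset. The unconditional `stripslashes()` presumes the request values arrive slash-escaped (magic-quotes style), which the framework's input normalisation may guarantee but this file does not show — worth confirming, since otherwise legitimate backslashes in a login are silently lost. The `if (isset($_POST['submit']))` block spans several hunks and its middle is not visible here.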
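--- a/trunk/themes/default/template/register.tpl
+++ b/trunk/themes/default/template/register.tpl
@@ -55,4 +55,5 @@
 
   <p class="bottomButtons">
+                <input type="hidden" name="key" value="{$F_KEY}" >
     <input class="submit" type="submit" name="submit" value="{'Register'|@translate}">
     <input class="submit" type="reset" value="{'Reset'|@translate}">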