Changeset 7495 for trunk/include
- Timestamp:
- Oct 30, 2010, 1:32:11 PM (13 years ago)
- Location:
- trunk/include
- Files:
-
- 4 edited
trunk/include/functions.inc.php
r6947 r7495 1334 1334 1335 1335 /** 1336 * returns a "secret key" that is to be sent back when a user enters a comment 1337 * 1338 * @param int image_id 1339 */ 1340 function get_comment_post_key($image_id) 1341 { 1342 global $conf; 1343 1344 $time = time(); 1345 1346 return sprintf( 1347 '%s:%s', 1348 $time, 1349 hash_hmac( 1350 'md5', 1351 $time.':'.$image_id, 1352 $conf['secret_key'] 1353 ) 1354 ); 1336 * returns a "secret key" that is to be sent back when a user posts a form 1337 * 1338 * @param int valid_after_seconds - key validity start time from now 1339 */ 1340 function get_ephemeral_key($valid_after_seconds, $aditionnal_data_to_hash = '') 1341 { 1342 global $conf; 1343 $time = round(microtime(true), 1); 1344 return $time.':'.$valid_after_seconds.':' 1345 .hash_hmac( 1346 'md5', 1347 $time.substr($_SERVER['REMOTE_ADDR'],0,5).$valid_after_seconds.$aditionnal_data_to_hash, 1348 $conf['secret_key']); 1349 } 1350 1351 function verify_ephemeral_key($key, $aditionnal_data_to_hash = '') 1352 { 1353 global $conf; 1354 $time = microtime(true); 1355 $key = explode( ':', @$key ); 1356 if ( count($key)!=3 1357 or $key[0]>$time-(float)$key[1] // page must have been retrieved more than X sec ago 1358 or $key[0]<$time-3600 // 60 minutes expiration 1359 or hash_hmac( 1360 'md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key'] 1361 ) != $key[2] 1362 ) 1363 { 1364 return false; 1365 } 1366 return true; 1355 1367 } 1356 1368 -
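Review bot: In verify_ephemeral_key the computed HMAC is compared to the client-supplied `$key[2]` with a loose `!=`; PHP's loose comparison treats numeric-looking strings as numbers, so two different hex digests of the form `0e` followed only by digits compare equal, and the check should be strict, `) !== $key[2]`, or a constant-time string comparison where available. The HMAC input in both get_ephemeral_key and verify_ephemeral_key juxtaposes the timestamp, the REMOTE_ADDR prefix, the validity offset and the additional data with no separator, unlike the `':'`-delimited input of the replaced get_comment_post_key, so different field combinations can map to the same signed string; inserting `':'` between each field, e.g. `$time.':'.substr($_SERVER['REMOTE_ADDR'],0,5).':'.$valid_after_seconds.':'.$aditionnal_data_to_hash` (and the same in the verifier), keeps the signature unambiguous. The docblock of get_ephemeral_key documents only the first parameter, and the second is misspelled; `@param string additional_data_to_hash - extra data bound into the key (e.g. an image id)` with the parameter renamed accordingly would cover it, and verify_ephemeral_key has no docblock at all.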
trunk/include/functions_comment.inc.php
r6604 r7495 120 120 } 121 121 122 $key = explode( ':', @$key ); 123 if ( count($key)!=2 124 or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago 125 or $key[0]<time()-3600 // 60 minutes expiration 126 or hash_hmac( 127 'md5', $key[0].':'.$comm['image_id'], $conf['secret_key'] 128 ) != $key[1] 129 ) 122 if ( !verify_ephemeral_key(@$key, $comm['image_id']) ) 130 123 { 131 124 $comment_action='reject'; … … 249 242 $comment_action = 'validate'; 250 243 251 $key = explode( ':', $post_key ); 252 if ( count($key)!=2 253 or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago 254 or $key[0]<time()-3600 // 60 minutes expiration 255 or hash_hmac('md5', $key[0].':'.$comment['image_id'], $conf['secret_key'] 256 ) != $key[1] 257 ) 244 if ( !verify_ephemeral_key($post_key, $comment['image_id']) ) 258 245 { 259 246 $comment_action='reject'; -
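Review bot: The new call at line 122, `if ( !verify_ephemeral_key(@$key, $comm['image_id']) )`, keeps the `@` suppression on `$key` even though verify_ephemeral_key already applies `@$key` to its argument, so the operator is redundant here and hides an undefined-variable notice that would otherwise point at the missing input; `isset($key) ? $key : ''` (or passing `$key` once it is known to be set) makes the intent explicit. The second call at line 244 passes `$post_key` without suppression, which is the clearer form. Both enclosing functions start and end outside this section.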
trunk/include/picture_comment.inc.php
r6437 r7495 199 199 { 200 200 $tpl_comment['IN_EDIT'] = true; 201 $key = get_comment_post_key( $page['image_id']);201 $key = get_comment_post_key(2, $page['image_id']); 202 202 $tpl_comment['KEY'] = $key; 203 203 $tpl_comment['CONTENT'] = $row['content']; … … 234 234 if ($show_add_comment_form) 235 235 { 236 $key = get_ comment_post_key($page['image_id']);236 $key = get_ephemeral_key(3, $page['image_id']); 237 237 $content = ''; 238 238 if ('reject'===@$comment_action) -
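Review bot: Line 201 on the new side still calls `get_comment_post_key(2, $page['image_id'])`, while the functions.inc.php section of this changeset appears to replace the get_comment_post_key definition with get_ephemeral_key, so the edit-comment path would hit an undefined function; the call should read `$key = get_ephemeral_key(2, $page['image_id']);` like the add-comment path at line 236. The two paths also use different validity offsets (2 and 3 seconds) with no comment explaining why; if the difference is intentional, a one-line comment at each call site stating the reason would help, otherwise a single shared value would be clearer. The enclosing code around both hunks starts and ends outside this section.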
trunk/include/ws_functions.inc.php
r7212 r7495 726 726 { 727 727 $comment_post_data['author'] = stripslashes($user['username']); 728 $comment_post_data['key'] = get_ comment_post_key($params['image_id']);728 $comment_post_data['key'] = get_ephemeral_key(2, $params['image_id']); 729 729 } 730 730