Changeset 7495 for trunk/include

Timestamp:

Oct 30, 2010, 1:32:11 PM (13 years ago)

Author:

rvelices

Message:

feature 1915: add protection on user registration against robots

Location:

trunk/include

Files:

• functions.inc.php (modified) (1 diff)
• functions_comment.inc.php (modified) (2 diffs)
• picture_comment.inc.php (modified) (2 diffs)
• ws_functions.inc.php (modified) (1 diff)

trunk/include/functions.inc.php

@@ -1334 +1334 @@
 
 /**
- * returns a "secret key" that is to be sent back when a user enters a comment
- *
- * @param int image_id
- */
-function get_comment_post_key($image_id)
-{
-  global $conf;
-
-  $time = time();
-
-  return sprintf(
-    '%s:%s',
-    $time,
-    hash_hmac(
-      'md5',
-      $time.':'.$image_id,
-      $conf['secret_key']
-      )
-    );
+ * returns a "secret key" that is to be sent back when a user posts a form
+ *
+ * @param int valid_after_seconds - key validity start time from now
+ */
+function get_ephemeral_key($valid_after_seconds, $aditionnal_data_to_hash = '')
+{
+        global $conf;
+        $time = round(microtime(true), 1);
+        return $time.':'.$valid_after_seconds.':'
+                .hash_hmac(
+                        'md5', 
+                        $time.substr($_SERVER['REMOTE_ADDR'],0,5).$valid_after_seconds.$aditionnal_data_to_hash, 
+                        $conf['secret_key']);
+}
+
+function verify_ephemeral_key($key, $aditionnal_data_to_hash = '')
+{
+        global $conf;
+        $time = microtime(true);
+        $key = explode( ':', @$key );
+        if ( count($key)!=3
+                or $key[0]>$time-(float)$key[1] // page must have been retrieved more than X sec ago
+                or $key[0]<$time-3600 // 60 minutes expiration
+                or hash_hmac(
+                          'md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key']
+                        ) != $key[2]
+          )
+        {
+                return false;
+        }
+        return true;
 }
 

trunk/include/functions_comment.inc.php

@@ -120 +120 @@
   }
 
-  $key = explode( ':', @$key );
-  if ( count($key)!=2
-        or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
-        or $key[0]<time()-3600 // 60 minutes expiration
-        or hash_hmac(
-              'md5', $key[0].':'.$comm['image_id'], $conf['secret_key']
-            ) != $key[1]
-      )
+  if ( !verify_ephemeral_key(@$key, $comm['image_id']) )
   {
     $comment_action='reject';
@@ -249 +242 @@
   $comment_action = 'validate';
 
-  $key = explode( ':', $post_key );
-  if ( count($key)!=2
-       or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
-       or $key[0]<time()-3600 // 60 minutes expiration
-       or hash_hmac('md5', $key[0].':'.$comment['image_id'], $conf['secret_key']
-                    ) != $key[1]
-       )
+  if ( !verify_ephemeral_key($post_key, $comment['image_id']) )
   {
     $comment_action='reject';

trunk/include/picture_comment.inc.php

@@ -199 +199 @@
         {
           $tpl_comment['IN_EDIT'] = true;
-          $key = get_comment_post_key($page['image_id']);
+          $key = get_comment_post_key(2, $page['image_id']);
           $tpl_comment['KEY'] = $key;
           $tpl_comment['CONTENT'] = $row['content'];
@@ -234 +234 @@
   if ($show_add_comment_form)
   {
-    $key = get_comment_post_key($page['image_id']);
+    $key = get_ephemeral_key(3, $page['image_id']);
     $content = '';
     if ('reject'===@$comment_action)

trunk/include/ws_functions.inc.php

@@ -726 +726 @@
   {
     $comment_post_data['author'] = stripslashes($user['username']);
-    $comment_post_data['key'] = get_comment_post_key($params['image_id']);
+    $comment_post_data['key'] = get_ephemeral_key(2, $params['image_id']);
   }