author | plegall <plg@piwigo.org> | 2010-03-19 22:25:39 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2010-03-19 22:25:39 +0000 |
commit | c695136e4d75695178a9fc848a7cf6bfa2b9346c (patch) | |
tree | efba21de4995d7bd6b2f792e6d118a8e6e6bd405 /include | |
parent | ff7e537e2b4bceaef241096a377d12af4b917c43 (diff) |
bug 1328: backport the pwg_token on trunk
bug 1329: backport the check_input_parameter on trunk
feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring
on this feature to make the code simpler and easier to maintain (I hope).
git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r-- | include/constants.php | 3 | ||||
-rw-r--r-- | include/functions.inc.php | 82 | ||||
-rw-r--r-- | include/functions_comment.inc.php | 55 | ||||
-rw-r--r-- | include/functions_user.inc.php | 39 | ||||
-rw-r--r-- | include/picture_comment.inc.php | 44 |
5 files changed, 185 insertions, 38 deletions
diff --git a/include/constants.php b/include/constants.php index ea5378e94..69b746474 100644 --- a/include/constants.php +++ b/include/constants.php @@ -40,6 +40,9 @@ define('ACCESS_ADMINISTRATOR', 3); define('ACCESS_WEBMASTER', 4); define('ACCESS_CLOSED', 5); +// Sanity checks +define('PATTERN_ID', '/^\d+$/'); + // Table names if (!defined('CATEGORIES_TABLE')) define('CATEGORIES_TABLE', $prefixeTable.'categories'); diff --git a/include/functions.inc.php b/include/functions.inc.php index 91738090f..092fe15a4 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php 
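Review bot: `PATTERN_ID` in include/constants.php ends with `$`, which in PCRE also matches just before a trailing newline, so a value made of digits followed by a newline still passes the sanity check. Anchor the end absolutely instead: `define('PATTERN_ID', '/^\d+\z/');` (or keep `$` and add the `D` modifier). This matters because get_comment_author_id() in the same commit concatenates an id into SQL text, and this pattern is presumably the guard in front of it. The `// Sanity checks` comment could also say that the pattern accepts unsigned decimal identifiers only.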
@@ -1482,4 +1482,86 @@ function get_icon($date, $is_child_date = false) return $cache['get_icon'][$date] ? $icon : array(); } + +/** + * check token comming from form posted or get params to prevent csrf attacks + * if pwg_token is empty action doesn't require token + * else pwg_token is compare to server token + * + * @return void access denied if token given is not equal to server token + */ +function check_pwg_token() +{ + $valid_token = get_pwg_token(); + $given_token = null; + + if (!empty($_POST['pwg_token'])) + { + $given_token = $_POST['pwg_token']; + } + elseif (!empty($_GET['pwg_token'])) + { + $given_token = $_GET['pwg_token']; + } + if ($given_token != $valid_token) + { + access_denied(); + } +} + +function get_pwg_token() +{ + global $conf; + + return hash_hmac('md5', session_id(), $conf['secret_key']); +} + +/* + * breaks the script execution if the given value doesn't match the given + * pattern. This should happen only during hacking attempts. + * + * @param string param_name + * @param array param_array + * @param boolean is_array + * @param string pattern + * + * @return void + */ +function check_input_parameter($param_name, $param_array, $is_array, $pattern) +{ + $param_value = null; + if (isset($param_array[$param_name])) + { + $param_value = $param_array[$param_name]; + } + + // it's ok if the input parameter is null + if (empty($param_value)) + { + return true; + } + + if ($is_array) + { + if (!is_array($param_value)) + { + fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" should be an array'); + } + + foreach ($param_value as $item_to_check) + { + if (!preg_match($pattern, $item_to_check)) + { + fatal_error('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"'); + } + } + } + else + { + if (!preg_match($pattern, $param_value)) + { + fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" is not valid'); + } + } +} ?>
\ No newline at end of file diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php index a35c8ad60..0fadeb1f2 100644 --- a/include/functions_comment.inc.php +++ b/include/functions_comment.inc.php @@ -170,28 +170,25 @@ INSERT INTO '.COMMENTS_TABLE.' $comm['id'] = pwg_db_insert_id(COMMENTS_TABLE); - if (($comment_action=='validate' and $conf['email_admin_on_comment']) or - ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])) + if ($conf['email_admin_on_comment'] + or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action)) { include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php'); - $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id']; + $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id']; $keyargs_content = array ( get_l10n_args('Author: %s', stripslashes($comm['author']) ), get_l10n_args('Comment: %s', stripslashes($comm['content']) ), get_l10n_args('', ''), - get_l10n_args('Delete: %s', $del_url) + get_l10n_args('Manage this user comment: %s', $comment_url) ); - if ($comment_action!='validate') + if ('moderate' == $comment_action) { - $keyargs_content[] = - get_l10n_args('', ''); - $keyargs_content[] = - get_l10n_args('Validate: %s', - get_absolute_root_url().'comments.php?validate='.$comm['id']); + $keyargs_content[] = get_l10n_args('', ''); + $keyargs_content[] = get_l10n_args('(!) This comment requires validation', ''); } pwg_mail_notification_admins @@ -212,7 +209,6 @@ INSERT INTO '.COMMENTS_TABLE.' * * @param comment_id */ - function delete_user_comment($comment_id) { $user_where_clause = ''; if (!is_admin()) 
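Review bot: In check_pwg_token() (include/functions.inc.php) the submitted token is compared with `!=`, a loose and non-constant-time comparison under which two hex strings that both look numeric, such as `0e` followed by digits, compare equal. Prefer `if (!is_string($given_token) || !hash_equals($valid_token, $given_token)) { access_denied(); }` where hash_equals() is available, and `!==` otherwise. The docblock says an empty pwg_token means the action requires no token, but the code leaves `$given_token` as null and ends in access_denied(); the comment should say that a missing token is rejected. get_pwg_token() has no docblock, and it should state that the token is an HMAC of session_id(), so it presumably depends on a session being active before it is called. In check_input_parameter() the early `return true;` contradicts the documented `@return void`.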
@@ -337,4 +333,41 @@ function email_admin($action, $comment) $keyargs_content ); } + +function get_comment_author_id($comment_id, $die_on_error=true) +{ + $query = ' +SELECT + author_id + FROM '.COMMENTS_TABLE.' + WHERE id = '.$comment_id.' +;'; + $result = pwg_query($query); + if (pwg_db_num_rows($result) == 0) + { + if ($die_on_error) + { + fatal_error('Unknown comment identifier'); + } + else + { + return false; + } + } + + list($author_id) = pwg_db_fetch_row($result); + + return $author_id; +} + +function validate_user_comment($comment_id) +{ + $query = ' +UPDATE '.COMMENTS_TABLE.' + SET validated = "true" + , validation_date = NOW() + WHERE id = '.$comment_id.' +;'; + pwg_query($query); +} ?>
\ No newline at end of file diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index f3eb0b172..4488294f7 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php @@ -1246,19 +1246,44 @@ function is_adviser() } /* - * Return if current user can edit/delete a comment - * @param action edit/delete + * Return if current user can edit/delete/validate a comment + * @param action edit/delete/validate * @return bool */ function can_manage_comment($action, $comment_author_id) { - if (!in_array($action, array('delete','edit'))) { + global $user, $conf; + + if (is_a_guest()) + { + return false; + } + + if (!in_array($action, array('delete','edit', 'validate'))) + { return false; } - return (is_admin() || - (($GLOBALS['user']['id'] == $comment_author_id) - && !is_a_guest() - && $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)])); + + if (is_admin()) + { + return true; + } + + if ('edit' == $action and $conf['user_can_edit_comment']) + { + if ($comment_author_id == $user['id']) { + return true; + } + } + + if ('delete' == $action and $conf['user_can_delete_comment']) + { + if ($comment_author_id == $user['id']) { + return true; + } + } + + return false; } /* diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php index 35f686453..439546329 100644 --- a/include/picture_comment.inc.php +++ b/include/picture_comment.inc.php 
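Review bot: get_comment_author_id() and validate_user_comment() in include/functions_comment.inc.php concatenate `$comment_id` directly into the SQL text, so they are safe only if every caller has already validated the value, and nothing in this hunk enforces that. Let each function defend itself with a first statement such as `if (!preg_match(PATTERN_ID, $comment_id)) { fatal_error('Invalid comment identifier'); }`. validate_user_comment() also performs no permission check of its own, unlike the `is_admin()` test visible at the top of delete_user_comment(); if callers must call can_manage_comment('validate', ...) first, a docblock should say so. Neither new function has a docblock, and get_comment_author_id() should document that it returns false when `$die_on_error` is false and the id is unknown.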
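Review bot: The ownership tests in can_manage_comment() (include/functions_user.inc.php) compare `$comment_author_id` and `$user['id']` with loose `==`, and `in_array()` is called without the strict flag. get_comment_author_id() from this same commit can return `false`, so a strict comparison on string-cast values is safer: `if ((string) $comment_author_id === (string) $user['id'])`, together with `in_array($action, array('delete', 'edit', 'validate'), true)`. The edit and delete branches differ only in the config key and could share one test. The docblock should also state that 'validate' is granted to administrators only, which is what the code does.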
@@ -166,23 +166,25 @@ $validated_clause.' if (can_manage_comment('delete', $row['author_id'])) { - $tpl_comment['U_DELETE'] = - add_url_params($url_self, - array( - 'action'=>'delete_comment', - 'comment_to_delete'=>$row['id'] - ) - ); + $tpl_comment['U_DELETE'] = add_url_params( + $url_self, + array( + 'action'=>'delete_comment', + 'comment_to_delete'=>$row['id'], + 'pwg_token' => get_pwg_token(), + ) + ); } if (can_manage_comment('edit', $row['author_id'])) { - $tpl_comment['U_EDIT'] = - add_url_params($url_self, - array( - 'action'=>'edit_comment', - 'comment_to_edit'=>$row['id'] - ) - ); + $tpl_comment['U_EDIT'] = add_url_params( + $url_self, + array( + 'action'=>'edit_comment', + 'comment_to_edit'=>$row['id'], + 'pwg_token' => get_pwg_token(), + ) + ); if (isset($edit_comment) and ($row['id'] == $edit_comment)) { $tpl_comment['IN_EDIT'] = true; @@ -195,12 +197,14 @@ $validated_clause.' { if ($row['validated'] != 'true') { - $tpl_comment['U_VALIDATE'] = - add_url_params($url_self, - array('action' => 'validate_comment', - 'comment_to_validate' => $row['id'] - ) - ); + $tpl_comment['U_VALIDATE'] = add_url_params( + $url_self, + array( + 'action' => 'validate_comment', + 'comment_to_validate' => $row['id'], + 'pwg_token' => get_pwg_token(), + ) + ); } } $template->append('comments', $tpl_comment); |
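Review bot: The delete, edit and validate links built in include/picture_comment.inc.php (both hunks of this file) carry `pwg_token` in the query string, so the token ends up in browser history, server logs and Referer headers. Because get_pwg_token() derives it only from the session id and the secret key, a leaked value stays valid for the rest of the session. State-changing actions, at least delete and validate, are better submitted as POST forms with the token in a hidden field. The token is also recomputed for every link in what appears to be the per-comment loop; a single `$pwg_token = get_pwg_token();` before the loop would do. The loop itself starts outside these hunks.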