From d8ec9b9fdd6fb5a29e762ecd95d440f8942ca382 Mon Sep 17 00:00:00 2001
From: rvelices <rv-github@modusoptimus.com>
Date: Sat, 30 Oct 2010 11:32:11 +0000
Subject: feature 1915: add protection on user registration against robots

git-svn-id: http://piwigo.org/svn/trunk@7495 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 comments.php                         |  2 +-
 include/functions.inc.php            | 42 +++++++++++++++++++++++-------------
 include/functions_comment.inc.php    | 17 ++-------------
 include/picture_comment.inc.php      |  4 ++--
 include/ws_functions.inc.php         |  2 +-
 register.php                         | 23 ++++++++++++++------
 themes/default/template/register.tpl |  1 +
 7 files changed, 51 insertions(+), 40 deletions(-)

diff --git a/comments.php b/comments.php
index 78f3d011d..25a0084bc 100644
--- a/comments.php
+++ b/comments.php
@@ -504,7 +504,7 @@ SELECT c.id, name, permalink, uppercats, com.id as comment_id
       if (isset($edit_comment) and ($comment['comment_id'] == $edit_comment))
       {
 	$tpl_comment['IN_EDIT'] = true;
-	$key = get_comment_post_key($comment['image_id']);
+	$key = get_ephemeral_key(2, $comment['image_id']);
 	$tpl_comment['KEY'] = $key;
 	$tpl_comment['IMAGE_ID'] = $comment['image_id'];
 	$tpl_comment['CONTENT'] = $comment['content'];
diff --git a/include/functions.inc.php b/include/functions.inc.php
index a994fdb95..61db92ab5 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1333,25 +1333,37 @@ function secure_directory($dir)
 }
 
 /**
- * returns a "secret key" that is to be sent back when a user enters a comment
+ * returns a "secret key" that is to be sent back when a user posts a form
  *
- * @param int image_id
+ * @param int valid_after_seconds - key validity start time from now
  */
-function get_comment_post_key($image_id)
+function get_ephemeral_key($valid_after_seconds, $aditionnal_data_to_hash = '')
 {
-  global $conf;
-
-  $time = time();
+	global $conf;
+	$time = round(microtime(true), 1);
+	return $time.':'.$valid_after_seconds.':'
+		.hash_hmac(
+			'md5', 
+			$time.substr($_SERVER['REMOTE_ADDR'],0,5).$valid_after_seconds.$aditionnal_data_to_hash, 
+			$conf['secret_key']);
+}
 
-  return sprintf(
-    '%s:%s',
-    $time,
-    hash_hmac(
-      'md5',
-      $time.':'.$image_id,
-      $conf['secret_key']
-      )
-    );
+function verify_ephemeral_key($key, $aditionnal_data_to_hash = '')
+{
+	global $conf;
+	$time = microtime(true);
+	$key = explode( ':', @$key );
+	if ( count($key)!=3
+		or $key[0]>$time-(float)$key[1] // page must have been retrieved more than X sec ago
+		or $key[0]<$time-3600 // 60 minutes expiration
+		or hash_hmac(
+			  'md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key']
+			) != $key[2]
+	  )
+	{
+		return false;
+	}
+	return true;
 }
 
 /**
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php
index 7f2fd9257..d5b403b8e 100644
--- a/include/functions_comment.inc.php
+++ b/include/functions_comment.inc.php
@@ -119,14 +119,7 @@ SELECT COUNT(*) AS user_exists
     $comment_action='reject';
   }
 
-  $key = explode( ':', @$key );
-  if ( count($key)!=2
-        or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
-        or $key[0]<time()-3600 // 60 minutes expiration
-        or hash_hmac(
-              'md5', $key[0].':'.$comm['image_id'], $conf['secret_key']
-            ) != $key[1]
-      )
+  if ( !verify_ephemeral_key(@$key, $comm['image_id']) )
   {
     $comment_action='reject';
   }
@@ -248,13 +241,7 @@ function update_user_comment($comment, $post_key)
 
   $comment_action = 'validate';
 
-  $key = explode( ':', $post_key );
-  if ( count($key)!=2
-       or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
-       or $key[0]<time()-3600 // 60 minutes expiration
-       or hash_hmac('md5', $key[0].':'.$comment['image_id'], $conf['secret_key']
-		    ) != $key[1]
-       )
+  if ( !verify_ephemeral_key($post_key, $comment['image_id']) )
   {
     $comment_action='reject';
   }
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
index cc4970a34..adf928bbb 100644
--- a/include/picture_comment.inc.php
+++ b/include/picture_comment.inc.php
@@ -198,7 +198,7 @@ SELECT
 	if (isset($edit_comment) and ($row['id'] == $edit_comment))
 	{
 	  $tpl_comment['IN_EDIT'] = true;
-	  $key = get_comment_post_key($page['image_id']);
+	  $key = get_comment_post_key(2, $page['image_id']);
 	  $tpl_comment['KEY'] = $key;
 	  $tpl_comment['CONTENT'] = $row['content'];
 	}
@@ -233,7 +233,7 @@ SELECT
 
   if ($show_add_comment_form)
   {
-    $key = get_comment_post_key($page['image_id']);
+    $key = get_ephemeral_key(3, $page['image_id']);
     $content = '';
     if ('reject'===@$comment_action)
     {
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php
index ec9227d49..3cc0fc3a3 100644
--- a/include/ws_functions.inc.php
+++ b/include/ws_functions.inc.php
@@ -725,7 +725,7 @@ SELECT id, date, author, content
       )
   {
     $comment_post_data['author'] = stripslashes($user['username']);
-    $comment_post_data['key'] = get_comment_post_key($params['image_id']);
+    $comment_post_data['key'] = get_ephemeral_key(2, $params['image_id']);
   }
 
   $ret = $image_row;
diff --git a/register.php b/register.php
index 98e76d916..81fd85c78 100644
--- a/register.php
+++ b/register.php
@@ -40,13 +40,19 @@ if (!$conf['allow_user_registration'])
 $errors = array();
 if (isset($_POST['submit']))
 {
+  if (!verify_ephemeral_key(@$_POST['key']))
+  {
+		set_status_header(403);
+    array_push($errors, 'Invalid/expired form key');
+  }
+
   if ($_POST['password'] != $_POST['password_conf'])
   {
     array_push($errors, l10n('please enter your password again'));
   }
 
   $errors =
-      register_user(htmlspecialchars($_POST['login'],ENT_COMPAT,'utf-8'),
+      register_user($_POST['login'],
                     $_POST['password'],
                     $_POST['mail_address'],
                     true,
@@ -58,10 +64,15 @@ if (isset($_POST['submit']))
     log_user($user_id, false);
     redirect(make_index_url());
   }
+	$registration_post_key = get_ephemeral_key(2);
+}
+else
+{
+	$registration_post_key = get_ephemeral_key(6);
 }
 
-$login = !empty($_POST['login'])?$_POST['login']:'';
-$email = !empty($_POST['mail_address'])?$_POST['mail_address']:'';
+$login = !empty($_POST['login'])?htmlspecialchars(stripslashes($_POST['login'])):'';
+$email = !empty($_POST['mail_address'])?htmlspecialchars(stripslashes($_POST['mail_address'])):'';
 
 //----------------------------------------------------- template initialization
 //
@@ -74,10 +85,10 @@ include(PHPWG_ROOT_PATH.'include/page_header.php');
 $template->set_filenames( array('register'=>'register.tpl') );
 $template->assign(array(
   'U_HOME' => make_index_url(),
-
+	'F_KEY' => $registration_post_key,
   'F_ACTION' => 'register.php',
-  'F_LOGIN' => htmlspecialchars($login, ENT_QUOTES, 'utf-8'),
-  'F_EMAIL' => htmlspecialchars($email, ENT_QUOTES, 'utf-8')
+  'F_LOGIN' => $login,
+  'F_EMAIL' => $email
   ));
 
 //-------------------------------------------------------------- errors display
diff --git a/themes/default/template/register.tpl b/themes/default/template/register.tpl
index 6eb32251a..4d97be09d 100644
--- a/themes/default/template/register.tpl
+++ b/themes/default/template/register.tpl
@@ -54,6 +54,7 @@
   </fieldset>
 
   <p class="bottomButtons">
+		<input type="hidden" name="key" value="{$F_KEY}" >
     <input class="submit" type="submit" name="submit" value="{'Register'|@translate}">
     <input class="submit" type="reset" value="{'Reset'|@translate}">
   </p>
-- 
cgit v1.2.3