From d8ec9b9fdd6fb5a29e762ecd95d440f8942ca382 Mon Sep 17 00:00:00 2001
From: rvelices
Date: Sat, 30 Oct 2010 11:32:11 +0000
Subject: feature 1915: add protection on user registration against robots

git-svn-id: http://piwigo.org/svn/trunk@7495 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 register.php | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

(limited to 'register.php')

diff --git a/register.php b/register.php
index 98e76d916..81fd85c78 100644
--- a/register.php
+++ b/register.php
@@ -40,13 +40,19 @@ if (!$conf['allow_user_registration'])
 $errors = array();
 if (isset($_POST['submit']))
 {
+ if (!verify_ephemeral_key(@$_POST['key']))
+ {
+ set_status_header(403);
+ array_push($errors, 'Invalid/expired form key');
+ }
+
 if ($_POST['password'] != $_POST['password_conf'])
 {
 array_push($errors, l10n('please enter your password again'));
 }
 $errors =
- register_user(htmlspecialchars($_POST['login'],ENT_COMPAT,'utf-8'),
+ register_user($_POST['login'],
 $_POST['password'],
 $_POST['mail_address'],
 true,
@@ -58,10 +64,15 @@ if (isset($_POST['submit']))
 log_user($user_id, false);
 redirect(make_index_url());
 }
+ $registration_post_key = get_ephemeral_key(2);
+}
+else
+{
+ $registration_post_key = get_ephemeral_key(6);
 }
 
-$login = !empty($_POST['login'])?$_POST['login']:'';
-$email = !empty($_POST['mail_address'])?$_POST['mail_address']:'';
+$login = !empty($_POST['login'])?htmlspecialchars(stripslashes($_POST['login'])):'';
+$email = !empty($_POST['mail_address'])?htmlspecialchars(stripslashes($_POST['mail_address'])):'';
 
 //----------------------------------------------------- template initialization
 //
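Review bot: A failed `verify_ephemeral_key()` only sets a 403 status and appends to `$errors`; control still falls through to the `register_user(...)` call a few lines below, so whether a robot's submission is really refused depends on register_user honouring a non-empty error list passed in its trailing arguments, which lie past the end of this hunk. I would make the refusal explicit at the check rather than rely on the callee's contract: wrap the password comparison and the call in `if (empty($errors)) { ... }`, or return/exit right after `set_status_header(403);`. Two smaller points in the same block: the new message is not passed through `l10n()` while the adjacent one is, so `array_push($errors, l10n('Invalid/expired form key'));` would be consistent, and `@$_POST['key']` is better written `isset($_POST['key']) ? $_POST['key'] : ''` so the `@` does not hide unrelated notices. The enclosing `if (isset($_POST['submit']))` block continues beyond this hunk.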
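Review bot: The new `$login` and `$email` lines escape with bare `htmlspecialchars()`, while the escaping they replace (dropped from the template assignment further down in this commit) used `ENT_QUOTES, 'utf-8'`; with the default flags a single quote is left untouched, so if the template puts these values inside single-quoted attributes a login such as `' onfocus='...` breaks out of the attribute, and on PHP before 5.4 the default charset is ISO-8859-1 rather than the UTF-8 the old call declared. I would keep the stronger form: `$login = !empty($_POST['login'])?htmlspecialchars(stripslashes($_POST['login']), ENT_QUOTES, 'utf-8'):'';` and the same for `$email`. Separately, the unconditional `stripslashes()` assumes magic_quotes_gpc is on; if the request is not slash-escaped it silently eats legitimate backslashes, so it should presumably be guarded by `get_magic_quotes_gpc()` unless the bootstrap already normalises `$_POST`, which I cannot see from here.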
@@ -74,10 +85,10 @@ include(PHPWG_ROOT_PATH.'include/page_header.php');
 $template->set_filenames( array('register'=>'register.tpl') );
 $template->assign(array(
 'U_HOME' => make_index_url(),
-
+ 'F_KEY' => $registration_post_key,
 'F_ACTION' => 'register.php',
- 'F_LOGIN' => htmlspecialchars($login, ENT_QUOTES, 'utf-8'),
- 'F_EMAIL' => htmlspecialchars($email, ENT_QUOTES, 'utf-8')
+ 'F_LOGIN' => $login,
+ 'F_EMAIL' => $email
 ));
 
 //-------------------------------------------------------------- errors display
--
cgit v1.2.3
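Review bot: `F_LOGIN` and `F_EMAIL` now receive `$login`/`$email` that were already HTML-escaped where they are set from `$_POST` earlier in this commit, but nothing at this assignment records that, so a later reader is likely either to re-add `htmlspecialchars()` here (double-encoding `&` in an address) or to remove it at the source believing the template escapes. I would add a comment on these two lines: `// $login / $email are already HTML-escaped where they are built from $_POST`. `F_KEY` is passed unescaped; it comes from `get_ephemeral_key()` and is presumably server-generated, but it is worth confirming the template emits it in an attribute with the same care as the other values.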