bug 1328: backport the pwg_token on trunk
bug 1329: backport the check_input_parameter on trunk feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring on this feature to make the code simpler and easier to maintain (I hope). git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
plegall
parent
ff7e537e2b
commit
c695136e4d
26 changed files with 433 additions and 170 deletions
|
|
@ -23,34 +23,6 @@
|
|||
|
||||
include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
|
||||
|
||||
/**
|
||||
* check token comming from form posted or get params to prevent csrf attacks
|
||||
* if pwg_token is empty action doesn't require token
|
||||
* else pwg_token is compare to server token
|
||||
*
|
||||
* @return void access denied if token given is not equal to server token
|
||||
*/
|
||||
function check_token()
|
||||
{
|
||||
global $conf;
|
||||
|
||||
$valid_token = hash_hmac('md5', session_id(), $conf['secret_key']);
|
||||
$given_token = null;
|
||||
|
||||
if (!empty($_POST['pwg_token']))
|
||||
{
|
||||
$given_token = $_POST['pwg_token'];
|
||||
}
|
||||
elseif (!empty($_GET['pwg_token']))
|
||||
{
|
||||
$given_token = $_GET['pwg_token'];
|
||||
}
|
||||
if ($given_token != $valid_token)
|
||||
{
|
||||
access_denied();
|
||||
}
|
||||
}
|
||||
|
||||
// The function delete_site deletes a site and call the function
|
||||
// delete_categories for each primary category of the site
|
||||
function delete_site( $id )
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue