bug 1328: backport the pwg_token on trunk

bug 1329: backport the check_input_parameter on trunk

feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring
on this feature to make the code simpler and easier to maintain (I hope).

git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee

2 files changed, 1 insertions, 29 deletions

diff --git a/admin/include/functions.php b/admin/include/functions.php
index c7b8bf5f1..e3522702f 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
@@ -23,34 +23,6 @@
 
 include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
 
-/**
- * check token comming from form posted or get params to prevent csrf attacks
- * if pwg_token is empty action doesn't require token
- * else pwg_token is compare to server token
- *
- * @return void access denied if token given is not equal to server token 
- */
-function check_token()
-{
-  global $conf;
-
-  $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']);
-  $given_token = null;
-
-  if (!empty($_POST['pwg_token']))
-  {
-    $given_token = $_POST['pwg_token'];
-  }
-  elseif (!empty($_GET['pwg_token']))
-  {
-    $given_token = $_GET['pwg_token'];
-  }
-  if ($given_token != $valid_token)
-  {
-    access_denied();    
-  }
-}
-
 // The function delete_site deletes a site and call the function
 // delete_categories for each primary category of the site
 function delete_site( $id )
diff --git a/admin/include/uploadify/uploadify.php b/admin/include/uploadify/uploadify.php
index eddcc12b0..306b492da 100644
--- a/admin/include/uploadify/uploadify.php
+++ b/admin/include/uploadify/uploadify.php
@@ -8,7 +8,7 @@ include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 include_once(PHPWG_ROOT_PATH.'admin/include/functions_upload.inc.php');
 
-// check_pwg_token();
+check_pwg_token();
 
 ob_start();
 print_r($_FILES);