author | plegall <plg@piwigo.org> | 2009-12-17 22:47:31 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2009-12-17 22:47:31 +0000 |
commit | 2119631cd7e390cb13899f657c9bb96518cae870 (patch) | |
tree | fa9fe76cd6acd80cc12596234e27562c018906ff /include/functions.inc.php | |
parent | 587aaa02102e97f71a7dfb07ec48efc36593b924 (diff) |
bug 1328: implement check_pwg_token for emails on user comments management.
The check_pwg_token and get_pwg_token functions were moved to the public side
(for use on comments.php)
The email sent to admins on new user comment does not directly include
validate/delete actions.
git-svn-id: http://piwigo.org/svn/branches/2.0@4508 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r-- | include/functions.inc.php | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/include/functions.inc.php b/include/functions.inc.php
index dbcaf6a97..6685bba99 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1535,4 +1535,37 @@ function check_input_parameter($param_name, $param_value, $is_array, $pattern)
 }
 }
 }
+
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token
+ */
+function check_pwg_token()
+{
+ $valid_token = get_pwg_token();
+ $given_token = null;
+
+ if (!empty($_POST['pwg_token']))
+ {
+ $given_token = $_POST['pwg_token'];
+ }
+ elseif (!empty($_GET['pwg_token']))
+ {
+ $given_token = $_GET['pwg_token'];
+ }
+ if ($given_token != $valid_token)
+ {
+ access_denied();
+ }
+}
+
+function get_pwg_token()
+{
+ global $conf;
+
+ return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
 ?>
\ No newline at end of file |
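Review bot: `if ($given_token != $valid_token)` in check_pwg_token compares the hex HMAC digest with loose `!=`, so PHP's numeric-string juggling can make two different strings compare equal (a digest of the form `0e` followed only by digits is `==` to `"0"`), which weakens the CSRF check; compare strictly and in constant time, `if (!is_string($given_token) || !hash_equals($valid_token, $given_token))` where the supported PHP version provides hash_equals, otherwise at least `!==`. The docblock states that an empty pwg_token means the action does not require a token, but the code leaves `$given_token` as null in that case and then calls access_denied(), so the comment contradicts the behaviour; replace that line with `* a missing or empty pwg_token is rejected like a wrong one` (and fix "comming"/"is compare"). Accepting the token from `$_GET` as well as `$_POST` is presumably intended for the links in the admin email, but a token in a URL can end up in Referer headers and server logs, which is worth a one-line comment on the elseif branch.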