authorrvelices <rv-github@modusoptimus.com>2010-10-30 11:32:11 +0000
committerrvelices <rv-github@modusoptimus.com>2010-10-30 11:32:11 +0000
commitd8ec9b9fdd6fb5a29e762ecd95d440f8942ca382 (patch)
tree97fb4e7424278f37020d6ad4951480a474dd8b8a /include/functions.inc.php
parent6f841013d93c3252ffb022594118b96aef25ea69 (diff)
feature 1915: add protection on user registration against robots
git-svn-id: http://piwigo.org/svn/trunk@7495 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include/functions.inc.php')
-rw-r--r--include/functions.inc.php42
1 files changed, 27 insertions, 15 deletions
diff --git a/include/functions.inc.php b/include/functions.inc.php
index a994fdb95..61db92ab5 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1333,25 +1333,37 @@ function secure_directory($dir)
}
/**
- * returns a "secret key" that is to be sent back when a user enters a comment
+ * returns a "secret key" that is to be sent back when a user posts a form
*
- * @param int image_id
+ * @param int valid_after_seconds - key validity start time from now
*/
-function get_comment_post_key($image_id)
+function get_ephemeral_key($valid_after_seconds, $aditionnal_data_to_hash = '')
{
- global $conf;
-
- $time = time();
+ global $conf;
+ $time = round(microtime(true), 1);
+ return $time.':'.$valid_after_seconds.':'
+ .hash_hmac(
+ 'md5',
+ $time.substr($_SERVER['REMOTE_ADDR'],0,5).$valid_after_seconds.$aditionnal_data_to_hash,
+ $conf['secret_key']);
+}
- return sprintf(
- '%s:%s',
- $time,
- hash_hmac(
- 'md5',
- $time.':'.$image_id,
- $conf['secret_key']
- )
- );
+function verify_ephemeral_key($key, $aditionnal_data_to_hash = '')
+{
+ global $conf;
+ $time = microtime(true);
+ $key = explode( ':', @$key );
+ if ( count($key)!=3
+ or $key[0]>$time-(float)$key[1] // page must have been retrieved more than X sec ago
+ or $key[0]<$time-3600 // 60 minutes expiration
+ or hash_hmac(
+ 'md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key']
+ ) != $key[2]
+ )
+ {
+ return false;
+ }
+ return true;
}
/**
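Review bot: The digest check `) != $key[2]` in verify_ephemeral_key is a loose comparison, so two hex digests that PHP treats as numeric strings (for example both of the form `0e` followed only by digits) compare equal although they differ, and the string compare also leaks timing; change it to `) !== $key[2]`, or to `!hash_equals($expected, $key[2])` on PHP versions that provide it. Less critically, verify_ephemeral_key trusts the `valid_after_seconds` carried inside the (signed) key and never takes the delay the caller expects, so a key minted with a short delay for one form appears to validate for another unless callers pass a distinguishing `$aditionnal_data_to_hash`; that contract deserves a docblock on verify_ephemeral_key, which currently has none. The second parameter of get_ephemeral_key is likewise undocumented in its docblock and its name is misspelled; `@param string additional_data_to_hash - extra caller-specific data bound into the HMAC` would cover it, and the parameter can be renamed without breaking positional callers.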