diff options
| author | plegall <plg@piwigo.org> | 2009-12-19 21:46:19 +0000 |
|---|---|---|
| committer | plegall <plg@piwigo.org> | 2009-12-19 21:46:19 +0000 |
| commit | aa42c1556ddd72b6c8daf944febe406406278385 (patch) | |
| tree | 3e0f735be710a0ad844e755ee073cd4144727f61 /include/functions.inc.php | |
| parent | 86d300541b8dc1a5d25d7a34134608c02245a218 (diff) | |
| parent | 4a272ac9504d9fe7b98df5d33d5534b314dc0527 (diff) | |
Create release 2.0.7 from branch 2.0 r4533
git-svn-id: http://piwigo.org/svn/tags/2.0.7@4534 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include/functions.inc.php')
| -rw-r--r-- | include/functions.inc.php | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/include/functions.inc.php b/include/functions.inc.php index 273d63776..6685bba99 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -1492,4 +1492,80 @@ function get_comment_post_key($image_id) ) ); } + +/* + * breaks the script execution if the given value doesn't match the given + * pattern. This should happen only during hacking attempts. + * + * @param string param_name + * @param mixed param_value + * @param boolean is_array + * @param string pattern + * + * @return void + */ +function check_input_parameter($param_name, $param_value, $is_array, $pattern) +{ + // it's ok if the input parameter is null + if (empty($param_value)) + { + return true; + } + + if ($is_array) + { + if (!is_array($param_value)) + { + die('[Hacking attempt] the input parameter "'.$param_name.'" should be an array'); + } + + foreach ($param_value as $item_to_check) + { + if (!preg_match($pattern, $item_to_check)) + { + die('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"'); + } + } + } + else + { + if (!preg_match($pattern, $param_value)) + { + die('[Hacking attempt] the input parameter "'.$param_name.'" is not valid'); + } + } +} + +/** + * check token comming from form posted or get params to prevent csrf attacks + * if pwg_token is empty action doesn't require token + * else pwg_token is compare to server token + * + * @return void access denied if token given is not equal to server token + */ +function check_pwg_token() +{ + $valid_token = get_pwg_token(); + $given_token = null; + + if (!empty($_POST['pwg_token'])) + { + $given_token = $_POST['pwg_token']; + } + elseif (!empty($_GET['pwg_token'])) + { + $given_token = $_GET['pwg_token']; + } + if ($given_token != $valid_token) + { + access_denied(); + } +} + +function get_pwg_token() +{ + global $conf; + + return hash_hmac('md5', session_id(), $conf['secret_key']); +} ?>
\ No newline at end of file |