aboutsummaryrefslogtreecommitdiffstats
path: root/include/functions.inc.php
diff options
context:
space:
mode:
authorplegall <plg@piwigo.org>2009-12-17 22:47:31 +0000
committerplegall <plg@piwigo.org>2009-12-17 22:47:31 +0000
commit2119631cd7e390cb13899f657c9bb96518cae870 (patch)
treefa9fe76cd6acd80cc12596234e27562c018906ff /include/functions.inc.php
parent587aaa02102e97f71a7dfb07ec48efc36593b924 (diff)
bug 1328: implement check_pwg_token for emails on user comments management.
The check_pwg_token and get_pwg_token functions were moved to the public side (for use on comments.php) The email sent to admins on new user comment does not directly includes validate/delete actions. git-svn-id: http://piwigo.org/svn/branches/2.0@4508 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include/functions.inc.php')
-rw-r--r--include/functions.inc.php33
1 files changed, 33 insertions, 0 deletions
diff --git a/include/functions.inc.php b/include/functions.inc.php
index dbcaf6a97..6685bba99 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1535,4 +1535,37 @@ function check_input_parameter($param_name, $param_value, $is_array, $pattern)
}
}
}
+
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token
+ */
+function check_pwg_token()
+{
+ $valid_token = get_pwg_token();
+ $given_token = null;
+
+ if (!empty($_POST['pwg_token']))
+ {
+ $given_token = $_POST['pwg_token'];
+ }
+ elseif (!empty($_GET['pwg_token']))
+ {
+ $given_token = $_GET['pwg_token'];
+ }
+ if ($given_token != $valid_token)
+ {
+ access_denied();
+ }
+}
+
+function get_pwg_token()
+{
+ global $conf;
+
+ return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
?> \ No newline at end of file