aboutsummaryrefslogtreecommitdiffstats
path: root/include/picture_comment.inc.php
diff options
context:
space:
mode:
authorrvelices <rv-github@modusoptimus.com>2007-01-23 01:22:52 +0000
committerrvelices <rv-github@modusoptimus.com>2007-01-23 01:22:52 +0000
commite90aaffbd551a2e80b67cb67362519b16ee61203 (patch)
tree1f449b20b66d1321860db9762b126ed8d48068dc /include/picture_comment.inc.php
parent767064c9fe94e28acb77a1123c2853281d13f2d1 (diff)
- revert feature 564: log the login of each user; but add the possibility to be
done by a plugin - create a "standard" way to define PHP functions that we use but might not be available in the current php version - when a comment is rejected (spam, anti-flood etc), put the content back to the browser in case there is a real user behind it - now a comment can be entered only if the page was retrieved between 2 seconds ago and 1 hour ago git-svn-id: http://piwigo.org/svn/trunk@1744 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r--include/picture_comment.inc.php38
1 files changed, 10 insertions, 28 deletions
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
index fbbe80d50..faf1d9d7d 100644
--- a/include/picture_comment.inc.php
+++ b/include/picture_comment.inc.php
@@ -30,32 +30,6 @@
*
*/
-if (!function_exists('hash_hmac'))
-{
-function hash_hmac($algo, $data, $key, $raw_output=false)
-{
- /* md5 and sha1 only */
- $algo=strtolower($algo);
- $p=array('md5'=>'H32','sha1'=>'H40');
- if ( !isset($p[$algo]) or !function_exists($algo) )
- {
- $algo = 'md5';
- }
- if(strlen($key)>64) $key=pack($p[$algo],$algo($key));
- if(strlen($key)<64) $key=str_pad($key,64,chr(0));
-
- $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64);
- $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64);
-
- $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data)));
- if ($raw_output)
- {
- $ret = pack('H*', $ret);
- }
- return $ret;
-}
-}
-
//returns string action to perform on a new comment: validate, moderate, reject
function user_comment_check($action, $comment, $picture)
{
@@ -166,7 +140,8 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) )
$key = explode(':', @$_POST['key']);
if ( count($key)!=2
- or $key[0]>time() or $key[0]<time()-1800 // 30 minutes expiration
+ or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
+ or $key[0]<time()-3600 // 60 minutes expiration
or hash_hmac('md5', $key[0], $conf['secret_key'])!=$key[1]
)
{
@@ -257,6 +232,7 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) )
}
else
{
+ set_status_header(403);
$template->assign_block_vars('information',
array('INFORMATION'=>l10n('comment_not_added') )
);
@@ -354,9 +330,15 @@ SELECT id,author,date,image_id,content
{
$key = time();
$key .= ':'.hash_hmac('md5', $key, $conf['secret_key']);
+ $content = '';
+ if ('reject'===@$comment_action)
+ {
+ $content = htmlspecialchars($comm['content']);
+ }
$template->assign_block_vars('comments.add_comment',
array(
- 'key' => $key
+ 'KEY' => $key,
+ 'CONTENT' => $content
));
// display author field if the user is not logged in
if ($user['is_the_guest'])