diff options
author | plegall <plg@piwigo.org> | 2009-12-17 22:47:31 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2009-12-17 22:47:31 +0000 |
commit | 2119631cd7e390cb13899f657c9bb96518cae870 (patch) | |
tree | fa9fe76cd6acd80cc12596234e27562c018906ff /include | |
parent | 587aaa02102e97f71a7dfb07ec48efc36593b924 (diff) |
bug 1328: implement check_pwg_token for emails on user comments management.
The check_pwg_token and get_pwg_token functions were moved to the public side
(for use on comments.php)
The email sent to admins on new user comment does not directly includes
validate/delete actions.
git-svn-id: http://piwigo.org/svn/branches/2.0@4508 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r-- | include/functions.inc.php | 33 | ||||
-rw-r--r-- | include/functions_comment.inc.php | 22 |
2 files changed, 40 insertions, 15 deletions
diff --git a/include/functions.inc.php b/include/functions.inc.php index dbcaf6a97..6685bba99 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -1535,4 +1535,37 @@ function check_input_parameter($param_name, $param_value, $is_array, $pattern) } } } + +/** + * check token comming from form posted or get params to prevent csrf attacks + * if pwg_token is empty action doesn't require token + * else pwg_token is compare to server token + * + * @return void access denied if token given is not equal to server token + */ +function check_pwg_token() +{ + $valid_token = get_pwg_token(); + $given_token = null; + + if (!empty($_POST['pwg_token'])) + { + $given_token = $_POST['pwg_token']; + } + elseif (!empty($_GET['pwg_token'])) + { + $given_token = $_GET['pwg_token']; + } + if ($given_token != $valid_token) + { + access_denied(); + } +} + +function get_pwg_token() +{ + global $conf; + + return hash_hmac('md5', session_id(), $conf['secret_key']); +} ?>
\ No newline at end of file diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php index c8dd6f3e0..53cf4660a 100644 --- a/include/functions_comment.inc.php +++ b/include/functions_comment.inc.php @@ -166,33 +166,25 @@ INSERT INTO '.COMMENTS_TABLE.' $comm['id'] = mysql_insert_id(); - if - ( - ($comment_action=='validate' and $conf['email_admin_on_comment']) - or - ($comment_action!='validate' and $conf['email_admin_on_comment_validation']) - ) + if ($conf['email_admin_on_comment'] + or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action)) { include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php'); - $del_url = - get_absolute_root_url().'comments.php?delete='.$comm['id']; + $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id']; $keyargs_content = array ( get_l10n_args('Author: %s', $comm['author']), get_l10n_args('Comment: %s', $comm['content']), get_l10n_args('', ''), - get_l10n_args('Delete: %s', $del_url) + get_l10n_args('Manage this user comment: %s', $comment_url) ); - if ($comment_action!='validate') + if ('moderate' == $comment_action) { - $keyargs_content[] = - get_l10n_args('', ''); - $keyargs_content[] = - get_l10n_args('Validate: %s', - get_absolute_root_url().'comments.php?validate='.$comm['id']); + $keyargs_content[] = get_l10n_args('', ''); + $keyargs_content[] = get_l10n_args('(!) This comment requires validation', ''); } pwg_mail_notification_admins |