diff options
author | plegall <plg@piwigo.org> | 2010-03-19 22:25:39 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2010-03-19 22:25:39 +0000 |
commit | c695136e4d75695178a9fc848a7cf6bfa2b9346c (patch) | |
tree | efba21de4995d7bd6b2f792e6d118a8e6e6bd405 /include | |
parent | ff7e537e2b4bceaef241096a377d12af4b917c43 (diff) |
bug 1328: backport the pwg_token on trunk
bug 1329: backport the check_input_parameter on trunk
feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring
on this feature to make the code simpler and easier to maintain (I hope).
git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include')
-rw-r--r-- | include/constants.php | 3 | ||||
-rw-r--r-- | include/functions.inc.php | 82 | ||||
-rw-r--r-- | include/functions_comment.inc.php | 55 | ||||
-rw-r--r-- | include/functions_user.inc.php | 39 | ||||
-rw-r--r-- | include/picture_comment.inc.php | 44 |
5 files changed, 185 insertions, 38 deletions
diff --git a/include/constants.php b/include/constants.php index ea5378e94..69b746474 100644 --- a/include/constants.php +++ b/include/constants.php @@ -40,6 +40,9 @@ define('ACCESS_ADMINISTRATOR', 3); define('ACCESS_WEBMASTER', 4); define('ACCESS_CLOSED', 5); +// Sanity checks +define('PATTERN_ID', '/^\d+$/'); + // Table names if (!defined('CATEGORIES_TABLE')) define('CATEGORIES_TABLE', $prefixeTable.'categories'); diff --git a/include/functions.inc.php b/include/functions.inc.php index 91738090f..092fe15a4 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -1482,4 +1482,86 @@ function get_icon($date, $is_child_date = false) return $cache['get_icon'][$date] ? $icon : array(); } + +/** + * check token comming from form posted or get params to prevent csrf attacks + * if pwg_token is empty action doesn't require token + * else pwg_token is compare to server token + * + * @return void access denied if token given is not equal to server token + */ +function check_pwg_token() +{ + $valid_token = get_pwg_token(); + $given_token = null; + + if (!empty($_POST['pwg_token'])) + { + $given_token = $_POST['pwg_token']; + } + elseif (!empty($_GET['pwg_token'])) + { + $given_token = $_GET['pwg_token']; + } + if ($given_token != $valid_token) + { + access_denied(); + } +} + +function get_pwg_token() +{ + global $conf; + + return hash_hmac('md5', session_id(), $conf['secret_key']); +} + +/* + * breaks the script execution if the given value doesn't match the given + * pattern. This should happen only during hacking attempts. + * + * @param string param_name + * @param array param_array + * @param boolean is_array + * @param string pattern + * + * @return void + */ +function check_input_parameter($param_name, $param_array, $is_array, $pattern) +{ + $param_value = null; + if (isset($param_array[$param_name])) + { + $param_value = $param_array[$param_name]; + } + + // it's ok if the input parameter is null + if (empty($param_value)) + { + return true; + } + + if ($is_array) + { + if (!is_array($param_value)) + { + fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" should be an array'); + } + + foreach ($param_value as $item_to_check) + { + if (!preg_match($pattern, $item_to_check)) + { + fatal_error('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"'); + } + } + } + else + { + if (!preg_match($pattern, $param_value)) + { + fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" is not valid'); + } + } +} ?>
\ No newline at end of file diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php index a35c8ad60..0fadeb1f2 100644 --- a/include/functions_comment.inc.php +++ b/include/functions_comment.inc.php @@ -170,28 +170,25 @@ INSERT INTO '.COMMENTS_TABLE.' $comm['id'] = pwg_db_insert_id(COMMENTS_TABLE); - if (($comment_action=='validate' and $conf['email_admin_on_comment']) or - ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])) + if ($conf['email_admin_on_comment'] + or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action)) { include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php'); - $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id']; + $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id']; $keyargs_content = array ( get_l10n_args('Author: %s', stripslashes($comm['author']) ), get_l10n_args('Comment: %s', stripslashes($comm['content']) ), get_l10n_args('', ''), - get_l10n_args('Delete: %s', $del_url) + get_l10n_args('Manage this user comment: %s', $comment_url) ); - if ($comment_action!='validate') + if ('moderate' == $comment_action) { - $keyargs_content[] = - get_l10n_args('', ''); - $keyargs_content[] = - get_l10n_args('Validate: %s', - get_absolute_root_url().'comments.php?validate='.$comm['id']); + $keyargs_content[] = get_l10n_args('', ''); + $keyargs_content[] = get_l10n_args('(!) This comment requires validation', ''); } pwg_mail_notification_admins @@ -212,7 +209,6 @@ INSERT INTO '.COMMENTS_TABLE.' * * @param comment_id */ - function delete_user_comment($comment_id) { $user_where_clause = ''; if (!is_admin()) @@ -337,4 +333,41 @@ function email_admin($action, $comment) $keyargs_content ); } + +function get_comment_author_id($comment_id, $die_on_error=true) +{ + $query = ' +SELECT + author_id + FROM '.COMMENTS_TABLE.' + WHERE id = '.$comment_id.' +;'; + $result = pwg_query($query); + if (pwg_db_num_rows($result) == 0) + { + if ($die_on_error) + { + fatal_error('Unknown comment identifier'); + } + else + { + return false; + } + } + + list($author_id) = pwg_db_fetch_row($result); + + return $author_id; +} + +function validate_user_comment($comment_id) +{ + $query = ' +UPDATE '.COMMENTS_TABLE.' + SET validated = "true" + , validation_date = NOW() + WHERE id = '.$comment_id.' +;'; + pwg_query($query); +} ?>
\ No newline at end of file diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index f3eb0b172..4488294f7 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php @@ -1246,19 +1246,44 @@ function is_adviser() } /* - * Return if current user can edit/delete a comment - * @param action edit/delete + * Return if current user can edit/delete/validate a comment + * @param action edit/delete/validate * @return bool */ function can_manage_comment($action, $comment_author_id) { - if (!in_array($action, array('delete','edit'))) { + global $user, $conf; + + if (is_a_guest()) + { + return false; + } + + if (!in_array($action, array('delete','edit', 'validate'))) + { return false; } - return (is_admin() || - (($GLOBALS['user']['id'] == $comment_author_id) - && !is_a_guest() - && $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)])); + + if (is_admin()) + { + return true; + } + + if ('edit' == $action and $conf['user_can_edit_comment']) + { + if ($comment_author_id == $user['id']) { + return true; + } + } + + if ('delete' == $action and $conf['user_can_delete_comment']) + { + if ($comment_author_id == $user['id']) { + return true; + } + } + + return false; } /* diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php index 35f686453..439546329 100644 --- a/include/picture_comment.inc.php +++ b/include/picture_comment.inc.php @@ -166,23 +166,25 @@ $validated_clause.' if (can_manage_comment('delete', $row['author_id'])) { - $tpl_comment['U_DELETE'] = - add_url_params($url_self, - array( - 'action'=>'delete_comment', - 'comment_to_delete'=>$row['id'] - ) - ); + $tpl_comment['U_DELETE'] = add_url_params( + $url_self, + array( + 'action'=>'delete_comment', + 'comment_to_delete'=>$row['id'], + 'pwg_token' => get_pwg_token(), + ) + ); } if (can_manage_comment('edit', $row['author_id'])) { - $tpl_comment['U_EDIT'] = - add_url_params($url_self, - array( - 'action'=>'edit_comment', - 'comment_to_edit'=>$row['id'] - ) - ); + $tpl_comment['U_EDIT'] = add_url_params( + $url_self, + array( + 'action'=>'edit_comment', + 'comment_to_edit'=>$row['id'], + 'pwg_token' => get_pwg_token(), + ) + ); if (isset($edit_comment) and ($row['id'] == $edit_comment)) { $tpl_comment['IN_EDIT'] = true; @@ -195,12 +197,14 @@ $validated_clause.' { if ($row['validated'] != 'true') { - $tpl_comment['U_VALIDATE'] = - add_url_params($url_self, - array('action' => 'validate_comment', - 'comment_to_validate' => $row['id'] - ) - ); + $tpl_comment['U_VALIDATE'] = add_url_params( + $url_self, + array( + 'action' => 'validate_comment', + 'comment_to_validate' => $row['id'], + 'pwg_token' => get_pwg_token(), + ) + ); } } $template->append('comments', $tpl_comment); |