diff options
Diffstat (limited to 'include/functions.inc.php')
-rw-r--r-- | include/functions.inc.php | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/include/functions.inc.php b/include/functions.inc.php index 91738090f..092fe15a4 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -1482,4 +1482,86 @@ function get_icon($date, $is_child_date = false) return $cache['get_icon'][$date] ? $icon : array(); } + +/** + * check token comming from form posted or get params to prevent csrf attacks + * if pwg_token is empty action doesn't require token + * else pwg_token is compare to server token + * + * @return void access denied if token given is not equal to server token + */ +function check_pwg_token() +{ + $valid_token = get_pwg_token(); + $given_token = null; + + if (!empty($_POST['pwg_token'])) + { + $given_token = $_POST['pwg_token']; + } + elseif (!empty($_GET['pwg_token'])) + { + $given_token = $_GET['pwg_token']; + } + if ($given_token != $valid_token) + { + access_denied(); + } +} + +function get_pwg_token() +{ + global $conf; + + return hash_hmac('md5', session_id(), $conf['secret_key']); +} + +/* + * breaks the script execution if the given value doesn't match the given + * pattern. This should happen only during hacking attempts. + * + * @param string param_name + * @param array param_array + * @param boolean is_array + * @param string pattern + * + * @return void + */ +function check_input_parameter($param_name, $param_array, $is_array, $pattern) +{ + $param_value = null; + if (isset($param_array[$param_name])) + { + $param_value = $param_array[$param_name]; + } + + // it's ok if the input parameter is null + if (empty($param_value)) + { + return true; + } + + if ($is_array) + { + if (!is_array($param_value)) + { + fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" should be an array'); + } + + foreach ($param_value as $item_to_check) + { + if (!preg_match($pattern, $item_to_check)) + { + fatal_error('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"'); + } + } + } + else + { + if (!preg_match($pattern, $param_value)) + { + fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" is not valid'); + } + } +} ?>
\ No newline at end of file |