diff options
Diffstat (limited to 'include/functions.inc.php')
-rw-r--r-- | include/functions.inc.php | 42 |
1 files changed, 27 insertions, 15 deletions
diff --git a/include/functions.inc.php b/include/functions.inc.php index a994fdb95..61db92ab5 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -1333,25 +1333,37 @@ function secure_directory($dir) } /** - * returns a "secret key" that is to be sent back when a user enters a comment + * returns a "secret key" that is to be sent back when a user posts a form * - * @param int image_id + * @param int valid_after_seconds - key validity start time from now */ -function get_comment_post_key($image_id) +function get_ephemeral_key($valid_after_seconds, $aditionnal_data_to_hash = '') { - global $conf; - - $time = time(); + global $conf; + $time = round(microtime(true), 1); + return $time.':'.$valid_after_seconds.':' + .hash_hmac( + 'md5', + $time.substr($_SERVER['REMOTE_ADDR'],0,5).$valid_after_seconds.$aditionnal_data_to_hash, + $conf['secret_key']); +} - return sprintf( - '%s:%s', - $time, - hash_hmac( - 'md5', - $time.':'.$image_id, - $conf['secret_key'] - ) - ); +function verify_ephemeral_key($key, $aditionnal_data_to_hash = '') +{ + global $conf; + $time = microtime(true); + $key = explode( ':', @$key ); + if ( count($key)!=3 + or $key[0]>$time-(float)$key[1] // page must have been retrieved more than X sec ago + or $key[0]<$time-3600 // 60 minutes expiration + or hash_hmac( + 'md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key'] + ) != $key[2] + ) + { + return false; + } + return true; } /** |