Diffstat (limited to 'include')
-rw-r--r-- | include/constants.php | 3 | ||||
-rw-r--r-- | include/functions.inc.php | 76 | ||||
-rw-r--r-- | include/functions_comment.inc.php | 22 | ||||
-rw-r--r-- | include/picture_comment.inc.php | 3 | ||||
-rw-r--r-- | include/ws_functions.inc.php | 66 |
5 files changed, 131 insertions, 39 deletions
diff --git a/include/constants.php b/include/constants.php
index 99a4816e7..2c828702a 100644
--- a/include/constants.php
+++ b/include/constants.php
@@ -38,6 +38,9 @@ define('ACCESS_ADMINISTRATOR', 3);
 define('ACCESS_WEBMASTER', 4);
 define('ACCESS_CLOSED', 5);
 
+// Sanity checks
+define('PATTERN_ID', '/^\d+$/');
+
 // Table names
 if (!defined('CATEGORIES_TABLE'))
 define('CATEGORIES_TABLE', $prefixeTable.'categories');
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 273d63776..6685bba99 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
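Review bot: `PATTERN_ID` is anchored with `$`, which in PCRE also matches just before a trailing newline, so a value such as `"12\n"` satisfies the check even though it is not a plain integer; since the constant is introduced as a sanity gate for ids, anchor it with the D modifier or `\z`: `define('PATTERN_ID', '/^\d+$/D');`. The callers that pass this pattern to `check_input_parameter()` are not part of this diff, so whether a trailing newline could reach a query or a file path from here is not visible.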
@@ -1492,4 +1492,80 @@ function get_comment_post_key($image_id) ) ); } + +/* + * breaks the script execution if the given value doesn't match the given + * pattern. This should happen only during hacking attempts. + * + * @param string param_name + * @param mixed param_value + * @param boolean is_array + * @param string pattern + * + * @return void + */ +function check_input_parameter($param_name, $param_value, $is_array, $pattern) +{ + // it's ok if the input parameter is null + if (empty($param_value)) + { + return true; + } + + if ($is_array) + { + if (!is_array($param_value)) + { + die('[Hacking attempt] the input parameter "'.$param_name.'" should be an array'); + } + + foreach ($param_value as $item_to_check) + { + if (!preg_match($pattern, $item_to_check)) + { + die('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"'); + } + } + } + else + { + if (!preg_match($pattern, $param_value)) + { + die('[Hacking attempt] the input parameter "'.$param_name.'" is not valid'); + } + } +} + +/** + * check token comming from form posted or get params to prevent csrf attacks + * if pwg_token is empty action doesn't require token + * else pwg_token is compare to server token + * + * @return void access denied if token given is not equal to server token + */ +function check_pwg_token() +{ + $valid_token = get_pwg_token(); + $given_token = null; + + if (!empty($_POST['pwg_token'])) + { + $given_token = $_POST['pwg_token']; + } + elseif (!empty($_GET['pwg_token'])) + { + $given_token = $_GET['pwg_token']; + } + if ($given_token != $valid_token) + { + access_denied(); + } +} + +function get_pwg_token() +{ + global $conf; + + return hash_hmac('md5', session_id(), $conf['secret_key']); +} ?>
\ No newline at end of file diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php index c8dd6f3e0..53cf4660a 100644 --- a/include/functions_comment.inc.php +++ b/include/functions_comment.inc.php @@ -166,33 +166,25 @@ INSERT INTO '.COMMENTS_TABLE.' $comm['id'] = mysql_insert_id(); - if - ( - ($comment_action=='validate' and $conf['email_admin_on_comment']) - or - ($comment_action!='validate' and $conf['email_admin_on_comment_validation']) - ) + if ($conf['email_admin_on_comment'] + or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action)) { include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php'); - $del_url = - get_absolute_root_url().'comments.php?delete='.$comm['id']; + $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id']; $keyargs_content = array ( get_l10n_args('Author: %s', $comm['author']), get_l10n_args('Comment: %s', $comm['content']), get_l10n_args('', ''), - get_l10n_args('Delete: %s', $del_url) + get_l10n_args('Manage this user comment: %s', $comment_url) ); - if ($comment_action!='validate') + if ('moderate' == $comment_action) { - $keyargs_content[] = - get_l10n_args('', ''); - $keyargs_content[] = - get_l10n_args('Validate: %s', - get_absolute_root_url().'comments.php?validate='.$comm['id']); + $keyargs_content[] = get_l10n_args('', ''); + $keyargs_content[] = get_l10n_args('(!) This comment requires validation', ''); } pwg_mail_notification_admins diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php index 73b245b6b..af14cb050 100644 --- a/include/picture_comment.inc.php +++ b/include/picture_comment.inc.php @@ -149,7 +149,8 @@ SELECT id,author,date,image_id,content $url_self, array( 'action'=>'delete_comment', - 'comment_to_delete'=>$row['id'] + 'comment_to_delete'=>$row['id'], + 'pwg_token'=>get_pwg_token(), ) ); } diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php index 7b25a045f..6e13af641 100644 
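Review bot: `check_pwg_token()` compares the submitted token with the server token using `!=`, a loose, non-constant-time comparison; for two hex strings this is mostly harmless, but the intent is a secret comparison, so use `if (!hash_equals($valid_token, (string) $given_token))` where `hash_equals` is available, and at least `!==` otherwise. The docblock states that an empty `pwg_token` means the action does not require a token, but the code leaves `$given_token` as null and then calls `access_denied()`, so a missing token is in fact rejected; the comment should say that, e.g. `a missing or empty token is rejected (fail closed)`. In `check_input_parameter()`, the early `empty()` check means the string `"0"` bypasses the pattern entirely and that path returns `true` while the success path returns nothing, which contradicts the `@return void` in the docblock; either drop the early return value or end the function with `return true;`.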
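Review bot: The CSRF token is now placed in a GET link (`'pwg_token'=>get_pwg_token()` added to the `delete_comment` URL), so the token ends up in browser history, server access logs and the Referer header of any outbound link on the resulting page, which weakens its protection for every other token-checked action in the same session. Because `get_pwg_token()` derives the token from the session id, it stays the same for the whole session, so a leaked copy is reusable; a small POST form with a hidden `pwg_token` field for the delete action avoids both the leak and the state change on GET. The enclosing loop and the handler that reads `comment_to_delete` are outside this hunk, so whether that handler calls `check_pwg_token()` cannot be confirmed here.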
--- a/include/ws_functions.inc.php +++ b/include/ws_functions.inc.php @@ -855,6 +855,10 @@ function ws_images_setPrivacyLevel($params, &$service) { return new PwgError(401, 'Access denied'); } + if (!$service->isPost()) + { + return new PwgError(405, "This method requires HTTP POST"); + } $params['image_id'] = array_map( 'intval',$params['image_id'] ); if ( empty($params['image_id']) ) { @@ -865,6 +869,7 @@ function ws_images_setPrivacyLevel($params, &$service) { return new PwgError(WS_ERR_INVALID_PARAM, "Invalid level"); } + $query = ' UPDATE '.IMAGES_TABLE.' SET level='.(int)$params['level'].' @@ -885,12 +890,17 @@ function ws_images_add_chunk($params, &$service) // original_sum // type {thumb, file, high} // position - + if (!is_admin() || is_adviser() ) { return new PwgError(401, 'Access denied'); } + if (!$service->isPost()) + { + return new PwgError(405, "This method requires HTTP POST"); + } + $upload_dir = PHPWG_ROOT_PATH.'upload/buffer'; // create the upload directory tree if not exists @@ -945,18 +955,18 @@ function merge_chunks($output_filepath, $original_sum, $type) if (is_file($output_filepath)) { unlink($output_filepath); - + if (is_file($output_filepath)) { new PwgError(500, '[merge_chunks] error while trying to remove existing '.$output_filepath); exit(); } } - + $upload_dir = PHPWG_ROOT_PATH.'upload/buffer'; $pattern = '/'.$original_sum.'-'.$type.'/'; $chunks = array(); - + if ($handle = opendir($upload_dir)) { while (false !== ($file = readdir($handle))) @@ -977,21 +987,21 @@ function merge_chunks($output_filepath, $original_sum, $type) } $i = 0; - + foreach ($chunks as $chunk) { $string = file_get_contents($chunk); - + if (function_exists('memory_get_usage')) { ws_logfile('[merge_chunks] memory_get_usage on chunk '.++$i.': '.memory_get_usage()); } - + if (!file_put_contents($output_filepath, $string, FILE_APPEND)) { new PwgError(500, '[merge_chunks] error while writting chunks for '.$output_filepath); exit(); } - + unlink($chunk); } 
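Review bot: The new `isPost()` gate in `ws_images_setPrivacyLevel` only rejects GET; if the web service accepts the session cookie as authentication, a cross-site HTML form can still submit an `application/x-www-form-urlencoded` POST carrying `method=pwg.images.setPrivacyLevel&image_id[]=1&level=8`, so the 405 check does not by itself prevent CSRF. Where cookie-based sessions are accepted for this method, also require the `pwg_token` introduced in functions.inc.php (or another credential the browser does not attach automatically) before the `UPDATE`; how the service authenticates callers is not visible in this diff. The same five-line gate is pasted into `ws_images_add_chunk` further down, which makes it easy for a future write method to miss it.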
@@ -1009,7 +1019,7 @@ function add_file($file_path, $type, $original_sum, $file_sum) $file_path = file_path_for_type($file_path, $type); $upload_dir = dirname($file_path); - + if (!is_dir($upload_dir)) { umask(0000); $recursive = true; @@ -1096,7 +1106,7 @@ SELECT // update basic metadata from file // $update = array(); - + if ('high' == $params['type']) { $update['high_filesize'] = $infos['filesize']; @@ -1115,7 +1125,7 @@ SELECT if (count($update) > 0) { $update['id'] = $params['image_id']; - + include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); mass_updates( IMAGES_TABLE, @@ -1665,6 +1675,11 @@ function ws_images_setInfo($params, &$service) return new PwgError(401, 'Access denied'); } + if (!$service->isPost()) + { + return new PwgError(405, "This method requires HTTP POST"); + } + $params['image_id'] = (int)$params['image_id']; if ($params['image_id'] <= 0) { @@ -1829,7 +1844,7 @@ function ws_add_image_category_relations($image_id, $categories_string, $replace ); exit(); } - + $query = ' SELECT id @@ -1847,9 +1862,9 @@ SELECT ); exit(); } - + $to_update_cat_ids = array(); - + // in case of replace mode, we first check the existing associations $query = ' SELECT @@ -1874,13 +1889,13 @@ DELETE update_category($to_remove_cat_ids); } } - + $new_cat_ids = array_diff($cat_ids, $existing_cat_ids); if (count($new_cat_ids) == 0) { return true; } - + if ($search_current_ranks) { $query = ' @@ -1904,16 +1919,16 @@ SELECT { $current_rank_of[$cat_id] = 0; } - + if ('auto' == $rank_on_category[$cat_id]) { $rank_on_category[$cat_id] = $current_rank_of[$cat_id] + 1; } } } - + $inserts = array(); - + foreach ($new_cat_ids as $cat_id) { array_push( @@ -1925,14 +1940,14 @@ SELECT ) ); } - + include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); mass_inserts( IMAGE_CATEGORY_TABLE, array_keys($inserts[0]), $inserts ); - + update_category($new_cat_ids); } 
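Review bot: The POST-only check added to `ws_images_setInfo` is the third verbatim copy of the same block (after `ws_images_setPrivacyLevel` and `ws_images_add_chunk`) with a fourth following in `ws_categories_setInfo`, so the guard lives in four places that must be kept in sync. A one-line helper such as `function ws_require_post(&$service) { return $service->isPost() ? null : new PwgError(405, 'This method requires HTTP POST'); }` used as `if ($err = ws_require_post($service)) return $err;` keeps the policy in one place; if the service's method registration supports per-method options, enforcing it there would be better still, but that registration is not in this diff. The body of `ws_images_setInfo` continues outside the hunk.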
@@ -1944,6 +1959,11 @@ function ws_categories_setInfo($params, &$service) return new PwgError(401, 'Access denied'); } + if (!$service->isPost()) + { + return new PwgError(405, "This method requires HTTP POST"); + } + // category_id // name // comment @@ -1986,7 +2006,7 @@ function ws_categories_setInfo($params, &$service) array($update) ); } - + } function ws_logfile($string) @@ -1996,7 +2016,7 @@ function ws_logfile($string) if (!$conf['ws_enable_log']) { return true; } - + file_put_contents( $conf['ws_log_filepath'], '['.date('c').'] '.$string."\n", |