Diffstat (limited to 'include')
-rw-r--r--include/constants.php3
-rw-r--r--include/functions.inc.php76
-rw-r--r--include/functions_comment.inc.php22
-rw-r--r--include/picture_comment.inc.php3
-rw-r--r--include/ws_functions.inc.php66
5 files changed, 131 insertions, 39 deletions
diff --git a/include/constants.php b/include/constants.php
index 99a4816e7..2c828702a 100644
--- a/include/constants.php
+++ b/include/constants.php
@@ -38,6 +38,9 @@ define('ACCESS_ADMINISTRATOR', 3);
define('ACCESS_WEBMASTER', 4);
define('ACCESS_CLOSED', 5);
+// Sanity checks
+define('PATTERN_ID', '/^\d+$/');
+
// Table names
if (!defined('CATEGORIES_TABLE'))
define('CATEGORIES_TABLE', $prefixeTable.'categories');
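Review bot: PATTERN_ID anchors with `$`, which in PCRE also matches just before a trailing newline, so a value such as "12\n" satisfies the check even though it is not a bare integer. Since the constant is introduced here as a "sanity check" for ids, anchor on the true end of subject instead: `define('PATTERN_ID', '/^\d+$/D');` (or `'/^\d+\z/'`). Callers that cast the value to int afterwards are unaffected, but any code that interpolates the raw string is not, and that usage is not visible in this hunk.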
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 273d63776..6685bba99 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1492,4 +1492,80 @@ function get_comment_post_key($image_id)
)
);
}
+
+/*
+ * breaks the script execution if the given value doesn't match the given
+ * pattern. This should happen only during hacking attempts.
+ *
+ * @param string param_name
+ * @param mixed param_value
+ * @param boolean is_array
+ * @param string pattern
+ *
+ * @return void
+ */
+function check_input_parameter($param_name, $param_value, $is_array, $pattern)
+{
+ // it's ok if the input parameter is null
+ if (empty($param_value))
+ {
+ return true;
+ }
+
+ if ($is_array)
+ {
+ if (!is_array($param_value))
+ {
+ die('[Hacking attempt] the input parameter "'.$param_name.'" should be an array');
+ }
+
+ foreach ($param_value as $item_to_check)
+ {
+ if (!preg_match($pattern, $item_to_check))
+ {
+ die('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"');
+ }
+ }
+ }
+ else
+ {
+ if (!preg_match($pattern, $param_value))
+ {
+ die('[Hacking attempt] the input parameter "'.$param_name.'" is not valid');
+ }
+ }
+}
+
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token
+ */
+function check_pwg_token()
+{
+ $valid_token = get_pwg_token();
+ $given_token = null;
+
+ if (!empty($_POST['pwg_token']))
+ {
+ $given_token = $_POST['pwg_token'];
+ }
+ elseif (!empty($_GET['pwg_token']))
+ {
+ $given_token = $_GET['pwg_token'];
+ }
+ if ($given_token != $valid_token)
+ {
+ access_denied();
+ }
+}
+
+function get_pwg_token()
+{
+ global $conf;
+
+ return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
?> \ No newline at end of file
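Review bot: check_pwg_token's docblock says an empty pwg_token means the action does not require a token, but the body leaves $given_token at null in that case and `null != $valid_token` is true, so access_denied() is called; either the docblock should read `any request without a matching pwg_token is denied` or the code needs an explicit early return for the no-token case, and the two should agree before this ships. The comparison on `if ($given_token != $valid_token)` is loose; `if ($given_token !== $valid_token)` avoids two numeric-looking hex strings being compared as numbers, and a constant-time string comparison is preferable where the target PHP version provides one. In check_input_parameter the `empty($param_value)` guard also lets the string "0" through unchecked and returns true from a function documented as `@return void`; testing for null and '' explicitly keeps "0" under the pattern. check_input_parameter, check_pwg_token and get_pwg_token are complete within the hunk; get_comment_post_key's body starts outside it.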
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php
index c8dd6f3e0..53cf4660a 100644
--- a/include/functions_comment.inc.php
+++ b/include/functions_comment.inc.php
@@ -166,33 +166,25 @@ INSERT INTO '.COMMENTS_TABLE.'
$comm['id'] = mysql_insert_id();
- if
- (
- ($comment_action=='validate' and $conf['email_admin_on_comment'])
- or
- ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
- )
+ if ($conf['email_admin_on_comment']
+ or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))
{
include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
- $del_url =
- get_absolute_root_url().'comments.php?delete='.$comm['id'];
+ $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id'];
$keyargs_content = array
(
get_l10n_args('Author: %s', $comm['author']),
get_l10n_args('Comment: %s', $comm['content']),
get_l10n_args('', ''),
- get_l10n_args('Delete: %s', $del_url)
+ get_l10n_args('Manage this user comment: %s', $comment_url)
);
- if ($comment_action!='validate')
+ if ('moderate' == $comment_action)
{
- $keyargs_content[] =
- get_l10n_args('', '');
- $keyargs_content[] =
- get_l10n_args('Validate: %s',
- get_absolute_root_url().'comments.php?validate='.$comm['id']);
+ $keyargs_content[] = get_l10n_args('', '');
+ $keyargs_content[] = get_l10n_args('(!) This comment requires validation', '');
}
pwg_mail_notification_admins
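Review bot: The rewritten condition `if ($conf['email_admin_on_comment'] or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))` now sends the admin mail for a moderated comment whenever email_admin_on_comment is set, whereas the removed form only did so when email_admin_on_comment_validation was set. If that widening is intended, a one-line comment such as `// email_admin_on_comment covers every stored comment; the validation flag only adds moderated ones` would stop a later reader from reverting it as a regression. The function containing this block begins and ends outside the hunk, so how $comment_action is assigned and what values other than 'validate' and 'moderate' it can take are not visible here.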
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
index 73b245b6b..af14cb050 100644
--- a/include/picture_comment.inc.php
+++ b/include/picture_comment.inc.php
@@ -149,7 +149,8 @@ SELECT id,author,date,image_id,content
$url_self,
array(
'action'=>'delete_comment',
- 'comment_to_delete'=>$row['id']
+ 'comment_to_delete'=>$row['id'],
+ 'pwg_token'=>get_pwg_token(),
)
);
}
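Review bot: The delete link now carries pwg_token in the query string of a GET URL, so the state-changing action is still reachable through a plain link and the token is exposed in browser history, proxy logs and Referer headers sent from the comments page. Because get_pwg_token() derives the token from the session id, a leaked value is only usable within that session, which limits the damage; a small POST form with a hidden pwg_token field would avoid the exposure altogether. The array literal and the function around it start and end outside this hunk.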
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php
index 7b25a045f..6e13af641 100644
--- a/include/ws_functions.inc.php
+++ b/include/ws_functions.inc.php
@@ -855,6 +855,10 @@ function ws_images_setPrivacyLevel($params, &$service)
{
return new PwgError(401, 'Access denied');
}
+ if (!$service->isPost())
+ {
+ return new PwgError(405, "This method requires HTTP POST");
+ }
$params['image_id'] = array_map( 'intval',$params['image_id'] );
if ( empty($params['image_id']) )
{
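Review bot: The new `if (!$service->isPost())` gate in ws_images_setPrivacyLevel is copy-pasted verbatim into ws_images_add_chunk, ws_images_setInfo and ws_categories_setInfo in the later hunks of this file, each with a double-quoted message next to the single-quoted 'Access denied' one line above; a shared helper returning the PwgError, or at least `return new PwgError(405, 'This method requires HTTP POST');` for consistency, would keep the four in step. Requiring POST narrows the exposure of these write methods but does not by itself rule out a cross-site form submission; whether the web-service layer also verifies pwg_token is not visible in this diff, so that is worth confirming. The function's signature is outside the hunk and its body continues past it.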
@@ -865,6 +869,7 @@ function ws_images_setPrivacyLevel($params, &$service)
{
return new PwgError(WS_ERR_INVALID_PARAM, "Invalid level");
}
+
$query = '
UPDATE '.IMAGES_TABLE.'
SET level='.(int)$params['level'].'
@@ -885,12 +890,17 @@ function ws_images_add_chunk($params, &$service)
// original_sum
// type {thumb, file, high}
// position
-
+
if (!is_admin() || is_adviser() )
{
return new PwgError(401, 'Access denied');
}
+ if (!$service->isPost())
+ {
+ return new PwgError(405, "This method requires HTTP POST");
+ }
+
$upload_dir = PHPWG_ROOT_PATH.'upload/buffer';
// create the upload directory tree if not exists
@@ -945,18 +955,18 @@ function merge_chunks($output_filepath, $original_sum, $type)
if (is_file($output_filepath))
{
unlink($output_filepath);
-
+
if (is_file($output_filepath))
{
new PwgError(500, '[merge_chunks] error while trying to remove existing '.$output_filepath);
exit();
}
}
-
+
$upload_dir = PHPWG_ROOT_PATH.'upload/buffer';
$pattern = '/'.$original_sum.'-'.$type.'/';
$chunks = array();
-
+
if ($handle = opendir($upload_dir))
{
while (false !== ($file = readdir($handle)))
@@ -977,21 +987,21 @@ function merge_chunks($output_filepath, $original_sum, $type)
}
$i = 0;
-
+
foreach ($chunks as $chunk)
{
$string = file_get_contents($chunk);
-
+
if (function_exists('memory_get_usage')) {
ws_logfile('[merge_chunks] memory_get_usage on chunk '.++$i.': '.memory_get_usage());
}
-
+
if (!file_put_contents($output_filepath, $string, FILE_APPEND))
{
new PwgError(500, '[merge_chunks] error while writting chunks for '.$output_filepath);
exit();
}
-
+
unlink($chunk);
}
@@ -1009,7 +1019,7 @@ function add_file($file_path, $type, $original_sum, $file_sum)
$file_path = file_path_for_type($file_path, $type);
$upload_dir = dirname($file_path);
-
+
if (!is_dir($upload_dir)) {
umask(0000);
$recursive = true;
@@ -1096,7 +1106,7 @@ SELECT
// update basic metadata from file
//
$update = array();
-
+
if ('high' == $params['type'])
{
$update['high_filesize'] = $infos['filesize'];
@@ -1115,7 +1125,7 @@ SELECT
if (count($update) > 0)
{
$update['id'] = $params['image_id'];
-
+
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
mass_updates(
IMAGES_TABLE,
@@ -1665,6 +1675,11 @@ function ws_images_setInfo($params, &$service)
return new PwgError(401, 'Access denied');
}
+ if (!$service->isPost())
+ {
+ return new PwgError(405, "This method requires HTTP POST");
+ }
+
$params['image_id'] = (int)$params['image_id'];
if ($params['image_id'] <= 0)
{
@@ -1829,7 +1844,7 @@ function ws_add_image_category_relations($image_id, $categories_string, $replace
);
exit();
}
-
+
$query = '
SELECT
id
@@ -1847,9 +1862,9 @@ SELECT
);
exit();
}
-
+
$to_update_cat_ids = array();
-
+
// in case of replace mode, we first check the existing associations
$query = '
SELECT
@@ -1874,13 +1889,13 @@ DELETE
update_category($to_remove_cat_ids);
}
}
-
+
$new_cat_ids = array_diff($cat_ids, $existing_cat_ids);
if (count($new_cat_ids) == 0)
{
return true;
}
-
+
if ($search_current_ranks)
{
$query = '
@@ -1904,16 +1919,16 @@ SELECT
{
$current_rank_of[$cat_id] = 0;
}
-
+
if ('auto' == $rank_on_category[$cat_id])
{
$rank_on_category[$cat_id] = $current_rank_of[$cat_id] + 1;
}
}
}
-
+
$inserts = array();
-
+
foreach ($new_cat_ids as $cat_id)
{
array_push(
@@ -1925,14 +1940,14 @@ SELECT
)
);
}
-
+
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
mass_inserts(
IMAGE_CATEGORY_TABLE,
array_keys($inserts[0]),
$inserts
);
-
+
update_category($new_cat_ids);
}
@@ -1944,6 +1959,11 @@ function ws_categories_setInfo($params, &$service)
return new PwgError(401, 'Access denied');
}
+ if (!$service->isPost())
+ {
+ return new PwgError(405, "This method requires HTTP POST");
+ }
+
// category_id
// name
// comment
@@ -1986,7 +2006,7 @@ function ws_categories_setInfo($params, &$service)
array($update)
);
}
-
+
}
function ws_logfile($string)
@@ -1996,7 +2016,7 @@ function ws_logfile($string)
if (!$conf['ws_enable_log']) {
return true;
}
-
+
file_put_contents(
$conf['ws_log_filepath'],
'['.date('c').'] '.$string."\n",