From 2119631cd7e390cb13899f657c9bb96518cae870 Mon Sep 17 00:00:00 2001 From: plegall Date: Thu, 17 Dec 2009 22:47:31 +0000 Subject: bug 1328: implement check_pwg_token for emails on user comments management. The check_pwg_token and get_pwg_token functions were moved to the public side (for use on comments.php) The email sent to admins on new user comment does not directly includes validate/delete actions. git-svn-id: http://piwigo.org/svn/branches/2.0@4508 68402e56-0260-453c-a942-63ccdbb3a9ee --- admin/include/functions.php | 33 ------------- comments.php | 99 +++++++++++++++++++++++++++++---------- include/functions.inc.php | 33 +++++++++++++ include/functions_comment.inc.php | 22 +++------ 4 files changed, 113 insertions(+), 74 deletions(-) diff --git a/admin/include/functions.php b/admin/include/functions.php index b0013b29b..1081c9f3d 100644 --- a/admin/include/functions.php +++ b/admin/include/functions.php @@ -23,39 +23,6 @@ include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php'); -/** - * check token comming from form posted or get params to prevent csrf attacks - * if pwg_token is empty action doesn't require token - * else pwg_token is compare to server token - * - * @return void access denied if token given is not equal to server token - */ -function check_pwg_token() -{ - $valid_token = get_pwg_token(); - $given_token = null; - - if (!empty($_POST['pwg_token'])) - { - $given_token = $_POST['pwg_token']; - } - elseif (!empty($_GET['pwg_token'])) - { - $given_token = $_GET['pwg_token']; - } - if ($given_token != $valid_token) - { - access_denied(); - } -} - -function get_pwg_token() -{ - global $conf; - - return hash_hmac('md5', session_id(), $conf['secret_key']); -} - // The function delete_site deletes a site and call the function // delete_categories for each primary category of the site function delete_site( $id ) diff --git a/comments.php b/comments.php index 1f0221c08..b30db9fa8 100644 --- a/comments.php +++ b/comments.php 
@@ -113,6 +113,26 @@ if (!empty($_GET['author']))
 $page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
 }
 
+// search a specific comment (if you're coming directly from an admin
+// notification email)
+if (!empty($_GET['comment_id']))
+{
+ check_input_parameter('comment_id', $_GET['comment_id'], false, PATTERN_ID);
+
+ // currently, the $_GET['comment_id'] is only used by admins from email
+ // for management purpose (validate/delete)
+ if (!is_admin())
+ {
+ $login_url =
+ get_root_url().'identification.php?redirect='
+ .urlencode(urlencode($_SERVER['REQUEST_URI']))
+ ;
+ redirect($login_url);
+ }
+
+ $page['where_clauses'][] = 'com.id = '.$_GET['comment_id'];
+}
+
 // search a substring among comments content
 if (!empty($_GET['keyword']))
 {
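Review bot: `$page['where_clauses'][] = 'com.id = '.$_GET['comment_id'];` interpolates the request value straight into the SQL fragment, so its safety rests entirely on PATTERN_ID (defined outside this hunk) staying a digits-only pattern. A cast makes the fragment safe on its own regardless of how that constant evolves: `$page['where_clauses'][] = 'com.id = '.(int)$_GET['comment_id'];`. The delete and validate branches in the comments-management hunk below build their WHERE clauses the same way and would benefit from the same cast. The gate here is `is_admin()` plus a login redirect while the management block uses `check_status(ACCESS_ADMINISTRATOR)`; a one-line comment saying the redirect exists so the emailed link survives a login round-trip (presumably the intent) would make the difference look deliberate.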
@@ -152,28 +172,46 @@ $page['where_clauses'][] = get_sql_condition_FandF // +-----------------------------------------------------------------------+ // | comments management | // +-----------------------------------------------------------------------+ -if (isset($_GET['delete']) and is_numeric($_GET['delete']) - and !is_adviser() ) -{// comments deletion - check_status(ACCESS_ADMINISTRATOR); - $query = ' -DELETE FROM '.COMMENTS_TABLE.' - WHERE id='.$_GET['delete'].' + +if (isset($_GET['delete']) or isset($_GET['validate'])) +{ + check_pwg_token(); + + if (!is_adviser()) + { + check_status(ACCESS_ADMINISTRATOR); + + if (isset($_GET['delete'])) + { + check_input_parameter('delete', $_GET['delete'], false, PATTERN_ID); + + $query = ' +DELETE + FROM '.COMMENTS_TABLE.' + WHERE id = '.$_GET['delete'].' ;'; - pwg_query($query); -} + pwg_query($query); + } -if (isset($_GET['validate']) and is_numeric($_GET['validate']) - and !is_adviser() ) -{ // comments validation - check_status(ACCESS_ADMINISTRATOR); - $query = ' + if (isset($_GET['validate'])) + { + check_input_parameter('validate', $_GET['validate'], false, PATTERN_ID); + + $query = ' UPDATE '.COMMENTS_TABLE.' - SET validated = \'true\' - , validation_date = NOW() - WHERE id='.$_GET['validate'].' + SET validated = "true" + , validation_date = NOW() + WHERE id = '.$_GET['validate'].' ;'; - pwg_query($query); + pwg_query($query); + } + + $redirect_url = + PHPWG_ROOT_PATH + .'comments.php' + .get_query_string_diff(array('delete','validate','pwg_token')); + redirect($redirect_url); + } } // +-----------------------------------------------------------------------+ @@ -268,7 +306,7 @@ list($counter) = mysql_fetch_row(pwg_query($query)); $url = PHPWG_ROOT_PATH .'comments.php' - .get_query_string_diff(array('start','delete','validate')); + .get_query_string_diff(array('start','delete','validate','pwg_token')); $navbar = create_navigation_bar($url, $counter, 
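Review bot: The validation query now writes `SET validated = "true"` with double quotes where the removed line used `\'true\'`; under MySQL's ANSI_QUOTES sql_mode a double-quoted token is parsed as an identifier rather than a string, so on such a server the UPDATE fails with an unknown-column error instead of validating the comment. Keeping the single-quoted literal is the portable form: `  SET validated = \'true\'`. Separately, `check_pwg_token()` runs before `check_status(ACCESS_ADMINISTRATOR)`, which is a reasonable order (a cross-site request is rejected before any role lookup) but reads as accidental; a comment above the call such as `// token check first: reject forged cross-site requests before looking at the role` would record the intent.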
@@ -380,16 +418,25 @@ SELECT id, name, permalink, uppercats if ( is_admin() ) { - $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate')); - $tpl_comment['U_DELETE'] = add_url_params($url, - array('delete'=>$comment['comment_id']) - ); + $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate','pwg_token')); + + $tpl_comment['U_DELETE'] = add_url_params( + $url, + array( + 'delete' => $comment['comment_id'], + 'pwg_token' => get_pwg_token(), + ) + ); if ($comment['validated'] != 'true') { - $tpl_comment['U_VALIDATE'] = add_url_params($url, - array('validate'=>$comment['comment_id']) - ); + $tpl_comment['U_VALIDATE'] = add_url_params( + $url, + array( + 'validate' => $comment['comment_id'], + 'pwg_token' => get_pwg_token(), + ) + ); } } $template->append('comments', $tpl_comment); diff --git a/include/functions.inc.php b/include/functions.inc.php index dbcaf6a97..6685bba99 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -1535,4 +1535,37 @@ function check_input_parameter($param_name, $param_value, $is_array, $pattern) } } } + +/** + * check token comming from form posted or get params to prevent csrf attacks + * if pwg_token is empty action doesn't require token + * else pwg_token is compare to server token + * + * @return void access denied if token given is not equal to server token + */ +function check_pwg_token() +{ + $valid_token = get_pwg_token(); + $given_token = null; + + if (!empty($_POST['pwg_token'])) + { + $given_token = $_POST['pwg_token']; + } + elseif (!empty($_GET['pwg_token'])) + { + $given_token = $_GET['pwg_token']; + } + if ($given_token != $valid_token) + { + access_denied(); + } +} + +function get_pwg_token() +{ + global $conf; + + return hash_hmac('md5', session_id(), $conf['secret_key']); +} ?> \ No newline at end of file diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php index c8dd6f3e0..53cf4660a 100644 
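Review bot: `get_pwg_token()` is evaluated once for U_DELETE and again for U_VALIDATE on every comment in this loop, although its value depends only on the session id and `$conf['secret_key']`; compute it once before the loop (the loop head is outside the hunk) or at least once per iteration, `$pwg_token = get_pwg_token();`, and use `'pwg_token' => $pwg_token,` in both arrays. These remain state-changing actions on GET links; the token closes the CSRF gap and `get_query_string_diff(array('delete','validate','pwg_token'))` strips it again on the redirect so it does not linger in the address bar, but a comment noting that a POST form would keep the token out of browser history and Referer headers entirely is worth leaving for a later change.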
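Review bot: The moved `check_pwg_token()` compares the two tokens with loose `!=`; since `hash_hmac('md5', ...)` yields a hex string, PHP's numeric-string comparison rules can treat two different tokens as equal for certain digit-only shapes, and the strict form costs nothing: `if ($given_token !== $valid_token)` (a constant-time comparison such as `hash_equals()` is better still where the runtime provides it). The docblock is also inaccurate: with `$given_token = null` and a non-empty server token, a missing `pwg_token` is denied rather than exempted, so "if pwg_token is empty action doesn't require token" should read "a missing or empty pwg_token is rejected like a wrong one"; "comming" and "is compare" are typos. `get_pwg_token()` has no docblock at all; one line, `/** HMAC of the current session id keyed with $conf['secret_key']; stable for the session and not forgeable without the secret */`, would explain why it is safe to embed in links.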
--- a/include/functions_comment.inc.php +++ b/include/functions_comment.inc.php @@ -166,33 +166,25 @@ INSERT INTO '.COMMENTS_TABLE.' $comm['id'] = mysql_insert_id(); - if - ( - ($comment_action=='validate' and $conf['email_admin_on_comment']) - or - ($comment_action!='validate' and $conf['email_admin_on_comment_validation']) - ) + if ($conf['email_admin_on_comment'] + or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action)) { include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php'); - $del_url = - get_absolute_root_url().'comments.php?delete='.$comm['id']; + $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id']; $keyargs_content = array ( get_l10n_args('Author: %s', $comm['author']), get_l10n_args('Comment: %s', $comm['content']), get_l10n_args('', ''), - get_l10n_args('Delete: %s', $del_url) + get_l10n_args('Manage this user comment: %s', $comment_url) ); - if ($comment_action!='validate') + if ('moderate' == $comment_action) { - $keyargs_content[] = - get_l10n_args('', ''); - $keyargs_content[] = - get_l10n_args('Validate: %s', - get_absolute_root_url().'comments.php?validate='.$comm['id']); + $keyargs_content[] = get_l10n_args('', ''); + $keyargs_content[] = get_l10n_args('(!) This comment requires validation', ''); } pwg_mail_notification_admins -- cgit v1.2.3
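Review bot: The rewritten condition makes `$conf['email_admin_on_comment']` sufficient for every `$comment_action`, whereas the removed version only honoured it when the action was `validate`; if that widening is intended (admins now hear about moderated comments too), a comment saying so would stop the next reader from "fixing" it back, e.g. `// email_admin_on_comment covers every stored comment; the validation flag only adds the moderated ones`. The `'moderate' == $comment_action` test is evaluated twice in this hunk; a local such as `$needs_validation = ('moderate' == $comment_action);` reads better in both places. The enclosing function begins and ends outside the hunk, so whether any other action value can reach this point is not visible here.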