From aca87d534d3ac2ab88a8cfb6b1cafc9906c0fb86 Mon Sep 17 00:00:00 2001
From: plegall
Date: Tue, 15 Dec 2009 22:53:51 +0000
Subject: merge r4492 from trunk to branch 2.0 Bug 1328 add function to check token
git-svn-id: http://piwigo.org/svn/branches/2.0@4501 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/include/functions.php | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
(limited to 'admin/include')
diff --git a/admin/include/functions.php b/admin/include/functions.php
index 66d7b52ec..1538a98ae 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
@@ -23,6 +23,28 @@ include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token
+ */
+function check_token()
+{
+ global $conf;
+
+ $token = hash_hmac('md5', session_id(), $conf['secret_key']);
+
+ if (!empty($_POST['pwg_token']) && ($_POST['pwg_token'] != $token))
+ {
+ access_denied();
+ }
+ elseif (!empty($_GET['pwg_token']) && ($_GET['pwg_token'] != $token))
+ {
+ access_denied();
+ }
+}
 // The function delete_site deletes a site and call the function
 // delete_categories for each primary category of the site
-- cgit v1.2.3
From 5d017241d30f70eaedd502255271a78eeef55d00 Mon Sep 17 00:00:00 2001
From: plegall
Date: Tue, 15 Dec 2009 22:54:11 +0000
Subject: merge r4493 from trunk to branch 2.0 Bug 1328 : improve check function
git-svn-id: http://piwigo.org/svn/branches/2.0@4502 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/include/functions.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'admin/include')
diff --git a/admin/include/functions.php b/admin/include/functions.php
index 1538a98ae..39e2e5d35 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
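Review bot: Both `!= $token` comparisons use PHP's loose comparison, so two hex digests that both look like a numeric string of the form `0e<digits>` compare equal as floats and the check would pass without a byte-for-byte match; a valid digest of that shape is rare, but the comparison should still be strict, `!==`, or `hash_equals($token, $given)` where PHP 5.6+ is available, which is also constant-time. The same loose `$given_token != $valid_token` comparison is kept in the two hunks of the following commits on this page. In this first version an absent or empty `pwg_token` skips the check entirely because `empty()` guards both branches, so a request that omits the parameter is never denied; the next commit on this page addresses that by initialising `$given_token` to null and comparing unconditionally. Note also that `empty()` treats the string `"0"` as absent, which `isset()` would not.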
@@ -34,13 +34,18 @@ function check_token()
 {
 global $conf;
- $token = hash_hmac('md5', session_id(), $conf['secret_key']);
+ $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']);
+ $given_token = null;
- if (!empty($_POST['pwg_token']) && ($_POST['pwg_token'] != $token))
+ if (!empty($_POST['pwg_token']))
 {
- access_denied();
+ $given_token = $_POST['pwg_token'];
+ }
+ elseif (!empty($_GET['pwg_token']))
+ {
+ $given_token = $_GET['pwg_token'];
 }
- elseif (!empty($_GET['pwg_token']) && ($_GET['pwg_token'] != $token))
+ if ($given_token != $valid_token)
 {
 access_denied();
 }
-- cgit v1.2.3
From 54ed1bfcdb463c931c190045a65438931ebd9cff Mon Sep 17 00:00:00 2001
From: plegall
Date: Tue, 15 Dec 2009 23:22:49 +0000
Subject: bug 1328: first specific implementation of the check_pwg_token for the admin/tags page (all actions : add/edit/delete). The "check_token" function was renammed into check_pwg_token because the word "token" is too much generic.
git-svn-id: http://piwigo.org/svn/branches/2.0@4503 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/include/functions.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'admin/include')
diff --git a/admin/include/functions.php b/admin/include/functions.php
index 39e2e5d35..b0013b29b 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
@@ -30,11 +30,9 @@ include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
 *
 * @return void access denied if token given is not equal to server token
 */
-function check_token()
+function check_pwg_token()
 {
- global $conf;
-
- $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']);
+ $valid_token = get_pwg_token();
 $given_token = null;
 if (!empty($_POST['pwg_token']))
@@ -51,6 +49,13 @@ function check_token()
 }
 }
+function get_pwg_token()
+{
+ global $conf;
+
+ return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
+
 // The function delete_site deletes a site and call the function
 // delete_categories for each primary category of the site
 function delete_site( $id )
-- cgit v1.2.3
From 2119631cd7e390cb13899f657c9bb96518cae870 Mon Sep 17 00:00:00 2001
From: plegall
Date: Thu, 17 Dec 2009 22:47:31 +0000
Subject: bug 1328: implement check_pwg_token for emails on user comments management. The check_pwg_token and get_pwg_token functions were moved to the public side (for use on comments.php) The email sent to admins on new user comment does not directly includes validate/delete actions.
git-svn-id: http://piwigo.org/svn/branches/2.0@4508 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/include/functions.php | 33 ---------------------------------
 1 file changed, 33 deletions(-)
(limited to 'admin/include')
diff --git a/admin/include/functions.php b/admin/include/functions.php
index b0013b29b..1081c9f3d 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
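Review bot: `get_pwg_token()` is a new function with no docblock, although it defines the value every `check_pwg_token()` call is compared against; add one such as `/** Return the CSRF token bound to the current session: HMAC-MD5 of session_id() keyed with $conf['secret_key']. Requires an active session. */`. The "requires an active session" part matters: `session_id()` returns an empty string when no session has been started, in which case the function returns the HMAC of `""`, a single value shared by every sessionless client, so the token no longer identifies a session and the check degrades to a static secret. Callers should ensure a session exists before issuing or checking the token; the later commit message on this page says these functions move to the public side for comments.php, where sessionless visitors are more likely, though that usage is not visible here.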
@@ -23,39 +23,6 @@ include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
-/**
- * check token comming from form posted or get params to prevent csrf attacks
- * if pwg_token is empty action doesn't require token
- * else pwg_token is compare to server token
- *
- * @return void access denied if token given is not equal to server token
- */
-function check_pwg_token()
-{
- $valid_token = get_pwg_token();
- $given_token = null;
-
- if (!empty($_POST['pwg_token']))
- {
- $given_token = $_POST['pwg_token'];
- }
- elseif (!empty($_GET['pwg_token']))
- {
- $given_token = $_GET['pwg_token'];
- }
- if ($given_token != $valid_token)
- {
- access_denied();
- }
-}
-
-function get_pwg_token()
-{
- global $conf;
-
- return hash_hmac('md5', session_id(), $conf['secret_key']);
-}
-
 // The function delete_site deletes a site and call the function
 // delete_categories for each primary category of the site
 function delete_site( $id )
-- cgit v1.2.3