From c695136e4d75695178a9fc848a7cf6bfa2b9346c Mon Sep 17 00:00:00 2001 From: plegall Date: Fri, 19 Mar 2010 22:25:39 +0000 Subject: bug 1328: backport the pwg_token on trunk bug 1329: backport the check_input_parameter on trunk feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring on this feature to make the code simpler and easier to maintain (I hope). git-svn-id: http://piwigo.org/svn/trunk@5195 68402e56-0260-453c-a942-63ccdbb3a9ee --- admin/include/functions.php | 28 ---------------------------- admin/include/uploadify/uploadify.php | 2 +- 2 files changed, 1 insertion(+), 29 deletions(-) (limited to 'admin/include') diff --git a/admin/include/functions.php b/admin/include/functions.php index c7b8bf5f1..e3522702f 100644 --- a/admin/include/functions.php +++ b/admin/include/functions.php @@ -23,34 +23,6 @@ include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php'); -/** - * check token comming from form posted or get params to prevent csrf attacks - * if pwg_token is empty action doesn't require token - * else pwg_token is compare to server token - * - * @return void access denied if token given is not equal to server token - */ -function check_token() -{ - global $conf; - - $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']); - $given_token = null; - - if (!empty($_POST['pwg_token'])) - { - $given_token = $_POST['pwg_token']; - } - elseif (!empty($_GET['pwg_token'])) - { - $given_token = $_GET['pwg_token']; - } - if ($given_token != $valid_token) - { - access_denied(); - } -} - // The function delete_site deletes a site and call the function // delete_categories for each primary category of the site function delete_site( $id ) diff --git a/admin/include/uploadify/uploadify.php b/admin/include/uploadify/uploadify.php index eddcc12b0..306b492da 100644 --- a/admin/include/uploadify/uploadify.php +++ b/admin/include/uploadify/uploadify.php @@ -8,7 +8,7 @@ include_once(PHPWG_ROOT_PATH.'include/common.inc.php'); include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); include_once(PHPWG_ROOT_PATH.'admin/include/functions_upload.inc.php'); -// check_pwg_token(); +check_pwg_token(); ob_start(); print_r($_FILES); -- cgit v1.2.3