From d8ec9b9fdd6fb5a29e762ecd95d440f8942ca382 Mon Sep 17 00:00:00 2001 From: rvelices Date: Sat, 30 Oct 2010 11:32:11 +0000 Subject: feature 1915: add protection on user registration against robots git-svn-id: http://piwigo.org/svn/trunk@7495 68402e56-0260-453c-a942-63ccdbb3a9ee --- include/functions.inc.php | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) (limited to 'include/functions.inc.php') diff --git a/include/functions.inc.php b/include/functions.inc.php index a994fdb95..61db92ab5 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -1333,25 +1333,37 @@ function secure_directory($dir) } /** - * returns a "secret key" that is to be sent back when a user enters a comment + * returns a "secret key" that is to be sent back when a user posts a form * - * @param int image_id + * @param int valid_after_seconds - key validity start time from now */ -function get_comment_post_key($image_id) +function get_ephemeral_key($valid_after_seconds, $aditionnal_data_to_hash = '') { - global $conf; - - $time = time(); + global $conf; + $time = round(microtime(true), 1); + return $time.':'.$valid_after_seconds.':' + .hash_hmac( + 'md5', + $time.substr($_SERVER['REMOTE_ADDR'],0,5).$valid_after_seconds.$aditionnal_data_to_hash, + $conf['secret_key']); +} - return sprintf( - '%s:%s', - $time, - hash_hmac( - 'md5', - $time.':'.$image_id, - $conf['secret_key'] - ) - ); +function verify_ephemeral_key($key, $aditionnal_data_to_hash = '') +{ + global $conf; + $time = microtime(true); + $key = explode( ':', @$key ); + if ( count($key)!=3 + or $key[0]>$time-(float)$key[1] // page must have been retrieved more than X sec ago + or $key[0]<$time-3600 // 60 minutes expiration + or hash_hmac( + 'md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key'] + ) != $key[2] + ) + { + return false; + } + return true; } /** -- cgit v1.2.3