From: FlorinCB <ory...@us...> - 2009-07-08 15:29:12
Update of /cvsroot/mxbb/core/includes/shared/phpbb3/includes
In directory 23jxhf1.ch3.sourceforge.com:/tmp/cvs-serv12577
Modified Files:
functions.php
Log Message:
syncro
Index: functions.php
===================================================================
RCS file: /cvsroot/mxbb/core/includes/shared/phpbb3/includes/functions.php,v
retrieving revision 1.24
retrieving revision 1.25
diff -C2 -d -r1.24 -r1.25
*** functions.php 31 Oct 2008 18:55:14 -0000 1.24
--- functions.php 8 Jul 2009 15:29:05 -0000 1.25
***************
*** 2411,2414 ****
--- 2411,2511 ----
 );
 }
+
+ /**
+ * Add a secret hash for use in links/GET requests
+ * @param string $link_name The name of the link; has to match the name used in check_link_hash, otherwise no restrictions apply
+ * @return string the hash
+
+ */
+ public static function generate_link_hash($link_name)
+ {
+ global $user;
+
+ if (!isset($user->data["hash_$link_name"]))
+ {
+ $user->data["hash_$link_name"] = substr(sha1($user->data['user_form_salt'] . $link_name), 0, 8);
+ }
+
+ return $user->data["hash_$link_name"];
+ }
+
+
+ /**
+ * checks a link hash - for GET requests
+ * @param string $token the submitted token
+ * @param string $link_name The name of the link
+ * @return boolean true if all is fine
+ */
+ public static function check_link_hash($token, $link_name)
+ {
+ return $token === generate_link_hash($link_name);
+ }
+
+ /**
+ * Add a secret token to the form (requires the S_FORM_TOKEN template variable)
+ * @param string $form_name The name of the form; has to match the name used in check_form_key, otherwise no restrictions apply
+ */
+ public static function add_form_key($form_name)
+ {
+ global $config, $template, $user;
+
+ $now = time();
+ $token_sid = ($user->data['user_id'] == ANONYMOUS && !empty($config['form_token_sid_guests'])) ? $user->session_id : '';
+ $token = sha1($now . $user->data['user_form_salt'] . $form_name .
$token_sid);
+
+ $s_fields = build_hidden_fields(array(
+ 'creation_time' => $now,
+ 'form_token' => $token,
+ ));
+
+ $template->assign_vars(array(
+ 'S_FORM_TOKEN' => $s_fields,
+ ));
+ }
+
+ /**
+ * Check the form key. Required for all altering actions not secured by confirm_box
+ * @param string $form_name The name of the form; has to match the name used in add_form_key, otherwise no restrictions apply
+ * @param int $timespan The maximum acceptable age for a submitted form in seconds. Defaults to the config setting.
+ * @param string $return_page The address for the return link
+ * @param bool $trigger If true, the function will triger an error when encountering an invalid form
+ */
+ public static function check_form_key($form_name, $timespan = false, $return_page = '', $trigger = false)
+ {
+ global $config, $user;
+
+ if ($timespan === false)
+ {
+ // we enforce a minimum value of half a minute here.
+ $timespan = ($config['form_token_lifetime'] == -1) ? -1 : max(30, $config['form_token_lifetime']);
+ }
+
+ if (isset($_POST['creation_time']) && isset($_POST['form_token']))
+ {
+ $creation_time = abs(request_var('creation_time', 0));
+ $token = request_var('form_token', '');
+
+ $diff = time() - $creation_time;
+
+ // If creation_time and the time() now is zero we can assume it was not a human doing this (the check for if ($diff)...
+ if ($diff && ($diff <= $timespan || $timespan === -1))
+ {
+ $token_sid = ($user->data['user_id'] == ANONYMOUS && !empty($config['form_token_sid_guests'])) ? $user->session_id : '';
+ $key = sha1($creation_time . $user->data['user_form_salt'] . $form_name . $token_sid);
+
+ if ($key === $token)
+ {
+ return true;
+ }
+ }
+ }
+
+ if ($trigger)
+ {
+ trigger_error($user->lang['FORM_INVALID'] . $return_page);
+ }
+
+ return false;
+ }
 // Message/Login boxes |
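Review bot: check_link_hash compares the submitted token against a bare `generate_link_hash($link_name)` call even though the same hunk declares `generate_link_hash` as a `public static` method; inside a class body that unqualified name resolves to a global function, so the call either fails as undefined or silently uses some other global implementation, and the line should read `return $token === self::generate_link_hash($link_name);`. The enclosing class header is outside the hunk, so this assumes these methods really sit in a class, as the `public static` modifiers imply. The check_form_key docblock also declares `$timespan` as `int` while its default is `false` and the body tests for exactly that value, so `@param int|bool $timespan` would match the code. On PHP builds that provide it, `hash_equals()` is the constant-time replacement for the `===` token comparisons in both check functions, though it post-dates the era of this code.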