aboutsummaryrefslogtreecommitdiff
path: root/engine/lib
diff options
context:
space:
mode:
authormarcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-08-08 12:34:35 +0000
committermarcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>2008-08-08 12:34:35 +0000
commitb717746b48b00e7e0a128a60ed2bf496f3806f18 (patch)
treedca054a55136d32247271abc52fa2209a23960f1 /engine/lib
parent10f233a2e2a11416413585ceadafa0d7b07988bc (diff)
downloadelgg-b717746b48b00e7e0a128a60ed2bf496f3806f18.tar.gz
elgg-b717746b48b00e7e0a128a60ed2bf496f3806f18.tar.bz2
Closes #220: Removed action from hash. Timestamp should make this unpredictable enough.
git-svn-id: https://code.elgg.org/elgg/trunk@1791 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/actions.php11
1 files changed, 4 insertions, 7 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 26d56104b..bc8b09589 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -119,14 +119,13 @@
function action_gatekeeper()
{
$token = get_input('__elgg_token');
- $action = get_input('__elgg_action');
$ts = get_input('__elgg_ts');
$session_id = session_id();
- if (($token) && ($action) && ($ts) && ($session_id))
+ if (($token) && ($ts) && ($session_id))
{
// generate token, check with input and forward if invalid
- $generated_token = generate_action_token($action, $ts);
+ $generated_token = generate_action_token($ts);
// Validate token
if (strcmp($token, $generated_token)==0)
@@ -140,7 +139,6 @@
$returnval = true; // We have already got this far, so unless anything else says something to the contry we assume we're ok
return trigger_plugin_hook('action_gatekeeper:permissions:check', 'all', array(
- 'action' => $action,
'token' => $token,
'time' => $ts
), $returnval);
@@ -161,10 +159,9 @@
/**
* Generate a token for the current user suitable for being placed in a hidden field in action forms.
*
- * @param string $action The action being called
* @param int $timestamp Unix timestamp
*/
- function generate_action_token($action, $timestamp)
+ function generate_action_token($timestamp)
{
// Get input values
$site_secret = get_site_secret();
@@ -173,7 +170,7 @@
$session_id = session_id();
if (($site_secret) && ($session_id))
- return md5($site_secret.$action.$timestamp.$session_id);
+ return md5($site_secret.$timestamp.$session_id);
return false;
}