aboutsummaryrefslogtreecommitdiff
path: root/engine/lib
diff options
context:
space:
mode:
authorbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-01-21 01:30:09 +0000
committerbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-01-21 01:30:09 +0000
commit0c5b4c242b0805c55ca3b1a887eb222844a66400 (patch)
treef3455e9dcac50226d33ab3048a691f90ee82d5c5 /engine/lib
parent3d9fb93c8c91e45b88dfeb816960049e0cb33231 (diff)
downloadelgg-0c5b4c242b0805c55ca3b1a887eb222844a66400.tar.gz
elgg-0c5b4c242b0805c55ca3b1a887eb222844a66400.tar.bz2
Fixes #750: All actions require __elgg_ts and __elgg_token.
git-svn-id: http://code.elgg.org/elgg/trunk@3821 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib')
-rw-r--r--engine/lib/actions.php33
1 files changed, 15 insertions, 18 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index ac4d70555..ad5f0c208 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -21,6 +21,15 @@
function action($action, $forwarder = "") {
global $CONFIG;
+ // All actions require a token.
+ if (!action_gatekeeper()) {
+ $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins.";
+
+ error_log($message);
+ register_error($message);
+ forward();
+ }
+
// if there are any query parameters, make them available from get_input
if (strpos($_SERVER['REQUEST_URI'], '?') !== FALSE) {
$query = substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], '?') + 1);
@@ -34,7 +43,7 @@ function action($action, $forwarder = "") {
}
}
}
-
+
$forwarder = str_replace($CONFIG->url, "", $forwarder);
$forwarder = str_replace("http://", "", $forwarder);
$forwarder = str_replace("@", "", $forwarder);
@@ -56,18 +65,6 @@ function action($action, $forwarder = "") {
// since i assume this will be handled in the hook itself.
// TODO make this better!
if ($event_result) {
- /** Refs #749: We now warn if action token is missing. Later this will be replaced with action_gatekeeper() as detailed in #750 */
- if (!validate_action_token(false)) {
- // Display a temporary warning message -
- // in future versions this will be a hard fail via an action gatekeeper.
- $message = "WARNING: Action $action was called without an action token. It is stongly recommended that you consider doing this. Plugin authors should use 'input/form' or pass is_action=true to 'output/confirmlink' or 'output/url'.";
-
- //if ((!isset($CONFIG->disable_action_token_warning)) || (!$CONFIG->disable_action_token_warning))
- // register_error($message);
-
- error_log($message);
- }
-
if (!include($CONFIG->actions[$action]['file'])) {
register_error(sprintf(elgg_echo('actionundefined'),$action));
}
@@ -138,7 +135,7 @@ function validate_action_token($visibleerrors = true) {
$generated_token = generate_action_token($ts);
// Validate token
- if (strcmp($token, $generated_token)==0) {
+ if ($token == $generated_token) {
$hour = 60*60;
$now = time();
@@ -169,7 +166,7 @@ function validate_action_token($visibleerrors = true) {
register_error(elgg_echo('actiongatekeeper:missingfields'));
}
- return false;
+ return FALSE;
}
/**
@@ -181,7 +178,7 @@ function validate_action_token($visibleerrors = true) {
*/
function action_gatekeeper() {
if (validate_action_token()) {
- return true;
+ return TRUE;
}
forward();
@@ -210,7 +207,7 @@ function generate_action_token($timestamp) {
return md5($site_secret.$timestamp.$session_id.$ua.$st);
}
- return false;
+ return FALSE;
}
/**
@@ -223,7 +220,7 @@ function init_site_secret() {
return $secret;
}
- return false;
+ return FALSE;
}
/**