diff options
author | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-05-12 10:04:23 +0000 |
---|---|---|
committer | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-05-12 10:04:23 +0000 |
commit | 58254f21da64258d2025b15615d7848ef9257e8c (patch) | |
tree | 42e1662bc6a86f9a850d9506ead561947ea1d0d3 /engine | |
parent | b87ecf4dd98157b6c963e4249de6797deb6d560d (diff) | |
download | elgg-58254f21da64258d2025b15615d7848ef9257e8c.tar.gz elgg-58254f21da64258d2025b15615d7848ef9257e8c.tar.bz2 |
Closes #749: Warning message on missing token.
git-svn-id: https://code.elgg.org/elgg/trunk@3281 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/actions.php | 52 |
1 files changed, 40 insertions, 12 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php index 8935a324a..88dfde97c 100644 --- a/engine/lib/actions.php +++ b/engine/lib/actions.php @@ -23,7 +23,8 @@ function action($action, $forwarder = "") {
- global $CONFIG;
+ global $CONFIG; +
$query = parse_url($_SERVER['REQUEST_URI']);
if (isset($query['query'])) {
@@ -61,7 +62,19 @@ // Include action if ($event_result) // Event_result being false doesn't produce an error - since i assume this will be handled in the hook itself. TODO make this better! - {
+ { + /** Refs #749: We now warn if action token is missing. Later this will be replaced with action_gatekeeper() as detailed in #750 */ + if (!validate_action_token()) + { + // Display a temporary warning message - in future versions this will be a hard fail via an action gatekeeper. + $message = "WARNING: Action $action was called without an action token. It is stongly recommended that you consider doing this. Plugin authors should use 'input/form' or pass is_action=true to 'output/confirmlink' or 'output/url'."; + + //if ((!isset($CONFIG->disable_action_token_warning)) || (!$CONFIG->disable_action_token_warning)) + // register_error($message); + + error_log($message); + } +
if (@include($CONFIG->actions[$action]['file'])) {
} else {
register_error(sprintf(elgg_echo('actionundefined'),$action));
@@ -73,7 +86,9 @@ }
} else {
register_error(sprintf(elgg_echo('actionundefined'),$action));
- }
+ } + +
forward($CONFIG->url . $forwarder);
}
@@ -117,15 +132,13 @@ register_action("error");
return true;
} - - /** - * Action gatekeeper. - * This function verifies form input for security features (like a generated token), and forwards - * the page if they are invalid. - * - * Place at the head of actions. - */ - function action_gatekeeper() + + /** + * Validate an action token, returning true if valid and false if not + * + * @return unknown + */ + function validate_action_token() { $token = get_input('__elgg_token'); $ts = get_input('__elgg_ts'); @@ -166,6 +179,21 @@ else register_error(elgg_echo('actiongatekeeper:missingfields')); + return false; + } + + /** + * Action gatekeeper. + * This function verifies form input for security features (like a generated token), and forwards + * the page if they are invalid. + * + * Place at the head of actions. + */ + function action_gatekeeper() + { + if (validate_action_token()) + return true; + forward(); exit; } |