author | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-08-08 12:34:35 +0000 |
---|---|---|
committer | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-08-08 12:34:35 +0000 |
commit | b717746b48b00e7e0a128a60ed2bf496f3806f18 (patch) | |
tree | dca054a55136d32247271abc52fa2209a23960f1 /engine | |
parent | 10f233a2e2a11416413585ceadafa0d7b07988bc (diff) | |
Closes #220: Removed action from hash. Timestamp should make this unpredictable enough.
git-svn-id: https://code.elgg.org/elgg/trunk@1791 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/actions.php | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 26d56104b..bc8b09589 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -119,14 +119,13 @@ function action_gatekeeper()
 {
 $token = get_input('__elgg_token');
-$action = get_input('__elgg_action');
 $ts = get_input('__elgg_ts');
 $session_id = session_id();
-if (($token) && ($action) && ($ts) && ($session_id))
+if (($token) && ($ts) && ($session_id))
 {
 // generate token, check with input and forward if invalid
-$generated_token = generate_action_token($action, $ts);
+$generated_token = generate_action_token($ts);
 // Validate token
 if (strcmp($token, $generated_token)==0)
@@ -140,7 +139,6 @@
 $returnval = true; // We have already got this far, so unless anything else says something to the contry we assume we're ok
 return trigger_plugin_hook('action_gatekeeper:permissions:check', 'all', array(
-'action' => $action,
 'token' => $token,
 'time' => $ts
 ), $returnval);
@@ -161,10 +159,9 @@
 /**
 * Generate a token for the current user suitable for being placed in a hidden field in action forms.
 *
-* @param string $action The action being called
 * @param int $timestamp Unix timestamp
 */
-function generate_action_token($action, $timestamp)
+function generate_action_token($timestamp)
 {
 // Get input values
 $site_secret = get_site_secret();
@@ -173,7 +170,7 @@
 $session_id = session_id();
 if (($site_secret) && ($session_id))
-return md5($site_secret.$action.$timestamp.$session_id);
+return md5($site_secret.$timestamp.$session_id);
 return false;
 }
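Review bot: With `$action` no longer part of the token input at the new `generate_action_token($ts)` call, a token issued for one form is accepted by action_gatekeeper() for any action in the same session for as long as the timestamp is honoured; the action was a scope binding, not an entropy source, so the commit message's predictability argument does not cover this loss, and the same widening applies to the second hunk, where dropping `'action' => $action` from the `action_gatekeeper:permissions:check` hook parameters leaves plugins unable to scope their permission check per action. Separately, `if (strcmp($token, $generated_token)==0)` is an early-exit string compare; where the runtime provides it, `if (hash_equals($generated_token, (string) $token))` is the preferable form. The rest of action_gatekeeper(), including whatever freshness check is applied to `$ts`, lies outside the hunk, so I cannot tell how long a token remains valid.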
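Review bot: `return md5($site_secret.$timestamp.$session_id);` keys a bare hash by prefixing the secret and joins the inputs with no delimiter, so distinct (timestamp, session_id) pairs can collapse to the same pre-image; the conventional construction is a keyed MAC over delimited fields, e.g. `return hash_hmac('sha256', $timestamp . ':' . $session_id, $site_secret);`, which is self-contained here because generation and validation both go through this function (outstanding tokens become invalid on deploy). The docblock in the preceding hunk should also state what the token is now bound to, e.g. `* The token is bound to the current session and the supplied timestamp only; it is not specific to an action.`, so callers do not assume per-action scope.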