diff options
-rw-r--r-- | engine/lib/actions.php | 11 | ||||
-rw-r--r-- | views/default/input/form.php | 3 |
2 files changed, 5 insertions, 9 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php index 26d56104b..bc8b09589 100644 --- a/engine/lib/actions.php +++ b/engine/lib/actions.php @@ -119,14 +119,13 @@ function action_gatekeeper() { $token = get_input('__elgg_token'); - $action = get_input('__elgg_action'); $ts = get_input('__elgg_ts'); $session_id = session_id(); - if (($token) && ($action) && ($ts) && ($session_id)) + if (($token) && ($ts) && ($session_id)) { // generate token, check with input and forward if invalid - $generated_token = generate_action_token($action, $ts); + $generated_token = generate_action_token($ts); // Validate token if (strcmp($token, $generated_token)==0) @@ -140,7 +139,6 @@ $returnval = true; // We have already got this far, so unless anything else says something to the contry we assume we're ok return trigger_plugin_hook('action_gatekeeper:permissions:check', 'all', array( - 'action' => $action, 'token' => $token, 'time' => $ts ), $returnval); @@ -161,10 +159,9 @@ /** * Generate a token for the current user suitable for being placed in a hidden field in action forms. * - * @param string $action The action being called * @param int $timestamp Unix timestamp */ - function generate_action_token($action, $timestamp) + function generate_action_token($timestamp) { // Get input values $site_secret = get_site_secret(); @@ -173,7 +170,7 @@ $session_id = session_id(); if (($site_secret) && ($session_id)) - return md5($site_secret.$action.$timestamp.$session_id); + return md5($site_secret.$timestamp.$session_id); return false; } diff --git a/views/default/input/form.php b/views/default/input/form.php index 2bbc0e473..e3cc46c27 100644 --- a/views/default/input/form.php +++ b/views/default/input/form.php @@ -25,9 +25,8 @@ // Generate a security header $ts = time(); - $token = generate_action_token($action, $ts); + $token = generate_action_token($ts); $security_header = elgg_view('input/hidden', array('internalname' => '__elgg_token', 'value' => $token)); - $security_header .= elgg_view('input/hidden', array('internalname' => '__elgg_action', 'value' => $action)); $security_header .= elgg_view('input/hidden', array('internalname' => '__elgg_ts', 'value' => $ts)); ?> <form action="<?php echo $action; ?>" method="<?php echo $method; ?>" <?php if ($enctype!="") echo "enctype=\"$enctype\""; ?>> |