-rw-r--r--engine/lib/actions.php15
1 files changed, 12 insertions, 3 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 26611e2d8..1a26018ab 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -201,6 +201,8 @@ function elgg_register_action($action, $filename = "", $access = 'logged_in') {
* @link http://docs.elgg.org/Actions/Tokens
*/
function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) {
+ global $CONFIG;
+
if (!$token) {
$token = get_input('__elgg_token');
}
@@ -209,6 +211,13 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
$ts = get_input('__elgg_ts');
}
+ if (!isset($CONFIG->action_token_timeout)) {
+ // default to 2 hours
+ $timeout = 2;
+ } else {
+ $timeout = $CONFIG->action_token_timeout;
+ }
+
$session_id = session_id();
if (($token) && ($ts) && ($session_id)) {
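Review bot: `$CONFIG->action_token_timeout` is taken as-is once `isset()` passes, with no type or range check. A value such as `false` is set, multiplies to 0 in the next hunk, and then matches that hunk's `$timeout == 0` test, so a misconfiguration silently turns token expiry off. A negative value does the opposite: the window becomes empty and every token is rejected. Falling back to the default for anything that is not a non-negative number would avoid both, e.g. `if (!isset($CONFIG->action_token_timeout) || !is_numeric($CONFIG->action_token_timeout) || $CONFIG->action_token_timeout < 0) {`. The body of validate_action_token() continues outside this hunk.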
@@ -218,10 +227,11 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
// Validate token
if ($token == $generated_token) {
$hour = 60 * 60;
+ $timeout = $timeout * $hour;
$now = time();
// Validate time to ensure its not crazy
- if (($ts > $now - $hour) && ($ts < $now + $hour)) {
+ if ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)) {
// We have already got this far, so unless anything
// else says something to the contry we assume we're ok
$returnval = true;
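Review bot: The special meaning of `$timeout == 0` on the new condition line is undocumented. It skips the timestamp window entirely, so a token stays acceptable for as long as the rest of the validation passes. A comment above the check such as `// action_token_timeout is in hours; 0 disables expiry entirely` would make that explicit, and the docblock should mention the setting too. The condition also relies on `&&` binding tighter than `||`; grouping it as `if ($timeout == 0 || (($ts > $now - $timeout) && ($ts < $now + $timeout))) {` makes the intent unambiguous. Note that the same `$timeout` now also bounds future-dated timestamps, so a longer lifetime widens the accepted forward skew; `($ts < $now + $hour)` would keep that bound at its previous value.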
@@ -266,8 +276,7 @@ function action_gatekeeper() {
return TRUE;
}
- forward('', 'csrf');
- exit;
+ forward(REFERER, 'csrf');
}
/**
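Review bot: Dropping `exit` after the redirect means a failed CSRF check in `action_gatekeeper()` now stops the request only if `forward()` itself never returns. Its body is not visible here; if it can return, execution falls off the end of the function with a NULL return instead of halting. The target also changes from the site root to `REFERER`, which presumably resolves from the client-supplied Referer header. On a token failure that header may name another site, so confirm that `forward()` restricts the destination to this site's URLs. Keeping the hard stop is a one-line change: `forward(REFERER, 'csrf'); exit;`. The function starts above this hunk.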