Diffstat (limited to 'engine')
-rw-r--r--engine/lib/actions.php52
1 files changed, 40 insertions, 12 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 8935a324a..88dfde97c 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -23,7 +23,8 @@
function action($action, $forwarder = "") {
- global $CONFIG;
+ global $CONFIG;
+
$query = parse_url($_SERVER['REQUEST_URI']);
if (isset($query['query'])) {
@@ -61,7 +62,19 @@
// Include action
if ($event_result) // Event_result being false doesn't produce an error - since i assume this will be handled in the hook itself. TODO make this better!
- {
+ {
+ /** Refs #749: We now warn if action token is missing. Later this will be replaced with action_gatekeeper() as detailed in #750 */
+ if (!validate_action_token())
+ {
+ // Display a temporary warning message - in future versions this will be a hard fail via an action gatekeeper.
+ $message = "WARNING: Action $action was called without an action token. It is stongly recommended that you consider doing this. Plugin authors should use 'input/form' or pass is_action=true to 'output/confirmlink' or 'output/url'.";
+
+ //if ((!isset($CONFIG->disable_action_token_warning)) || (!$CONFIG->disable_action_token_warning))
+ // register_error($message);
+
+ error_log($message);
+ }
+
if (@include($CONFIG->actions[$action]['file'])) {
} else {
register_error(sprintf(elgg_echo('actionundefined'),$action));
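Review bot: The new check at L27-L36 only writes to error_log when the token is missing and then still includes the action file, so until action_gatekeeper() is wired in, any action that does not call it itself remains callable without a token; that is the commit's stated intent, but the window deserves an explicit marker such as `// TODO(#750): replace with action_gatekeeper() so missing tokens fail closed`. From L75-L76, validate_action_token() also calls register_error() on its failure path, so on this warn-only path the end user already sees a 'missingfields' error on every token-less request while the action still runs; either suppress that side effect here or say in the comment that it is expected. The logged message has a typo and an inverted recommendation: `stongly recommended that you consider doing this` should read `strongly recommended that you pass an action token`. The commented-out register_error() block at L32-L33 should either become a real `$CONFIG->disable_action_token_warning` switch or be dropped. action() continues outside this hunk.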
@@ -73,7 +86,9 @@
}
} else {
register_error(sprintf(elgg_echo('actionundefined'),$action));
- }
+ }
+
+
forward($CONFIG->url . $forwarder);
}
@@ -117,15 +132,13 @@
register_action("error");
return true;
}
-
- /**
- * Action gatekeeper.
- * This function verifies form input for security features (like a generated token), and forwards
- * the page if they are invalid.
- *
- * Place at the head of actions.
- */
- function action_gatekeeper()
+
+ /**
+ * Validate an action token, returning true if valid and false if not
+ *
+ * @return unknown
+ */
+ function validate_action_token()
{
$token = get_input('__elgg_token');
$ts = get_input('__elgg_ts');
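Review bot: The docblock on the renamed validate_action_token() carries a placeholder `@return unknown`; given the new `return false;` path and the boolean use in action_gatekeeper(), it should read `@return bool true when __elgg_token and __elgg_ts validate, false otherwise`, assuming the success branch outside this hunk returns true. It would also help callers to state that the function registers a user-visible error as a side effect on failure, since action() now calls it on a warn-only path where that is not obviously wanted. The function body continues past the end of this hunk.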
@@ -166,6 +179,21 @@
else
register_error(elgg_echo('actiongatekeeper:missingfields'));
+ return false;
+ }
+
+ /**
+ * Action gatekeeper.
+ * This function verifies form input for security features (like a generated token), and forwards
+ * the page if they are invalid.
+ *
+ * Place at the head of actions.
+ */
+ function action_gatekeeper()
+ {
+ if (validate_action_token())
+ return true;
+
forward();
exit;
}
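Review bot: The added `return false;` at L77 sits after a brace-less `else`, so it is reached from both the failing-token branch above and the missing-fields branch; that is the intended fail-closed behaviour, but it is easy to misread as part of the else, so wrapping the else body in braces (`else { register_error(elgg_echo('actiongatekeeper:missingfields')); } return false;`) makes the fall-through explicit. In the new action_gatekeeper(), the `exit;` after `forward()` is presumably a guard in case forward() returns; a one-line comment such as `// forward() should not return; exit anyway so the action never runs` would keep it from being removed as dead code. validate_action_token() starts outside this hunk.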