From 428cf8e4d0012a01247fc8365d25a3a83cf45ccc Mon Sep 17 00:00:00 2001
From: brettp
Date: Sun, 20 Feb 2011 19:13:32 +0000
Subject: Refs #2833, #2956. Merged 1.7's action timeout changes to 1.8.

git-svn-id: http://code.elgg.org/elgg/trunk@8366 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/actions.php | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

(limited to 'engine/lib/actions.php')

diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 26611e2d8..1a26018ab 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -201,6 +201,8 @@ function elgg_register_action($action, $filename = "", $access = 'logged_in') {
  * @link http://docs.elgg.org/Actions/Tokens
  */
 function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) {
+	global $CONFIG;
+
 	if (!$token) {
 		$token = get_input('__elgg_token');
 	}
@@ -209,6 +211,13 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
 		$ts = get_input('__elgg_ts');
 	}
 
+	if (!isset($CONFIG->action_token_timeout)) {
+		// default to 2 hours
+		$timeout = 2;
+	} else {
+		$timeout = $CONFIG->action_token_timeout;
+	}
+
 	$session_id = session_id();
 
 	if (($token) && ($ts) && ($session_id)) {
@@ -218,10 +227,11 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
 		// Validate token
 		if ($token == $generated_token) {
 			$hour = 60 * 60;
+			$timeout = $timeout * $hour;
 			$now = time();
 
 			// Validate time to ensure its not crazy
-			if (($ts > $now - $hour) && ($ts < $now + $hour)) {
+			if ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)) {
 				// We have already got this far, so unless anything
 				// else says something to the contry we assume we're ok
 				$returnval = true;
@@ -266,8 +276,7 @@ function action_gatekeeper() {
 		return TRUE;
 	}
 
-	forward('', 'csrf');
-	exit;
+	forward(REFERER, 'csrf');
 }
 
 /**
-- cgit v1.2.3
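Review bot: The `else` branch of the new `action_token_timeout` block copies the config value into `$timeout` without checking that it is a number, and that value later decides whether the timestamp window is enforced at all (a non-numeric string multiplies to 0 in PHP, and 0 is the "disabled" sentinel used further down). A mistyped or empty setting would therefore silently turn off replay protection instead of falling back to the default. I would only accept numeric, non-negative values and otherwise use the default: `$timeout = (isset($CONFIG->action_token_timeout) && is_numeric($CONFIG->action_token_timeout) && $CONFIG->action_token_timeout >= 0) ? $CONFIG->action_token_timeout : 2;`. The comment `// default to 2 hours` would be clearer as `// hours; 0 disables the timestamp window (see below)`. validate_action_token() continues past the end of this hunk.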
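Review bot: The new condition `$timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)` makes 0 a "no expiry" switch, so with that setting a captured `__elgg_token`/`__elgg_ts` pair can be replayed for the whole life of the session; that is presumably the intended opt-out, but nothing in the hunk says so, and the comment above it still reads `// Validate time to ensure its not crazy`. I would state it explicitly, e.g. `// action_token_timeout = 0 disables the timestamp window: tokens then stay valid for the session's lifetime`, and parenthesise the `&&` term so the precedence is visible rather than relied upon: `if ($timeout == 0 || (($ts > $now - $timeout) && ($ts < $now + $timeout))) {`. Note also that `$ts` comes from `get_input('__elgg_ts')`, so the comparisons run on user-supplied input coerced to a number; an `(int)` cast before the window check would make that explicit. The enclosing validate_action_token() body ends outside this hunk.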
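Review bot: Removing `exit;` after the redirect means action_gatekeeper() now relies on `forward()` never returning; if forward() can return (for instance when output has already started and the Location header cannot be sent), control falls out of the function with an implicit NULL and the caller proceeds past a failed CSRF check. If forward() is guaranteed to terminate, say so on the line, `forward(REFERER, 'csrf'); // forward() exits`; otherwise keep a terminating statement after it, e.g. `return FALSE;` or the original `exit;`. Separately, `REFERER` is taken from the request, so on a genuinely cross-site post the user is sent back to whatever origin issued it; that is probably harmless here but is worth a one-line comment so a later reader does not mistake it for a validated internal URL. action_gatekeeper() starts before this hunk.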