From e2100a57c6bbaaadfed1bfc64ea69ab67ead027a Mon Sep 17 00:00:00 2001
From: marcus
Date: Wed, 6 Aug 2008 11:28:01 +0000
Subject: Refs #210 and #211
git-svn-id: https://code.elgg.org/elgg/trunk@1731 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/actions.php | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
(limited to 'engine')
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 682e13b55..0779e5d6a 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -107,6 +107,89 @@ function actions_init($event, $object_type, $object) {
 register_action("error");
 return true;
+ }
+
+ /**
+ * Action gatekeeper.
+ * This function verifies form input for security features (like a generated token), and forwards
+ * the page if they are invalid.
+ *
+ * Place at the head of actions.
+ */
+ function action_gatekeeper()
+ {
+ $token = get_input('__elgg_token');
+ $action = get_input('__elgg_action');
+ $ts = get_input('__elgg_ts');
+ $session_id = session_id();
+
+ if (($token) && ($action) && ($ts) && ($session_id))
+ {
+ // generate token, check with input and forward if invalid
+ $generated_token = generate_action_token($action, $ts);
+
+ // Validate token
+ if (strcmp($token, $generated_token)==0)
+ {
+
+ // TODO: Validate time to ensure its not crazy
+
+
+ return true;
+ }
+ else
+ register_error(elgg_echo('actiongatekeeper:tokeninvalid'));
+ }
+ else
+ register_error(elgg_echo('actiongatekeeper:missingfields'));
+
+ forward();
+ exit;
+ }
+
+ /**
+ * Generate a token for the current user suitable for being placed in a hidden field in action forms.
+ *
+ * @param string $action The action being called
+ * @param int $timestamp Unix timestamp
+ */
+ function generate_action_token($action, $timestamp)
+ {
+ // Get input values
+ $site_secret = get_site_secret();
+
+ // Current session id
+ $session_id = session_id();
+
+ if (($site_secret) && ($session_id))
+ return md5($site_secret.$action.$timestamp.$session_id);
+
+ return false;
+ }
+
+ /**
+ * Initialise the site secret.
+ *
+ */
+ function init_site_secret()
+ {
+ $secret = md5(rand().microtime());
+ if (datalist_set('__site_secret__', $secret))
+ return $secret;
+
+ return false;
+ }
+
+ /**
+ * Retrieve the site secret.
+ *
+ */
+ function get_site_secret()
+ {
+ $secret = datalist_get('__site_secret__');
+ if (!$secret) $secret = init_site_secret();
+
+ return $secret;
 }
 // Register some actions ***************************************************
-- cgit v1.2.3
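Review bot: action_gatekeeper() checks the token only against the client-supplied `__elgg_action` and `__elgg_ts`, never against the action actually being dispatched, so unless the dispatcher elsewhere compares `__elgg_action` with the requested action, any token issued to the session validates for every action as long as the attacker's form echoes the action name and timestamp it was minted for — the gatekeeper should take the dispatched action name as a parameter (or compare the two) instead of trusting the input value. The unseparated concatenation in generate_action_token() also leaves field boundaries ambiguous (`'foo1'` with `'234'` hashes identically to `'foo'` with `'1234'`, both attacker-chosen), and a keyed MAC is the right primitive here: `return hash_hmac('md5', $action.'|'.$timestamp.'|'.$session_id, $site_secret);`. The secret every token depends on is seeded in init_site_secret() with `md5(rand().microtime())`, which an attacker can narrow down from install time and a weakly seeded PRNG; draw it from a CSPRNG instead (`random_bytes`/`openssl_random_pseudo_bytes` where available, else `/dev/urandom`) and store it hex-encoded. Finally, `strcmp($token, $generated_token)==0` is not constant-time (`hash_equals` on newer PHP), and until the "Validate time" TODO is done a captured token never expires.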