[geeklog-cvs] Geeklog-1.x/system lib-admin.php, 1.127, 1.128 lib-security.php, 1.62, 1.63
Michael Jervis
mjervis at qs1489.pair.com
Thu Feb 21 14:52:55 EST 2008
Update of /cvsroot/geeklog/Geeklog-1.x/system
In directory qs1489.pair.com:/tmp/cvs-serv78690/system
Modified Files:
lib-admin.php lib-security.php
Log Message:
Security changes.
Index: lib-security.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-security.php,v
retrieving revision 1.62
retrieving revision 1.63
diff -C2 -d -r1.62 -r1.63
*** lib-security.php 20 Feb 2008 20:07:59 -0000 1.62
--- lib-security.php 21 Feb 2008 19:52:53 -0000 1.63
***************
*** 1037,1039 ****
--- 1037,1144 ----
}
+ /**
+ * Generate a security token.
+ *
+ * This generates and stores a one time security token. Security tokens are
+ * added to forms and urls in the admin section as a non-cookie double-check
+ * that the admin user really wanted to do that...
+ *
+ * @return string Generated token, it'll be an MD5 hash (32chars)
+ */
+ function SEC_createToken()
+ {
+ global $_USER, $_TABLES;
+
+ /* Figure out the full url to the current page */
+ $pageURL = 'http';
+ if ($_SERVER["HTTPS"] == "on") {
+ $pageURL .= "s";
+ }
+ $pageURL .= "://";
+ if ($_SERVER["SERVER_PORT"] != "80") {
+ $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
+ } else {
+ $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
+ }
+
+ /* Generate the token */
+ $token = md5($_USER['uid'].$pageURL.uniqid (rand (), 1));
+ $pageURL = addslashes($pageURL);
+
+ /* Destroy exired tokens: */
+ /* Note: TTL not yet implemented! So commented out */
+ // $sql = "DELETE FROM {$_TABLES['tokens']} WHERE (DATE_ADD(created, INTERVAL ttl SECOND) < NOW())"
+ // . " AND (ttl > 0)";
+ // DB_Query($sql);
+
+ /* Destroy tokens for this user/url combination */
+ $sql = "DELETE FROM {$_TABLES['tokens']} WHERE owner_id={$_USER['uid']} AND urlfor='$pageURL'";
+ DB_Query($sql);
+
+ /* Create a token for this user/url combination */
+ /* NOTE: TTL mapping for PageURL not yet implemented */
+ $sql = "INSERT INTO {$_TABLES['tokens']} (token, created, owner_id, urlfor, ttl) "
+ . "VALUES ('$token', NOW(), {$_USER['uid']}, '$pageURL', 0)";
+ DB_Query($sql);
+
+ /* And return the token to the user */
+ return $token;
+ }
+
+ /**
+ * Check a security token.
+ *
+ * Checks the POST and GET data for a security token, if one exists, validates that it's for this
+ * user and URL.
+ *
+ * @return bool true iff the token is valid and for this user.
+ */
+ function SEC_checkToken()
+ {
+ global $_USER, $_TABLES;
+
+ $token = ''; // Default to no token.
+ $return = false; // Default to fail.
+
+ if(array_key_exists('token', $_GET)) {
+ $token = COM_applyFilter($_GET['token']);
+ } else if(array_key_exists('token', $_POST)) {
+ $token = COM_applyFilter($_POST['token']);
+ }
+
+ if(trim($token) != '') {
+ $sql = "SELECT ((DATE_ADD(created, INTERVAL ttl SECOND) < NOW()) AND ttl > 0) as expired, owner_id, urlfor FROM "
+ . "{$_TABLES['tokens']} WHERE token='$token'";
+ $tokens = DB_Query($sql);
+ $numberOfTokens = DB_numRows($tokens);
+ if($numberOfTokens != 1) {
+ $return = false; // none, or multiple tokens. Both are invalid. (token is unique key...)
+ } else {
+ $tokendata = DB_fetchArray($tokens);
+ /* Check that:
+ * token's user is the current user.
+ * token is not expired.
+ * the http referer is the url for which the token was created.
+ */
+ if( $_USER['uid'] != $tokendata['owner_id'] ) {
+ $return = false;
+ } else if($tokendata['urlfor'] != $_SERVER['HTTP_REFERER']) {
+ $return = false;
+ } else if($tokendata['expired']) {
+ $return = false;
+ } else {
+ $return = true; // Everything is AOK in only one condition...
+ }
+
+ // It's a one time token. So eat it.
+ $sql = "DELETE FROM {$_TABLES['tokens']} WHERE token='$token'";
+ DB_Query($sql);
+ }
+ } else {
+ $return = false; // no token.
+ }
+
+ return $return;
+ }
+
?>
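Review bot: In SEC_checkToken the request value from `$_GET['token']`/`$_POST['token']` is interpolated into both SQL statements (the SELECT at `WHERE token='$token'` and the later DELETE) after only `COM_applyFilter`, whereas SEC_createToken escapes `$pageURL` with `addslashes` before building its queries; I cannot tell from this hunk whether COM_applyFilter escapes quotes, so the token should be constrained to the format the docblock promises before it reaches the database. Replacing `if(trim($token) != '') {` with `if (preg_match('/^[0-9a-f]{32}$/', $token) === 1) {` rejects anything that is not a 32-character hex MD5 and makes the escaping question moot. Two smaller points: the comparison at `$tokendata['urlfor'] != $_SERVER['HTTP_REFERER']` reads an index that may be absent (clients and proxies routinely omit the header), so it should use `isset()` and fail closed rather than raise a notice, and `$_SERVER["HTTPS"]` in SEC_createToken is read the same way. The token's unpredictability rests on `uniqid(rand(), 1)` fed into md5, which is not a cryptographic source; that is presumably acceptable for a one-time nonce tied to the user id and URL, but it is worth stating in the docblock so a later reader knows the assumption.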
Index: lib-admin.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-admin.php,v
retrieving revision 1.127
retrieving revision 1.128
diff -C2 -d -r1.127 -r1.128
*** lib-admin.php 20 Feb 2008 20:07:59 -0000 1.127
--- lib-admin.php 21 Feb 2008 19:52:53 -0000 1.128
***************
*** 590,594 ****
! function ADMIN_getListField_blocks($fieldname, $fieldvalue, $A, $icon_arr)
{
global $_CONF, $LANG_ADMIN, $LANG21, $_IMAGE_TYPE;
--- 590,594 ----
! function ADMIN_getListField_blocks($fieldname, $fieldvalue, $A, $icon_arr, $token)
{
global $_CONF, $LANG_ADMIN, $LANG21, $_IMAGE_TYPE;
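Review bot: The new `$token` parameter on ADMIN_getListField_blocks is undocumented and has no default, so any caller not updated elsewhere in this commit would, as far as I can see, emit a missing-argument warning and render the move links with an empty `token=`; the function's docblock is outside the hunk and should gain `@param string $token One-time security token from SEC_createToken(), appended to the move links`. Keeping the parameter required rather than defaulting it to `''` is the right choice, since a silently empty token would reduce SEC_checkToken to a no-op for these links. The body of ADMIN_getListField_blocks continues past the hunk.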
***************
*** 639,645 ****
$retval.="<img src=\"{$_CONF['layout_url']}/images/admin/$blockcontrol_image\" width=\"45\" height=\"20\" usemap=\"#arrow{$A['bid']}\" alt=\"\"" . XHTML . ">"
."<map id=\"arrow{$A['bid']}\" name=\"arrow{$A['bid']}\">"
! ."<area coords=\"0,0,12,20\" title=\"{$LANG21[58]}\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=up\" alt=\"{$LANG21[58]}\"" . XHTML . ">"
! ."<area coords=\"13,0,29,20\" title=\"$moveTitleMsg\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=$switchside\" alt=\"$moveTitleMsg\"" . XHTML . ">"
! ."<area coords=\"30,0,43,20\" title=\"{$LANG21[57]}\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=dn\" alt=\"{$LANG21[57]}\"" . XHTML . ">"
."</map>";
}
--- 639,645 ----
$retval.="<img src=\"{$_CONF['layout_url']}/images/admin/$blockcontrol_image\" width=\"45\" height=\"20\" usemap=\"#arrow{$A['bid']}\" alt=\"\"" . XHTML . ">"
."<map id=\"arrow{$A['bid']}\" name=\"arrow{$A['bid']}\">"
! ."<area coords=\"0,0,12,20\" title=\"{$LANG21[58]}\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=up&token={$token}\" alt=\"{$LANG21[58]}\"" . XHTML . ">"
! ."<area coords=\"13,0,29,20\" title=\"$moveTitleMsg\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=$switchside&token={$token}\" alt=\"$moveTitleMsg\"" . XHTML . ">"
! ."<area coords=\"30,0,43,20\" title=\"{$LANG21[57]}\" href=\"{$_CONF['site_admin_url']}/block.php?mode=move&bid={$A['bid']}&where=dn&token={$token}\" alt=\"{$LANG21[57]}\"" . XHTML . ">"
."</map>";
}
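Review bot: The three `href` values append `&token={$token}` directly into an XHTML attribute without `urlencode()` or `htmlspecialchars()`, and with a bare `&` that should be `&amp;` inside attribute text; the existing `&bid=`/`&where=` parameters have the same unescaped `&`, so that part is not new to this commit. Because SEC_createToken documents the token as a 32-character MD5 hex string the raw interpolation is harmless today, but writing `&amp;token=" . urlencode($token) . "` on all three area lines keeps that true if the token format ever changes and keeps the markup well-formed. The function body begins before the hunk.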