[geeklog-cvs] Geeklog-1.x/system lib-security.php,1.69,1.70
Michael Jervis
mjervis at qs1489.pair.com
Sat May 24 12:16:16 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/system
In directory qs1489.pair.com:/tmp/cvs-serv2515/system
Modified Files:
lib-security.php
Log Message:
TTL For CSRF
Index: lib-security.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-security.php,v
retrieving revision 1.69
retrieving revision 1.70
diff -C2 -d -r1.69 -r1.70
*** lib-security.php 2 May 2008 12:12:06 -0000 1.69
--- lib-security.php 24 May 2008 16:16:14 -0000 1.70
***************
*** 1073,1079 ****
* that the admin user really wanted to do that...
*
* @return string Generated token, it'll be an MD5 hash (32chars)
*/
! function SEC_createToken()
{
global $_USER, $_TABLES;
--- 1073,1081 ----
* that the admin user really wanted to do that...
*
+ * @param $ttl integer Time to live for token in seconds. Default is 20 minutes.
+ *
* @return string Generated token, it'll be an MD5 hash (32chars)
*/
! function SEC_createToken($ttl = 1200)
{
global $_USER, $_TABLES;
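Review bot: The new `@param` line does not say what a zero or negative `$ttl` means, and it gives the name before the type, the reverse of the usual phpDoc order. The purge query enabled later in this commit only deletes rows with `ttl > 0`, so a caller passing 0 appears to get a token that this function never expires. I would document that explicitly, e.g. `@param int $ttl Time to live in seconds (default 1200 = 20 minutes); 0 means the token is never purged`. The body of SEC_createToken continues outside this hunk.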
***************
*** 1088,1094 ****
/* Destroy exired tokens: */
/* Note: TTL not yet implemented! So commented out */
! // $sql = "DELETE FROM {$_TABLES['tokens']} WHERE (DATE_ADD(created, INTERVAL ttl SECOND) < NOW())"
! // . " AND (ttl > 0)";
! // DB_Query($sql);
/* Destroy tokens for this user/url combination */
--- 1090,1096 ----
/* Destroy exired tokens: */
/* Note: TTL not yet implemented! So commented out */
! $sql = "DELETE FROM {$_TABLES['tokens']} WHERE (DATE_ADD(created, INTERVAL ttl SECOND) < NOW())"
! . " AND (ttl > 0)";
! DB_Query($sql);
/* Destroy tokens for this user/url combination */
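Review bot: The comment `/* Note: TTL not yet implemented! So commented out */` is left above code that is now active, so it contradicts what the function does; it should be dropped, and `exired` corrected to `expired`. Separately, this purge runs only when a new token is created, so an expired row stays in the table until the next SEC_createToken() call. The token validation path is not visible in this diff; if it does not itself compare `created` plus `ttl` against the current time, an expired token would presumably still be accepted during that window.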
***************
*** 1099,1103 ****
/* NOTE: TTL mapping for PageURL not yet implemented */
$sql = "INSERT INTO {$_TABLES['tokens']} (token, created, owner_id, urlfor, ttl) "
! . "VALUES ('$token', NOW(), {$_USER['uid']}, '$pageURL', 0)";
DB_Query($sql);
--- 1101,1105 ----
/* NOTE: TTL mapping for PageURL not yet implemented */
$sql = "INSERT INTO {$_TABLES['tokens']} (token, created, owner_id, urlfor, ttl) "
! . "VALUES ('$token', NOW(), {$_USER['uid']}, '$pageURL', $ttl)";
DB_Query($sql);
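Review bot: `$ttl` is interpolated into the INSERT unquoted and unchecked, so the statement is only safe while every caller passes a clean integer. Casting it before the query is built, `$ttl = (int) $ttl;`, keeps a string value out of the SQL text at no cost to existing callers. The comment `/* NOTE: TTL mapping for PageURL not yet implemented */` may also need rewording now that a TTL is actually stored; confirm what it refers to. The surrounding function body lies outside this hunk.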