[geeklog-cvs] geeklog: Merged with "better token handling" feature branch

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Tue Dec 29 08:00:39 EST 2009


changeset 7555:d68c71bfd62f
url:  http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/d68c71bfd62f
user: Dirk Haun <dirk at haun-online.de>
date: Tue Dec 29 11:38:51 2009 +0100
description:
Merged with "better token handling" feature branch

diffstat:

 language/english.php             |    9 +-
 language/english_utf-8.php       |   11 +-
 language/german.php              |    9 +-
 language/german_formal.php       |    9 +-
 language/german_formal_utf-8.php |    9 +-
 language/german_utf-8.php        |    9 +-
 public_html/admin/story.php      |    2 +
 public_html/admin/topic.php      |    4 +-
 public_html/users.php            |  180 ++++++++++++++++++++++++++++-
 system/classes/upload.class.php  |   11 +-
 system/lib-security.php          |  231 +++++++++++++++++++++++++++++++++++++-
 11 files changed, 449 insertions(+), 35 deletions(-)

diffs (truncated from 710 to 300 lines):

diff -r 45315295756f -r d68c71bfd62f language/english.php
--- a/language/english.php	Mon Dec 28 11:37:47 2009 +0100
+++ b/language/english.php	Tue Dec 29 11:38:51 2009 +0100
@@ -383,7 +383,9 @@
     159 => 'This email was generated automatically. Please do not reply to this email.',
     160 => '(max. %d x %d pixels, %d bytes; %s)',
     161 => 'will be scaled down',
-    162 => 'will not be scaled'
+    162 => 'will not be scaled',
+    163 => 'Re-Authentication Failed',
+    164 => 'You have exceeded the number of allowed attempts for re-authentication. The operation has been aborted and your recent changes were lost, sorry.'
 );
 
 ###############################################################################
@@ -1601,7 +1603,10 @@
     'meta_description' => 'Meta Description',
     'meta_keywords' => 'Meta Keywords',        
     'na'            => 'N/A',
-    'token_expiry'  => 'You have until %s to make changes. After that time, the security token embedded into this page will expire and you will lose your changes.'
+    'token_expiry'  => 'You have until %s to make changes. After that time, the security token embedded into this page will expire and you will lose your changes.',
+    'token_expired' => 'The security token for this operation has expired. Please authenticate again to continue.',
+    'reauth_msg'    => 'The security token for this operation has expired. If you want to continue with this operation, then please authenticate again below. This will ensure that the changes you just made will not be lost.',
+    'authenticate'  => 'Authenticate'
 );
 
 # Localisation of the texts for the various drop-down menus that are actually
diff -r 45315295756f -r d68c71bfd62f language/english_utf-8.php
--- a/language/english_utf-8.php	Mon Dec 28 11:37:47 2009 +0100
+++ b/language/english_utf-8.php	Tue Dec 29 11:38:51 2009 +0100
@@ -383,7 +383,9 @@
     159 => 'This email was generated automatically. Please do not reply to this email.',
     160 => '(max. %d x %d pixels, %d bytes; %s)',
     161 => 'will be scaled down',
-    162 => 'will not be scaled'
+    162 => 'will not be scaled',
+    163 => 'Re-Authentication Failed',
+    164 => 'You have exceeded the number of allowed attempts for re-authentication. The operation has been aborted and your recent changes were lost, sorry.'
 );
 
 ###############################################################################
@@ -428,7 +430,7 @@
     9 => 'User URL',
     10 => 'Send mail to',
     11 => 'Your Name:',
-    12 => 'Your Email Address:',
+    12 => 'Your Email Address',
     13 => 'Subject:',
     14 => 'Message:',
     15 => 'HTML will not be translated.',
@@ -1601,7 +1603,10 @@
     'meta_description' => 'Meta Description',
     'meta_keywords' => 'Meta Keywords',        
     'na'            => 'N/A',
-    'token_expiry'  => 'You have until %s to make changes. After that time, the security token embedded into this page will expire and you will lose your changes.'
+    'token_expiry'  => 'You have until %s to make changes. After that time, the security token embedded into this page will expire and you will lose your changes.',
+    'token_expired' => 'The security token for this operation has expired. Please authenticate again to continue.',
+    'reauth_msg'    => 'The security token for this operation has expired. If you want to continue with this operation, then please authenticate again below. This will ensure that the changes you just made will not be lost.',
+    'authenticate'  => 'Authenticate'
 );
 
 # Localisation of the texts for the various drop-down menus that are actually
diff -r 45315295756f -r d68c71bfd62f language/german.php
--- a/language/german.php	Mon Dec 28 11:37:47 2009 +0100
+++ b/language/german.php	Tue Dec 29 11:38:51 2009 +0100
@@ -386,7 +386,9 @@
     159 => 'Diese E-Mail wurde automatisch generiert. Bitte nicht auf diese E-Mail antworten.',
     160 => '(max. %d x %d Pixel, %d Bytes; %s)',
     161 => 'wird ggfs. skaliert',
-    162 => 'wird nicht skaliert'
+    162 => 'wird nicht skaliert',
+    163 => 'Re-Authentication Failed',
+    164 => 'You have exceeded the number of allowed attempts for re-authentication. The operation has been aborted and your recent changes were lost, sorry.'
 );
 
 ###############################################################################
@@ -1602,7 +1604,10 @@
     'meta_description' => 'Metatag Description',
     'meta_keywords' => 'Metatag Keywords',
     'na' => 'n/v',
-    'token_expiry' => 'Achtung, zeitgesteuerte Sicherheitsfunktion (Security-Token). Nach %s lässt sich diese Seite nicht mehr speichern. Änderungen gehen verloren.'
+    'token_expiry' => 'Achtung, zeitgesteuerte Sicherheitsfunktion (Security-Token). Nach %s lässt sich diese Seite nicht mehr speichern. Änderungen gehen verloren.',
+    'token_expired' => 'The security token for this operation has expired. Please authenticate again to continue.',
+    'reauth_msg'    => 'The security token for this operation has expired. If you want to continue with this operation, then please authenticate again below. This will ensure that the changes you just made will not be lost.',
+    'authenticate'  => 'Authenticate'
 );
 
 # Localisation of the texts for the various drop-down menus that are actually
diff -r 45315295756f -r d68c71bfd62f language/german_formal.php
--- a/language/german_formal.php	Mon Dec 28 11:37:47 2009 +0100
+++ b/language/german_formal.php	Tue Dec 29 11:38:51 2009 +0100
@@ -387,7 +387,9 @@
     159 => 'Diese E-Mail wurde automatisch generiert. Bitte nicht auf diese E-Mail antworten.',
     160 => '(max. %d x %d Pixel, %d Bytes; %s)',
     161 => 'wird ggfs. skaliert',
-    162 => 'wird nicht skaliert'
+    162 => 'wird nicht skaliert',
+    163 => 'Re-Authentication Failed',
+    164 => 'You have exceeded the number of allowed attempts for re-authentication. The operation has been aborted and your recent changes were lost, sorry.'
 );
 
 ###############################################################################
@@ -1603,7 +1605,10 @@
     'meta_description' => 'Metatag Description',
     'meta_keywords' => 'Metatag Keywords',
     'na' => 'n/v',
-    'token_expiry' => 'Achtung, zeitgesteuerte Sicherheitsfunktion (Security-Token). Nach %s lässt sich diese Seite nicht mehr speichern. Änderungen gehen verloren.'
+    'token_expiry' => 'Achtung, zeitgesteuerte Sicherheitsfunktion (Security-Token). Nach %s lässt sich diese Seite nicht mehr speichern. Änderungen gehen verloren.',
+    'token_expired' => 'The security token for this operation has expired. Please authenticate again to continue.',
+    'reauth_msg'    => 'The security token for this operation has expired. If you want to continue with this operation, then please authenticate again below. This will ensure that the changes you just made will not be lost.',
+    'authenticate'  => 'Authenticate'
 );
 
 # Localisation of the texts for the various drop-down menus that are actually
diff -r 45315295756f -r d68c71bfd62f language/german_formal_utf-8.php
--- a/language/german_formal_utf-8.php	Mon Dec 28 11:37:47 2009 +0100
+++ b/language/german_formal_utf-8.php	Tue Dec 29 11:38:51 2009 +0100
@@ -387,7 +387,9 @@
     159 => 'Diese E-Mail wurde automatisch generiert. Bitte nicht auf diese E-Mail antworten.',
     160 => '(max. %d x %d Pixel, %d Bytes; %s)',
     161 => 'wird ggfs. skaliert',
-    162 => 'wird nicht skaliert'
+    162 => 'wird nicht skaliert',
+    163 => 'Re-Authentication Failed',
+    164 => 'You have exceeded the number of allowed attempts for re-authentication. The operation has been aborted and your recent changes were lost, sorry.'
 );
 
 ###############################################################################
@@ -1603,7 +1605,10 @@
     'meta_description' => 'Metatag Description',
     'meta_keywords' => 'Metatag Keywords',
     'na' => 'n/v',
-    'token_expiry' => 'Achtung, zeitgesteuerte Sicherheitsfunktion (Security-Token). Nach %s lässt sich diese Seite nicht mehr speichern. Änderungen gehen verloren.'
+    'token_expiry' => 'Achtung, zeitgesteuerte Sicherheitsfunktion (Security-Token). Nach %s lässt sich diese Seite nicht mehr speichern. Änderungen gehen verloren.',
+    'token_expired' => 'The security token for this operation has expired. Please authenticate again to continue.',
+    'reauth_msg'    => 'The security token for this operation has expired. If you want to continue with this operation, then please authenticate again below. This will ensure that the changes you just made will not be lost.',
+    'authenticate'  => 'Authenticate'
 );
 
 # Localisation of the texts for the various drop-down menus that are actually
diff -r 45315295756f -r d68c71bfd62f language/german_utf-8.php
--- a/language/german_utf-8.php	Mon Dec 28 11:37:47 2009 +0100
+++ b/language/german_utf-8.php	Tue Dec 29 11:38:51 2009 +0100
@@ -386,7 +386,9 @@
     159 => 'Diese E-Mail wurde automatisch generiert. Bitte nicht auf diese E-Mail antworten.',
     160 => '(max. %d x %d Pixel, %d Bytes; %s)',
     161 => 'wird ggfs. skaliert',
-    162 => 'wird nicht skaliert'
+    162 => 'wird nicht skaliert',
+    163 => 'Re-Authentication Failed',
+    164 => 'You have exceeded the number of allowed attempts for re-authentication. The operation has been aborted and your recent changes were lost, sorry.'
 );
 
 ###############################################################################
@@ -1602,7 +1604,10 @@
     'meta_description' => 'Metatag Description',
     'meta_keywords' => 'Metatag Keywords',
     'na' => 'n/v',
-    'token_expiry' => 'Achtung, zeitgesteuerte Sicherheitsfunktion (Security-Token). Nach %s lässt sich diese Seite nicht mehr speichern. Änderungen gehen verloren.'
+    'token_expiry' => 'Achtung, zeitgesteuerte Sicherheitsfunktion (Security-Token). Nach %s lässt sich diese Seite nicht mehr speichern. Änderungen gehen verloren.',
+    'token_expired' => 'The security token for this operation has expired. Please authenticate again to continue.',
+    'reauth_msg'    => 'The security token for this operation has expired. If you want to continue with this operation, then please authenticate again below. This will ensure that the changes you just made will not be lost.',
+    'authenticate'  => 'Authenticate'
 );
 
 # Localisation of the texts for the various drop-down menus that are actually
diff -r 45315295756f -r d68c71bfd62f public_html/admin/story.php
--- a/public_html/admin/story.php	Mon Dec 28 11:37:47 2009 +0100
+++ b/public_html/admin/story.php	Tue Dec 29 11:38:51 2009 +0100
@@ -801,6 +801,8 @@
         }
     }
 
+    SECINT_recreateFilesArray();
+
     /* ANY FURTHER PROCESSING on POST variables - COM_stripslashes etc.
      * Do it HERE on $args */
 
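Review bot: The placement of the new `SECINT_recreateFilesArray()` call relative to the save-mode token check is not visible in this hunk, and the enclosing function starts and ends outside it. Judging from users.php in the same changeset, which re-posts uploaded-file metadata as `_files_<key>` POST fields, the helper presumably rebuilds `$_FILES` from client-supplied POST data; such a rebuild should only run on a request that has already passed `SEC_checkToken()`, as topic.php does in this same changeset, because otherwise any caller could fabricate `$_FILES` entries (including `tmp_name`) without ever uploading anything. Please confirm the call sits inside the token-checked branch and, if it does not, move it there. Either way, document the dependency at the call site: `// Restore $_FILES entries re-sent by the re-authentication flow (users.php); only safe after SEC_checkToken()`.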
diff -r 45315295756f -r d68c71bfd62f public_html/admin/topic.php
--- a/public_html/admin/topic.php	Mon Dec 28 11:37:47 2009 +0100
+++ b/public_html/admin/topic.php	Tue Dec 29 11:38:51 2009 +0100
@@ -614,6 +614,8 @@
         echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
     }
 } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken()) {
+    SECINT_recreateFilesArray();
+
     if (empty ($_FILES['newicon']['name'])){
         $imageurl = COM_applyFilter ($_POST['imageurl']);
     } else {
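Review bot: The new `SECINT_recreateFilesArray()` call is correctly placed behind `SEC_checkToken()`, but nothing in this hunk shows that the restored `$_FILES['newicon']` entry is constrained to a server-side temporary location. Since users.php in this changeset re-posts file metadata as plain `_files_<key>` POST fields, the restored `tmp_name` is ultimately client-supplied, and `is_uploaded_file()`/`move_uploaded_file()` will no longer vouch for it; unless the helper (in lib-security.php, outside this hunk) rejects paths outside the expected temp directory, a user holding a valid token could point `tmp_name` at an arbitrary readable server file and have it copied in as the topic icon. I cannot see the helper's checks from here, so please verify them, and record the assumption at the call site: `// $_FILES may have been rebuilt from POST data by the re-auth flow; tmp_name must be validated before use`.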
@@ -638,7 +640,7 @@
                           $_POST['perm_owner'], $_POST['perm_group'],
                           $_POST['perm_members'], $_POST['perm_anon'],
                           $is_default, $is_archive);
-} else if ($mode == 'edit') {
+} elseif ($mode == 'edit') {
     $display .= COM_siteHeader('menu', $LANG27[1]);
     $tid = '';
     if (isset($_GET['tid'])) {
diff -r 45315295756f -r d68c71bfd62f public_html/users.php
--- a/public_html/users.php	Mon Dec 28 11:37:47 2009 +0100
+++ b/public_html/users.php	Tue Dec 29 11:38:51 2009 +0100
@@ -837,10 +837,110 @@
     }
 
     // don't return
-    exit();
+    exit;
 }
 
 
+/**
+* Re-send a request after successful re-authentication
+*
+* Re-creates a GET or POST request based on data passed along in a form. Used
+* in case of an expired security token so that the user doesn't lose changes.
+*
+*/
+function resend_request()
+{
+    global $_CONF;
+
+    require_once 'HTTP/Request.php';
+
+    $method = '';
+    if (isset($_POST['token_requestmethod'])) {
+        $method = COM_applyFilter($_POST['token_requestmethod']);
+    }
+    $returnurl = '';
+    if (isset($_POST['token_returnurl'])) {
+        $returnurl = urldecode($_POST['token_returnurl']);
+        if (substr($returnurl, 0, strlen($_CONF['site_url'])) !=
+                $_CONF['site_url']) {
+            // only accept URLs on our site
+            $returnurl = '';
+        }
+    }
+    $postdata = '';
+    if (isset($_POST['token_postdata'])) {
+        $postdata = urldecode($_POST['token_postdata']);
+    }
+    $getdata = '';
+    if (isset($_POST['token_getdata'])) {
+        $getdata = urldecode($_POST['token_getdata']);
+    }
+    $files = '';
+    if (isset($_POST['token_files'])) {
+        $files = urldecode($_POST['token_files']);
+    }
+
+    if (SECINT_checkToken() && !empty($method) && !empty($returnurl) &&
+            ((($method == 'POST') && !empty($postdata)) ||
+             (($method == 'GET') && !empty($getdata)))) {
+
+        $req = new HTTP_Request($returnurl);
+        if ($method == 'POST') {
+            $req->setMethod(HTTP_REQUEST_METHOD_POST);
+            $data = unserialize($postdata);
+            foreach ($data as $key => $value) {
+                if ($key == CSRF_TOKEN) {
+                    $req->addPostData($key, SEC_createToken());
+                } else {
+                    $req->addPostData($key, $value);
+                }
+            }
+            if (! empty($files)) {
+                $files = unserialize($files);
+            }
+            if (! empty($files)) {
+                foreach ($files as $key => $value) {
+                    $req->addPostData('_files_' . $key, $value);
+                }
+            }
+        } else {
+            $req->setMethod(HTTP_REQUEST_METHOD_GET);
+            $data = unserialize($getdata);
+            foreach ($data as $key => $value) {
+                if ($key == CSRF_TOKEN) {
+                    $req->addQueryString($key, SEC_createToken());
+                } else {
+                    $req->addQueryString($key, $value);
+                }
+            }
+        }
+        $req->addHeader('User-Agent', 'Geeklog/' . VERSION);
+        // need to fake the referrer so the new token matches
+        $req->addHeader('Referer', COM_getCurrentUrl());
+        foreach ($_COOKIE as $cookie => $value) {
+            $req->addCookie($cookie, $value);
+        }
+        $response = $req->sendRequest();
+
+        if (PEAR::isError($response)) {
+            if (! empty($files)) {
+                SECINT_cleanupFiles($files);
+            }
+            trigger_error("Resending $method request failed: " . $response->getMessage());
+        } else {
+            COM_output($req->getResponseBody());
+        }
+    } else {


