[geeklog-cvs] geeklog: Call SECINT_recreateFilesArray() in SEC_checkToken(). S...

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Wed Dec 30 04:09:36 EST 2009


changeset 7559:61269490cda0
url:  http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/61269490cda0
user: Dirk Haun <dirk at haun-online.de>
date: Wed Dec 30 09:50:45 2009 +0100
description:
Call SECINT_recreateFilesArray() in SEC_checkToken(). So now the re-authentication is fully transparent!

diffstat:

 public_html/admin/story.php |   2 --
 public_html/admin/topic.php |   1 -
 system/lib-security.php     |  43 +++++++++++++++++++++++++++++--------------
 3 files changed, 29 insertions(+), 17 deletions(-)

diffs (126 lines):

diff -r 2c12010829c8 -r 61269490cda0 public_html/admin/story.php
--- a/public_html/admin/story.php	Tue Dec 29 18:26:13 2009 +0100
+++ b/public_html/admin/story.php	Wed Dec 30 09:50:45 2009 +0100
@@ -801,8 +801,6 @@
         }
     }
 
-    SECINT_recreateFilesArray();
-
     /* ANY FURTHER PROCESSING on POST variables - COM_stripslashes etc.
      * Do it HERE on $args */
 
diff -r 2c12010829c8 -r 61269490cda0 public_html/admin/topic.php
--- a/public_html/admin/topic.php	Tue Dec 29 18:26:13 2009 +0100
+++ b/public_html/admin/topic.php	Wed Dec 30 09:50:45 2009 +0100
@@ -614,7 +614,6 @@
         echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
     }
 } elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken()) {
-    SECINT_recreateFilesArray();
 
     if (empty ($_FILES['newicon']['name'])){
         $imageurl = COM_applyFilter ($_POST['imageurl']);
diff -r 2c12010829c8 -r 61269490cda0 system/lib-security.php
--- a/system/lib-security.php	Tue Dec 29 18:26:13 2009 +0100
+++ b/system/lib-security.php	Wed Dec 30 09:50:45 2009 +0100
@@ -14,6 +14,7 @@
 // |          Mark Limburg     - mlimburg AT users DOT sourceforge DOT net     |
 // |          Vincent Furia    - vmf AT abtech DOT org                         |
 // |          Michael Jervis   - mike AT fuckingbrit DOT com                   |
+// |          Dirk Haun        - dirk AT haun-online DOT de
 // +---------------------------------------------------------------------------+
 // |                                                                           |
 // | This program is free software; you can redistribute it and/or             |
@@ -1071,19 +1072,20 @@
 }
 
 /**
-  * Generate a security token.
-  *
-  * This generates and stores a one time security token. Security tokens are
-  * added to forms and urls in the admin section as a non-cookie double-check
-  * that the admin user really wanted to do that...
-  *
-  * @param $ttl int Time to live for token in seconds. Default is 20 minutes.
-  *
-  * @return string  Generated token, it'll be an MD5 hash (32chars)
-  */
+* Generate a security token.
+*
+* This generates and stores a one time security token. Security tokens are
+* added to forms and urls in the admin section as a non-cookie double-check
+* that the admin user really wanted to do that...
+*
+* @param  int  $ttl  Time to live for token in seconds. Default is 20 minutes.
+* @return string  Generated token, it'll be an MD5 hash (32chars)
+* @see SEC_checkToken
+*
+*/
 function SEC_createToken($ttl = 1200)
 {
-    global $_USER, $_TABLES, $_DB_dbms;
+    global $_TABLES, $_USER;
 
     static $last_token;
 
@@ -1124,9 +1126,11 @@
 *
 * Checks the POST and GET data for a security token, if one exists, validates
 * that it's for this user and URL. If the token is not valid, it asks the user
-* to re-authenticate and re-sends the request if authentication was successful.
+* to re-authenticate and resends the request if authentication was successful.
 *
 * @return   boolean     true if the token is valid; does not return if not!
+* @see      SECINT_checkToken
+* @link http://wiki.geeklog.net/index.php/Re-Authentication_for_expired_Tokens
 *
 */
 function SEC_checkToken()
@@ -1134,6 +1138,10 @@
     global $_CONF, $LANG20, $LANG_ADMIN;
 
     if (SECINT_checkToken()) {
+
+        // if this was a recreated request, recreate $_FILES array, too
+        SECINT_recreateFilesArray();
+
         return true;
     }
 
@@ -1174,12 +1182,13 @@
 *
 * @return   boolean     true if the token is valid and for this user.
 * @access   private
+* @see      SEC_checkToken
 *
 */
 function SECINT_checkToken()
 {
-    global $_USER, $_TABLES, $_DB_dbms;
-    
+    global $_TABLES, $_USER;
+
     $token = ''; // Default to no token.
     $return = false; // Default to fail.
     
@@ -1347,6 +1356,11 @@
                     }
                     $_FILES[$file][$kk] = $kv;
                 }
+                if (! file_exists($_FILES[$file]['tmp_name'])) {
+                    // whoops!?
+                    COM_errorLog("Uploaded file {$_FILES[$file]['name']} not found when recreating $_FILES array");
+                    unset($_FILES[$file]);
+                }
                 unset($_POST[$key]);
             }
         }
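Review bot: The new guard only tests that the entry's `tmp_name` exists; since the loop above rebuilds every field of the entry from the resubmitted POST data (`$_FILES[$file][$kk] = $kv;` followed by `unset($_POST[$key])`), any existing readable path would pass, so the check should also confirm that the path resolves inside the directory where the original request's uploads were kept (not visible on this page), e.g. `$tmp = realpath($_FILES[$file]['tmp_name']); if ($tmp === false || strpos($tmp, <KEPT_UPLOAD_DIR>) !== 0) { /* log and unset as now */ }`. The log line also has a defect: inside the double-quoted string, `$_FILES array` interpolates the superglobal, so the message ends in "Array array" and raises an array-to-string notice; either escape it as `\$_FILES` or build the message with single quotes and concatenation. `is_uploaded_file()` is not an option here because the file did not arrive with the current request, which is presumably why the existence test was chosen, but a directory check keeps the same intent without trusting the POST-supplied path. SECINT_recreateFilesArray() starts before this hunk.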
@@ -1362,6 +1376,7 @@
 *
 * @param    mixed   $files  original or recreated $_FILES array
 * @return   void
+* @access   private
 *
 */
 function SECINT_cleanupFiles($files)


