[geeklog-cvs] geeklog: Call SECINT_recreateFilesArray() in SEC_checkToken(). S...
Wed Dec 30 04:09:36 EST 2009
changeset 7559:61269490cda0
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/61269490cda0
user: Dirk Haun <dirk at haun-online.de>
date: Wed Dec 30 09:50:45 2009 +0100
description:
Call SECINT_recreateFilesArray() in SEC_checkToken(). So now the re-authentication is fully transparent!
diffstat:
public_html/admin/story.php | 2 --
public_html/admin/topic.php | 1 -
system/lib-security.php | 43 +++++++++++++++++++++++++++++--------------
3 files changed, 29 insertions(+), 17 deletions(-)
diffs (126 lines):
diff -r 2c12010829c8 -r 61269490cda0 public_html/admin/story.php
--- a/public_html/admin/story.php Tue Dec 29 18:26:13 2009 +0100
+++ b/public_html/admin/story.php Wed Dec 30 09:50:45 2009 +0100
@@ -801,8 +801,6 @@
}
}
- SECINT_recreateFilesArray();
-
/* ANY FURTHER PROCESSING on POST variables - COM_stripslashes etc.
* Do it HERE on $args */
diff -r 2c12010829c8 -r 61269490cda0 public_html/admin/topic.php
--- a/public_html/admin/topic.php Tue Dec 29 18:26:13 2009 +0100
+++ b/public_html/admin/topic.php Wed Dec 30 09:50:45 2009 +0100
@@ -614,7 +614,6 @@
echo COM_refresh($_CONF['site_admin_url'] . '/index.php');
}
} elseif (($mode == $LANG_ADMIN['save']) && !empty($LANG_ADMIN['save']) && SEC_checkToken()) {
- SECINT_recreateFilesArray();
if (empty ($_FILES['newicon']['name'])){
$imageurl = COM_applyFilter ($_POST['imageurl']);
diff -r 2c12010829c8 -r 61269490cda0 system/lib-security.php
--- a/system/lib-security.php Tue Dec 29 18:26:13 2009 +0100
+++ b/system/lib-security.php Wed Dec 30 09:50:45 2009 +0100
@@ -14,6 +14,7 @@
// | Mark Limburg - mlimburg AT users DOT sourceforge DOT net |
// | Vincent Furia - vmf AT abtech DOT org |
// | Michael Jervis - mike AT fuckingbrit DOT com |
+// | Dirk Haun - dirk AT haun-online DOT de
// +---------------------------------------------------------------------------+
// | |
// | This program is free software; you can redistribute it and/or |
@@ -1071,19 +1072,20 @@
}
/**
- * Generate a security token.
- *
- * This generates and stores a one time security token. Security tokens are
- * added to forms and urls in the admin section as a non-cookie double-check
- * that the admin user really wanted to do that...
- *
- * @param $ttl int Time to live for token in seconds. Default is 20 minutes.
- *
- * @return string Generated token, it'll be an MD5 hash (32chars)
- */
+* Generate a security token.
+*
+* This generates and stores a one time security token. Security tokens are
+* added to forms and urls in the admin section as a non-cookie double-check
+* that the admin user really wanted to do that...
+*
+* @param int $ttl Time to live for token in seconds. Default is 20 minutes.
+* @return string Generated token, it'll be an MD5 hash (32chars)
+* @see SEC_checkToken
+*
+*/
function SEC_createToken($ttl = 1200)
{
- global $_USER, $_TABLES, $_DB_dbms;
+ global $_TABLES, $_USER;
static $last_token;
@@ -1124,9 +1126,11 @@
*
* Checks the POST and GET data for a security token, if one exists, validates
* that it's for this user and URL. If the token is not valid, it asks the user
-* to re-authenticate and re-sends the request if authentication was successful.
+* to re-authenticate and resends the request if authentication was successful.
*
* @return boolean true if the token is valid; does not return if not!
+* @see SECINT_checkToken
+* @link http://wiki.geeklog.net/index.php/Re-Authentication_for_expired_Tokens
*
*/
function SEC_checkToken()
@@ -1134,6 +1138,10 @@
global $_CONF, $LANG20, $LANG_ADMIN;
if (SECINT_checkToken()) {
+
+ // if this was a recreated request, recreate $_FILES array, too
+ SECINT_recreateFilesArray();
+
return true;
}
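Review bot: The comment on the added call says $_FILES is recreated only "if this was a recreated request", but SECINT_recreateFilesArray() is invoked unconditionally on every successful token check, so that condition has to be enforced inside the callee. The later hunk of this diff shows that function rebuilding $_FILES entries from $_POST, which suggests it is a no-op when no such fields are present, but that is inferred rather than visible here. Either make the comment describe what is actually true at this call site, e.g. `// recreate $_FILES from the re-posted form fields, if any (no-op for a normal request)`, or guard the call on whatever marker SECINT_checkToken() uses to recognise a re-posted request. SEC_checkToken() starts in the previous hunk and its body continues outside this one.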
@@ -1174,12 +1182,13 @@
*
* @return boolean true if the token is valid and for this user.
* @access private
+* @see SEC_checkToken
*
*/
function SECINT_checkToken()
{
- global $_USER, $_TABLES, $_DB_dbms;
-
+ global $_TABLES, $_USER;
+
$token = ''; // Default to no token.
$return = false; // Default to fail.
@@ -1347,6 +1356,11 @@
}
$_FILES[$file][$kk] = $kv;
}
+ if (! file_exists($_FILES[$file]['tmp_name'])) {
+ // whoops!?
+ COM_errorLog("Uploaded file {$_FILES[$file]['name']} not found when recreating $_FILES array");
+ unset($_FILES[$file]);
+ }
unset($_POST[$key]);
}
}
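Review bot: The new file_exists() check only establishes that the path in `tmp_name` exists; it does not establish that the entry describes a genuine upload, and the surrounding loop fills these values from $_POST (`$_FILES[$file][$kk] = $kv;` followed by `unset($_POST[$key])`), i.e. from the re-posted request. A caller that treats a recreated `tmp_name` like a fresh upload is therefore handed a client-supplied path, and `is_uploaded_file()`/`move_uploaded_file()` will not vouch for it either, so the check should also resolve the path with realpath() and reject anything outside the directory where the re-authentication step staged the file (that directory is not visible in this hunk, so the exact prefix is for the author to confirm). The condition as written also emits a notice when the re-posted fields did not include `tmp_name` at all and accepts directories, so at minimum use `if (empty($_FILES[$file]['tmp_name']) || !is_file($_FILES[$file]['tmp_name'])) {`. The `name` value interpolated into the COM_errorLog() message is likewise request-supplied; the enclosing function starts outside the hunk.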
@@ -1362,6 +1376,7 @@
*
* @param mixed $files original or recreated $_FILES array
* @return void
+* @access private
*
*/
function SECINT_cleanupFiles($files)