From c76b39da6fa606dc6c39ef40a333a69d1a887378 Mon Sep 17 00:00:00 2001 From: nikrou Date: Mon, 14 Dec 2009 22:16:52 +0000 Subject: [PATCH] Bug 1328 add function to check token git-svn-id: http://piwigo.org/svn/trunk@4492 68402e56-0260-453c-a942-63ccdbb3a9ee --- admin/include/functions.php | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/admin/include/functions.php b/admin/include/functions.php index 20cb6e534..0e5a2b5d8 100644 --- a/admin/include/functions.php +++ b/admin/include/functions.php @@ -23,6 +23,28 @@ include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php'); +/** + * check token comming from form posted or get params to prevent csrf attacks + * if pwg_token is empty action doesn't require token + * else pwg_token is compare to server token + * + * @return void access denied if token given is not equal to server token + */ +function check_token() +{ + global $conf; + + $token = hash_hmac('md5', session_id(), $conf['secret_key']); + + if (!empty($_POST['pwg_token']) && ($_POST['pwg_token'] != $token)) + { + access_denied(); + } + elseif (!empty($_GET['pwg_token']) && ($_GET['pwg_token'] != $token)) + { + access_denied(); + } +} // The function delete_site deletes a site and call the function // delete_categories for each primary category of the site