iarv/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2026-03-28 17:42:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

feature 1915: add protection on user registration against robots

Browse Source 
git-svn-id: http://piwigo.org/svn/trunk@7495 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
rvelices
2010-10-30 11:32:11 +00:00
parent 6f841013d9
commit d8ec9b9fdd
7 changed files with 51 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
comments.php
View File

@@ -504,7 +504,7 @@ SELECT c.id, name, permalink, uppercats, com.id as comment_id
if (isset($edit_comment) and ($comment['comment_id'] == $edit_comment))
{
$tpl_comment['IN_EDIT'] = true;
$key = get_comment_post_key($comment['image_id']);
$key = get_ephemeral_key(2, $comment['image_id']);
$tpl_comment['KEY'] = $key;
$tpl_comment['IMAGE_ID'] = $comment['image_id'];
$tpl_comment['CONTENT'] = $comment['content'];

42
include/functions.inc.php
View File

@@ -1333,25 +1333,37 @@ function secure_directory($dir)
}
/**
* returns a "secret key" that is to be sent back when a user enters a comment
* returns a "secret key" that is to be sent back when a user posts a form
*
* @param int image_id
* @param int valid_after_seconds - key validity start time from now
*/
function get_comment_post_key($image_id)
function get_ephemeral_key($valid_after_seconds, $aditionnal_data_to_hash = '')
{
global $conf;
global $conf;
$time = round(microtime(true), 1);
return $time.':'.$valid_after_seconds.':'
.hash_hmac(
'md5',
$time.substr($_SERVER['REMOTE_ADDR'],0,5).$valid_after_seconds.$aditionnal_data_to_hash,
$conf['secret_key']);
}
$time = time();
return sprintf(
'%s:%s',
$time,
hash_hmac(
'md5',
$time.':'.$image_id,
$conf['secret_key']
)
);
function verify_ephemeral_key($key, $aditionnal_data_to_hash = '')
{
global $conf;
$time = microtime(true);
$key = explode( ':', @$key );
if ( count($key)!=3
or $key[0]>$time-(float)$key[1] // page must have been retrieved more than X sec ago
or $key[0]<$time-3600 // 60 minutes expiration
or hash_hmac(
'md5', $key[0].substr($_SERVER['REMOTE_ADDR'],0,5).$key[1].$aditionnal_data_to_hash, $conf['secret_key']
) != $key[2]
)
{
return false;
}
return true;
}
/**

17
include/functions_comment.inc.php
View File

@@ -119,14 +119,7 @@ SELECT COUNT(*) AS user_exists
$comment_action='reject';
}
$key = explode( ':', @$key );
if ( count($key)!=2
or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
or $key[0]<time()-3600 // 60 minutes expiration
or hash_hmac(
'md5', $key[0].':'.$comm['image_id'], $conf['secret_key']
) != $key[1]
)
if ( !verify_ephemeral_key(@$key, $comm['image_id']) )
{
$comment_action='reject';
}
@@ -248,13 +241,7 @@ function update_user_comment($comment, $post_key)
$comment_action = 'validate';
$key = explode( ':', $post_key );
if ( count($key)!=2
or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
or $key[0]<time()-3600 // 60 minutes expiration
or hash_hmac('md5', $key[0].':'.$comment['image_id'], $conf['secret_key']
) != $key[1]
)
if ( !verify_ephemeral_key($post_key, $comment['image_id']) )
{
$comment_action='reject';
}

4
include/picture_comment.inc.php
View File

@@ -198,7 +198,7 @@ SELECT
if (isset($edit_comment) and ($row['id'] == $edit_comment))
{
$tpl_comment['IN_EDIT'] = true;
$key = get_comment_post_key($page['image_id']);
$key = get_comment_post_key(2, $page['image_id']);
$tpl_comment['KEY'] = $key;
$tpl_comment['CONTENT'] = $row['content'];
}
@@ -233,7 +233,7 @@ SELECT
if ($show_add_comment_form)
{
$key = get_comment_post_key($page['image_id']);
$key = get_ephemeral_key(3, $page['image_id']);
$content = '';
if ('reject'===@$comment_action)
{

2
include/ws_functions.inc.php
View File

@@ -725,7 +725,7 @@ SELECT id, date, author, content
)
{
$comment_post_data['author'] = stripslashes($user['username']);
$comment_post_data['key'] = get_comment_post_key($params['image_id']);
$comment_post_data['key'] = get_ephemeral_key(2, $params['image_id']);
}
$ret = $image_row;

23
register.php
View File

@@ -40,13 +40,19 @@ if (!$conf['allow_user_registration'])
$errors = array();
if (isset($_POST['submit']))
{
if (!verify_ephemeral_key(@$_POST['key']))
{
set_status_header(403);
array_push($errors, 'Invalid/expired form key');
}
if ($_POST['password'] != $_POST['password_conf'])
{
array_push($errors, l10n('please enter your password again'));
}
$errors =
register_user(htmlspecialchars($_POST['login'],ENT_COMPAT,'utf-8'),
register_user($_POST['login'],
$_POST['password'],
$_POST['mail_address'],
true,
@@ -58,10 +64,15 @@ if (isset($_POST['submit']))
log_user($user_id, false);
redirect(make_index_url());
}
$registration_post_key = get_ephemeral_key(2);
}
else
{
$registration_post_key = get_ephemeral_key(6);
}
$login = !empty($_POST['login'])?$_POST['login']:'';
$email = !empty($_POST['mail_address'])?$_POST['mail_address']:'';
$login = !empty($_POST['login'])?htmlspecialchars(stripslashes($_POST['login'])):'';
$email = !empty($_POST['mail_address'])?htmlspecialchars(stripslashes($_POST['mail_address'])):'';
//----------------------------------------------------- template initialization
//
@@ -74,10 +85,10 @@ include(PHPWG_ROOT_PATH.'include/page_header.php');
$template->set_filenames( array('register'=>'register.tpl') );
$template->assign(array(
'U_HOME' => make_index_url(),
'F_KEY' => $registration_post_key,
'F_ACTION' => 'register.php',
'F_LOGIN' => htmlspecialchars($login, ENT_QUOTES, 'utf-8'),
'F_EMAIL' => htmlspecialchars($email, ENT_QUOTES, 'utf-8')
'F_LOGIN' => $login,
'F_EMAIL' => $email
));
//-------------------------------------------------------------- errors display

1
themes/default/template/register.tpl
View File

@@ -54,6 +54,7 @@
</fieldset>
<p class="bottomButtons">
<input type="hidden" name="key" value="{$F_KEY}" >
<input class="submit" type="submit" name="submit" value="{'Register'|@translate}">
<input class="submit" type="reset" value="{'Reset'|@translate}">
</p>