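/**
 * Builds the token identifier string for the current request context.
 *
 * Components are joined with ';'. The first applicable strategy wins:
 * session id, configured cookie, configured key. The remaining strategies
 * (user, allow-ip) additionally require a server-side secret.
 *
 * @return string the token identifier, or 'invalid' when no strategy applies
 */
function csrf_get_tokens()
{
    $has_cookies = !empty($_COOKIE);
    $secret = csrf_get_secret();

    // Only append a client-address component when the client sent no cookies
    // and a secret exists. Guard the $_SERVER key so a missing entry neither
    // raises an undefined-index notice nor hashes an empty string.
    if (!$has_cookies && $secret && isset($_SERVER['IP_ADDRESS'])) {
        // NOTE(review): an address that may come through proxies is a weak
        // binding component; it should not be relied on as the sole one.
        $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
    } else {
        $ip = '';
    }

    csrf_start();

    // Strategies that do not need a server-side secret.
    if (session_id()) {
        return 'sid:' . csrf_hash(session_id()) . $ip;
    }
    if ($GLOBALS['csrf']['cookie']) {
        $val = csrf_generate_secret();
        // NOTE(review): no path/secure/httponly arguments are passed here;
        // confirm the default cookie attributes are what the deployment wants.
        setcookie($GLOBALS['csrf']['cookie'], $val);
        return 'cookie:' . csrf_hash($val) . $ip;
    }
    if ($GLOBALS['csrf']['key']) {
        return 'key:' . csrf_hash($GLOBALS['csrf']['key']) . $ip;
    }

    // Everything below requires a secret.
    if (!$secret) {
        return 'invalid';
    }
    if ($GLOBALS['csrf']['user'] !== false) {
        return 'user:' . csrf_hash($GLOBALS['csrf']['user']);
    }
    if ($GLOBALS['csrf']['allow-ip']) {
        // Drop the leading ';' so the address component stands alone.
        return ltrim($ip, ';');
    }
    return 'invalid';
}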
/**
 * Returns the semicolon-separated token identifier(s) for this request.
 *
 * The first applicable strategy wins (session id, cookie, key). The user and
 * allow-ip strategies additionally require a server-side secret. Yields
 * 'invalid' when nothing applies.
 *
 * @return string
 */
function csrf_get_tokens()
{
    $noCookies = empty($_COOKIE);
    $secret = csrf_get_secret();

    // Optional component derived from the client address. It is only added
    // when the client presented no cookies at all, because in that case a
    // cookie-bound token may not "stick". It may or may not be used below.
    $suffix = '';
    if ($noCookies && $secret && isset($_SERVER['IP_ADDRESS'])) {
        // :TODO: Harden this against proxy-spoofing attacks
        $suffix = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
    }

    csrf_start();
    $cfg =& $GLOBALS['csrf'];

    // Secret-less ("strong") strategies.
    $sid = session_id();
    if ($sid) {
        return 'sid:' . csrf_hash($sid) . $suffix;
    }
    if ($cfg['cookie']) {
        $cookieValue = csrf_generate_secret();
        setcookie($cfg['cookie'], $cookieValue);
        return 'cookie:' . csrf_hash($cookieValue) . $suffix;
    }
    if ($cfg['key']) {
        return 'key:' . csrf_hash($cfg['key']) . $suffix;
    }

    // The remaining strategies need a server-side secret.
    if (!$secret) {
        return 'invalid';
    }
    if ($cfg['user'] !== false) {
        return 'user:' . csrf_hash($cfg['user']);
    }

    // Address-only binding, with the joining ';' stripped.
    return $cfg['allow-ip'] ? ltrim($suffix, ';') : 'invalid';
}
$site_sess->set_session_var("rated_imgs", $session_info['rated_imgs']);
$cookie_rated[] = $id;
// Remember the vote client-side for four days.
$cookie_expire = time() + 60 * 60 * 24 * 4;
// NOTE(review): six arguments are passed, so the httponly flag (7th) is left
// at its default; the cookie carries only rated image ids, but confirm
// script access to it is acceptable.
setcookie($cookie_name . 'rated', implode(" ", $cookie_rated), $cookie_expire, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
update_image_rating($id, $rating);
$msg = $lang['voting_success'];
} else {
$msg = $lang['already_voted'];
}
} else {
$msg = $lang['voting_error'];
}
}
//-----------------------------------------------------
//--- User Box ----------------------------------------
//-----------------------------------------------------
// Render either the logged-in info box or the login form, and expose the
// login-state flags to the templates.
if ($user_info['user_level'] >= USER) {
    // Substitute the user's name into the localized "logged in" message.
    // NOTE(review): $site_template->start/end are interpolated into the PCRE
    // pattern unquoted (safe only while they hold no regex metacharacters or
    // '/'), and the replacement is interpreted by preg_replace, so "$n"/"\n"
    // sequences in a user name would act as backreferences unless
    // format_text() neutralises them — verify.
    $site_template->register_vars("lang_loggedin_msg", preg_replace("/" . $site_template->start . "loggedin_user_name" . $site_template->end . "/siU", format_text($user_info['user_name'], 2), $lang['lang_loggedin_msg']));
    $user_box = $site_template->parse_template("user_logininfo");
    $site_template->register_vars(array("user_box" => $user_box, "user_loggedin" => 1, "user_loggedout" => 0, "is_admin" => $user_info['user_level'] == ADMIN ? 1 : 0));
    $site_template->un_register_vars("user_logininfo");
    unset($user_box);
} else {
    $user_box = $site_template->parse_template("user_loginform");
    $site_template->register_vars(array("user_box" => $user_box, "user_loggedin" => 0, "user_loggedout" => 1, "is_admin" => 0));
    $site_template->un_register_vars("user_loginform");
    unset($user_box);
}
// Enable CSRF protection for the frontend when configured.
if ($csrf_protection_enable && $csrf_protection_frontend) {
    csrf_start(true);
}
 * Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-          *
 * bedingungen (Lizenz.txt) für weitere Informationen.                   *
 * ---------------------------------------------------------------       *
 * This script is NOT freeware! Please read the Copyright Notice         *
 * (Licence.txt) for further information.                                *
 *                                                                       *
 *************************************************************************/
// Refuse direct invocation: this file is only meant to be included after
// the bootstrap has defined ROOT_PATH.
if (!defined('ROOT_PATH')) {
    die("Security violation");
}
define('GET_CACHES', 1);
include_once ROOT_PATH . 'global.php';
include_once ROOT_PATH . 'includes/sessions.php';
include_once ROOT_PATH . 'admin/admin_functions.php';
// Enable CSRF protection for the admin backend when configured.
if ($csrf_protection_enable && $csrf_protection_backend) {
    csrf_start();
}
// $HTTP_GET_VARS / $HTTP_POST_VARS are the pre-PHP-5.4 long-form request
// arrays (removed in 5.4); they only exist here if something upstream
// re-creates them.
// $redirect and $goto are untrusted request values and are only trimmed
// here. Wherever they are consumed (outside this view) they need to be
// validated against the site's own URLs so they cannot act as open redirects.
if (isset($HTTP_GET_VARS['redirect']) || isset($HTTP_POST_VARS['redirect'])) {
    $redirect = isset($HTTP_GET_VARS['redirect']) ? trim($HTTP_GET_VARS['redirect']) : trim($HTTP_POST_VARS['redirect']);
} else {
    $redirect = "";
}
if (isset($HTTP_GET_VARS['goto']) || isset($HTTP_POST_VARS['goto'])) {
    $goto = isset($HTTP_GET_VARS['goto']) ? trim($HTTP_GET_VARS['goto']) : trim($HTTP_POST_VARS['goto']);
} else {
    $goto = "";
}
// When executing from under a /plugins/ directory, prefix $self_url so
// generated links resolve. NOTE(review): $PHP_SELF as a plain global (rather
// than $_SERVER['PHP_SELF']) depends on register_globals or an upstream
// assignment — TODO confirm where it is set.
if (isset($PHP_SELF) && preg_match("/\\/plugins\\//i", $PHP_SELF)) {
    $self_url = "plugins/" . $self_url;
}
if ($goto != "") {