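/**
 * Check a security token.
 *
 * Checks the POST and GET data for a security token, if one exists, validates
 * that it's for this user and URL. If the token is not valid, it asks the user
 * to re-authenticate and resends the request if authentication was successful.
 *
 * To preserve the original request, $_POST, $_GET and (after rescuing the
 * uploads) $_FILES are serialized into the re-authentication form. The
 * counterpart, resend_request(), unserializes that form data again, so that
 * path must always stay behind a successful SECINT_checkToken().
 *
 * @return boolean true if the token is valid; does not return if not!
 * @see SECINT_checkToken
 * @link http://wiki.geeklog.net/index.php/Re-Authentication_for_expired_Tokens
 */
function SEC_checkToken()
{
    global $_CONF, $LANG20, $LANG_ADMIN;

    if (SECINT_checkToken()) {
        // if this was a recreated request, recreate $_FILES array, too
        SECINT_recreateFilesArray();

        return true;
    }

    // Token not valid (probably expired): Ask user to authenticate again
    $returnurl = COM_getCurrentUrl();
    $method = strtoupper($_SERVER['REQUEST_METHOD']);
    $postdata = serialize($_POST);
    $getdata = serialize($_GET);

    $files = '';
    if (!empty($_FILES)) {
        // rescue uploaded files: PHP removes them from the temp. dir when this
        // request ends, so move them into the data dir. Only the basename is
        // kept, so no directory component can travel through the form data.
        foreach ($_FILES as $key => $f) {
            // skip entries that did not upload successfully (tmp_name is empty
            // then and move_uploaded_file() would only emit a warning). Inputs
            // named name[] carry arrays here and are not rescued.
            if (empty($f['name']) || !isset($f['tmp_name']) || !is_string($f['tmp_name']) || $f['tmp_name'] === '') {
                continue;
            }
            if (isset($f['error']) && $f['error'] !== UPLOAD_ERR_OK) {
                continue;
            }

            $filename = basename($f['tmp_name']);
            move_uploaded_file($f['tmp_name'], $_CONF['path_data'] . $filename);
            $_FILES[$key]['tmp_name'] = $filename; // drop temp. dir
        }
        $files = serialize($_FILES);
    }

    $display = COM_showMessageText($LANG_ADMIN['token_expired'])
        . SECINT_authform($returnurl, $method, $postdata, $getdata, $files);
    $display = COM_createHTMLDocument($display, array('pagetitle' => $LANG20[1]));
    COM_output($display);

    exit; // we don't return from here
}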
/**
 * Fetch a remote image and write it to a local file.
 *
 * @param  string $from URL to fetch the image from
 * @param  string $to   local path the image is written to
 * @return int|false|string result of file_put_contents(), or '' when the
 *                          PEAR HTTP_Request failed
 */
protected function _saveUserPhoto($from, $to)
{
    require_once 'HTTP/Request.php';

    $request = new HTTP_Request($from);
    $request->addHeader('User-Agent', 'Geeklog/' . VERSION);
    $request->addHeader('Referer', COM_getCurrentUrl());

    $result = $request->sendRequest();
    if (PEAR::isError($result)) {
        // request failed: nothing was written
        return '';
    }

    return file_put_contents($to, $request->getResponseBody());
}
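/**
 * Re-send a request after successful re-authentication
 *
 * Re-creates a GET or POST request based on data passed along in a form. Used
 * in case of an expired security token so that the user doesn't lose changes.
 *
 * All inputs come from $_POST and are only acted upon after SECINT_checkToken()
 * succeeded. The return URL is restricted to this site (prefix and authority
 * must match $_CONF['site_url']) because the request is replayed server-side
 * with the user's cookies attached.
 *
 * @return void does not return; ends with exit
 */
function resend_request()
{
    global $_CONF;

    $method = '';
    if (isset($_POST['token_requestmethod'])) {
        $method = COM_applyFilter($_POST['token_requestmethod']);
    }

    // normalised "scheme://host:port|user:pass" of a URL, null if it has no host
    $authorityOf = function ($url) {
        $parts = parse_url($url);
        if (!is_array($parts) || empty($parts['host'])) {
            return null;
        }
        $parts += array('scheme' => '', 'port' => '', 'user' => '', 'pass' => '');

        return strtolower($parts['scheme'] . '://' . $parts['host']) . ':' . $parts['port']
            . '|' . $parts['user'] . ':' . $parts['pass'];
    };

    $returnUrl = '';
    if (isset($_POST['token_returnurl'])) {
        $returnUrl = urldecode($_POST['token_returnurl']);
        $siteUrl = $_CONF['site_url'];
        // only accept URLs on our site. A prefix match alone would also accept
        // "<site_url>.example" or "<site_url>@example", so the authority
        // (scheme, host, port, credentials) has to match as well.
        if (substr($returnUrl, 0, strlen($siteUrl)) !== $siteUrl
            || $authorityOf($returnUrl) === null
            || $authorityOf($returnUrl) !== $authorityOf($siteUrl)) {
            $returnUrl = '';
        }
    }

    $postData = '';
    if (isset($_POST['token_postdata'])) {
        $postData = urldecode($_POST['token_postdata']);
    }

    $getData = '';
    if (isset($_POST['token_getdata'])) {
        $getData = urldecode($_POST['token_getdata']);
    }

    $files = '';
    if (isset($_POST['token_files'])) {
        $files = urldecode($_POST['token_files']);
    }

    if (SECINT_checkToken() && !empty($method) && !empty($returnUrl)
        && ($method === 'POST' && !empty($postData) || $method === 'GET' && !empty($getData))) {
        $magic = get_magic_quotes_gpc();

        // NOTE(security): the serialized payloads below were produced by
        // SEC_checkToken() but travel through the client; unserialize() is only
        // reached after the token check. Once PHP >= 7 is the minimum, pass
        // array('allowed_classes' => false) to rule out object injection.
        if ($method === 'POST') {
            $req = new HTTP_Request2($returnUrl, HTTP_Request2::METHOD_POST);
            $data = unserialize($postData);
            if (!is_array($data)) {
                $data = array();
            }
            foreach ($data as $key => $value) {
                // strict string comparison: a numeric key 0 must not be taken
                // for the token field
                if ((string) $key === (string) CSRF_TOKEN) {
                    $req->addPostParameter($key, SEC_createToken());
                } else {
                    if ($magic) {
                        $value = stripslashes_gpc_recursive($value);
                    }
                    $req->addPostParameter($key, $value);
                }
            }

            if (!empty($files)) {
                $files = unserialize($files);
            }
            if (!empty($files) && is_array($files)) {
                foreach ($files as $key => $value) {
                    $req->addPostParameter('_files_' . $key, $value);
                }
            }
        } else {
            $data = unserialize($getData);
            if (!is_array($data)) {
                $data = array();
            }
            // write back through the key rather than iterating by reference,
            // so no reference to the last element lingers after the loop
            foreach ($data as $key => $value) {
                if ((string) $key === (string) CSRF_TOKEN) {
                    $data[$key] = SEC_createToken();
                } elseif ($magic) {
                    $data[$key] = stripslashes_gpc_recursive($value);
                }
            }
            $returnUrl = $returnUrl . '?' . http_build_query($data);
            $req = new HTTP_Request2($returnUrl, HTTP_Request2::METHOD_GET);
        }

        $req->setHeader('User-Agent', 'Geeklog/' . VERSION);
        // need to fake the referrer so the new token matches
        $req->setHeader('Referer', COM_getCurrentUrl());
        // the replayed request has to run in the user's session
        foreach ($_COOKIE as $cookie => $value) {
            $req->addCookie($cookie, $value);
        }

        try {
            $response = $req->send();
            $status = (int) $response->getStatus();
            if ($status === 200) {
                COM_output($response->getBody());
            } else {
                throw new HTTP_Request2_Exception('HTTP error: status code = ' . $status);
            }
        } catch (HTTP_Request2_Exception $e) {
            if (!empty($files)) {
                SECINT_cleanupFiles($files);
            }
            trigger_error("Resending {$method} request failed: " . $e->getMessage());
        }
    } else {
        if (!empty($files)) {
            SECINT_cleanupFiles($files);
        }
        COM_redirect($_CONF['site_url'] . '/index.php');
    }

    // don't return
    exit;
}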
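/**
 * Fetch a remote image and write it to a local file.
 *
 * Uses PEAR HTTP_Request2 since the first Facebook URL to a profile picture
 * redirects to a new location, so redirects have to be followed.
 *
 * @param  string $from URL to fetch the image from
 * @param  string $to   local path the image is written to
 * @return int|false|string result of file_put_contents(), or '' when the
 *                          server did not answer with status 200
 * @throws HTTP_Request2_Exception on connection, timeout or TLS failures
 *                          (not caught here, as before)
 */
protected function _saveUserPhoto($from, $to)
{
    $ret = '';

    $request = new HTTP_Request2($from, HTTP_Request2::METHOD_GET);
    $request->setConfig(array(
        'adapter'          => 'HTTP_Request2_Adapter_Socket',
        'connect_timeout'  => 15,
        'timeout'          => 30,
        'follow_redirects' => true,
        'max_redirects'    => 5,
        // the response body is written to disk as the user's photo, so the
        // peer must be authenticated; otherwise anyone on the network path
        // could substitute the content. Uses the system CA bundle; configure
        // 'ssl_cafile' here if the host has none.
        'ssl_verify_peer'  => true,
        'ssl_verify_host'  => true,
    ));
    $request->setHeader('User-Agent', 'Geeklog/' . VERSION);
    $request->setHeader('Referer', COM_getCurrentUrl());

    $response = $request->send();
    if ((int) $response->getStatus() === 200) {
        $ret = file_put_contents($to, $response->getBody());
    }

    return $ret;
}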
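/**
 * Re-send a request after successful re-authentication
 *
 * Re-creates a GET or POST request based on data passed along in a form. Used
 * in case of an expired security token so that the user doesn't lose changes.
 *
 * All inputs come from $_POST and are only acted upon after SECINT_checkToken()
 * succeeded. The return URL is restricted to this site (prefix and authority
 * must match $_CONF['site_url']) because the request is replayed server-side
 * with the user's cookies attached.
 *
 * @return void does not return; ends with exit
 */
function resend_request()
{
    global $_CONF;

    require_once 'HTTP/Request.php';

    $method = '';
    if (isset($_POST['token_requestmethod'])) {
        $method = COM_applyFilter($_POST['token_requestmethod']);
    }

    // normalised "scheme://host:port|user:pass" of a URL, null if it has no host
    $authorityOf = function ($url) {
        $parts = parse_url($url);
        if (!is_array($parts) || empty($parts['host'])) {
            return null;
        }
        $parts += array('scheme' => '', 'port' => '', 'user' => '', 'pass' => '');

        return strtolower($parts['scheme'] . '://' . $parts['host']) . ':' . $parts['port']
            . '|' . $parts['user'] . ':' . $parts['pass'];
    };

    $returnurl = '';
    if (isset($_POST['token_returnurl'])) {
        $returnurl = urldecode($_POST['token_returnurl']);
        $siteUrl = $_CONF['site_url'];
        // only accept URLs on our site. A prefix match alone would also accept
        // "<site_url>.example" or "<site_url>@example", so the authority
        // (scheme, host, port, credentials) has to match as well.
        if (substr($returnurl, 0, strlen($siteUrl)) !== $siteUrl
            || $authorityOf($returnurl) === null
            || $authorityOf($returnurl) !== $authorityOf($siteUrl)) {
            $returnurl = '';
        }
    }

    $postdata = '';
    if (isset($_POST['token_postdata'])) {
        $postdata = urldecode($_POST['token_postdata']);
    }

    $getdata = '';
    if (isset($_POST['token_getdata'])) {
        $getdata = urldecode($_POST['token_getdata']);
    }

    $files = '';
    if (isset($_POST['token_files'])) {
        $files = urldecode($_POST['token_files']);
    }

    if (SECINT_checkToken() && !empty($method) && !empty($returnurl)
        && ($method === 'POST' && !empty($postdata) || $method === 'GET' && !empty($getdata))) {
        $magic = get_magic_quotes_gpc();

        $req = new HTTP_Request($returnurl);

        // NOTE(security): the serialized payloads below were produced by
        // SEC_checkToken() but travel through the client; unserialize() is only
        // reached after the token check. Once PHP >= 7 is the minimum, pass
        // array('allowed_classes' => false) to rule out object injection.
        if ($method === 'POST') {
            $req->setMethod(HTTP_REQUEST_METHOD_POST);
            $data = unserialize($postdata);
            if (!is_array($data)) {
                $data = array();
            }
            foreach ($data as $key => $value) {
                // strict string comparison: a numeric key 0 must not be taken
                // for the token field
                if ((string) $key === (string) CSRF_TOKEN) {
                    $req->addPostData($key, SEC_createToken());
                } else {
                    if ($magic) {
                        $value = stripslashes_gpc_recursive($value);
                    }
                    $req->addPostData($key, $value);
                }
            }

            if (!empty($files)) {
                $files = unserialize($files);
            }
            if (!empty($files) && is_array($files)) {
                foreach ($files as $key => $value) {
                    $req->addPostData('_files_' . $key, $value);
                }
            }
        } else {
            $req->setMethod(HTTP_REQUEST_METHOD_GET);
            $data = unserialize($getdata);
            if (!is_array($data)) {
                $data = array();
            }
            foreach ($data as $key => $value) {
                if ((string) $key === (string) CSRF_TOKEN) {
                    $req->addQueryString($key, SEC_createToken());
                } else {
                    if ($magic) {
                        $value = stripslashes_gpc_recursive($value);
                    }
                    $req->addQueryString($key, $value);
                }
            }
        }

        $req->addHeader('User-Agent', 'Geeklog/' . VERSION);
        // need to fake the referrer so the new token matches
        $req->addHeader('Referer', COM_getCurrentUrl());
        // the replayed request has to run in the user's session
        foreach ($_COOKIE as $cookie => $value) {
            $req->addCookie($cookie, $value);
        }

        $response = $req->sendRequest();
        if (PEAR::isError($response)) {
            if (!empty($files)) {
                SECINT_cleanupFiles($files);
            }
            trigger_error("Resending {$method} request failed: " . $response->getMessage());
        } else {
            COM_output($req->getResponseBody());
        }
    } else {
        if (!empty($files)) {
            SECINT_cleanupFiles($files);
        }
        echo COM_refresh($_CONF['site_url'] . '/index.php');
    }

    // don't return
    exit;
}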