public static function create(\Member $member)
{
$nonce = new Nonce();
$now = time() + 60;
$nonce->setNonce($member->getId() . $member->getHash() . $now . uniqid())->setMember($member)->setDate($now)->save();
return $nonce;
}
function lookup_nonce($consumer, $token, $nonce, $timestamp)
{
$n = new Nonce();
$n->consumer_key = $consumer->key;
$n->ts = common_sql_date($timestamp);
$n->nonce = $nonce;
if ($n->find(true)) {
return true;
} else {
$n->created = DB_DataObject_Cast::dateTime();
$n->insert();
return false;
}
}
public function action_index()
{
$login = Session::getLogin();
if (!$login) {
throw new PermissionDeniedException();
}
$nonce = \Nonce::create($login);
$url = Config::get('simple.system.url') . "?mod=guide&nonce=" . $nonce->getNonce();
return new ControllerActionRedirect($url);
}
static function validate($nonce, $action = '', $user = '')
{
/*
* Function validates the nonce generated by self::create
* $nonce string the nonce that is to be validated
* $action string the action for which the nonce was made
* $user string the user for whome the nonce was made
*/
if (substr(Nonce::generate($action . $user), -12, 10) == $nonce) {
return true;
}
return false;
}
/**
* Updates the post votes via an HTTP request.
*
* @wp-hook template_redirect
*
* @return void
*/
public function update_http()
{
if (!is_user_logged_in()) {
return;
}
if (!$this->nonce->is_valid()) {
return;
}
if (!$this->update()) {
return;
}
$url = filter_input(INPUT_POST, '_wp_http_referer');
$url = urldecode($url);
$url = esc_url($url);
wp_safe_redirect($url);
}
<?php
require "_inc/functions.php";
//Redirect to members page if logged in
if ($auth->logged_in) {
header("Location: members.php");
}
$nonce = new Nonce("login_action");
require "_inc/header.php";
?>
<div class="post">
<div class="post-bgtop">
<div class="post-bgbtm">
<h2 class="title"><a href="#">Welcome to hackme </a></h2>
<div class="entry">
<?php
if (!$auth->logged_in) {
?>
<form method="post" action="members.php">
<h2>LOGIN</h2>
<table>
<tr> <td> Username </td> <td> <input type="text" name="username" /> </td> </tr>
<tr> <td> Password </td> <td> <input type="password" name="password" /> </td>
<td> <input type="submit" name = "submit" value="Login" /> </td></tr>
</table>
<input type="hidden" name="nonce" value="<?php
echo $nonce->get();
?>
">
</form>
function _deleteNonces()
{
$nonce = new Nonce();
$nonce->consumer_key = $this->consumer_key;
$nonce->delete();
}
/** validate a nonce
* @params (string) $key, (string) $nonce
* @return (bool) $isValid
**/
protected function validateNonce($key, $nonce)
{
return Nonce::validateString($nonce, $key);
}
public function registerForm()
{
$this->nonce = Nonce::getNonce();
}
public function afterAuthentication()
{
//auth succesfull. Make sure nonce cannot be re-used to prevent replay attacks.
$this->nonce->markAsUsed();
parent::afterAuthentication();
}
<?php
define("MEMBERS_ONLY", true);
require "_inc/functions.php";
//if the login form is submitted
if (isset($_POST['submit']) && isset($_POST["password"]) && isset($_POST["username"]) && isset($_POST["nonce"])) {
$nonce = new Nonce("login_action");
if (!$nonce->verify($_POST["nonce"])) {
die("CSRF detected, knock it off you punk");
}
$auth->login($_POST["username"], $_POST["password"]);
}
require "_inc/header.php";
$threads = $auth->query("SELECT * FROM threads ORDER BY date DESC", array(), true);
foreach ($threads as $thread) {
?>
<div class="post">
<div class="post-bgtop">
<div class="post-bgbtm">
<h2 class="title">
<a href="show.php?pid=<?php
echo htmlspecialchars($thread->id);
?>
"><?php
echo htmlspecialchars($thread->title);
?>
</a>
</h2>
<p class="meta">
<span class="date"><?php
echo date('l, d F, Y', htmlspecialchars($thread->date));
/**
* Gets additional resources for assigned media
* @param string $serverKey
* @param string $hardwareKey
* @param int $layoutId
* @param string $regionId
* @param string $mediaId
* @return mixed
* @throws SoapFault
*/
function GetResource($serverKey, $hardwareKey, $layoutId, $regionId, $mediaId)
{
// Sanitize
$serverKey = Kit::ValidateParam($serverKey, _STRING);
$hardwareKey = Kit::ValidateParam($hardwareKey, _STRING);
$layoutId = Kit::ValidateParam($layoutId, _INT);
$regionId = Kit::ValidateParam($regionId, _STRING);
$mediaId = Kit::ValidateParam($mediaId, _STRING);
// Check the serverKey matches
if ($serverKey != Config::GetSetting('SERVER_KEY')) {
throw new SoapFault('Sender', 'The Server key you entered does not match with the server key at this address');
}
// Make sure we are sticking to our bandwidth limit
if (!$this->CheckBandwidth()) {
throw new SoapFault('Receiver', "Bandwidth Limit exceeded");
}
// Auth this request...
if (!$this->AuthDisplay($hardwareKey)) {
throw new SoapFault('Receiver', "This display client is not licensed");
}
// Validate the nonce
$nonce = new Nonce();
if (!$nonce->AllowedFile('resource', $this->displayId, NULL, $layoutId, $regionId, $mediaId)) {
throw new SoapFault('Receiver', 'Requested an invalid file.');
}
// What type of module is this?
$region = new region();
$type = $region->GetMediaNodeType($layoutId, $regionId, $mediaId);
if ($type == '') {
throw new SoapFault('Receiver', 'Unable to get the media node type');
}
// Dummy User Object
$user = new User();
$user->userid = 0;
$user->usertypeid = 1;
// Initialise the theme (for global styles in GetResource)
new Theme($user);
Theme::SetPagename('module');
// Get the resource from the module
try {
$module = ModuleFactory::load($type, $layoutId, $regionId, $mediaId, null, null, $user);
} catch (Exception $e) {
Debug::Error($e->getMessage(), $this->displayId);
throw new SoapFault('Receiver', 'Cannot create module. Check CMS Log');
}
$resource = $module->GetResource($this->displayId);
if (!$resource || $resource == '') {
throw new SoapFault('Receiver', 'Unable to get the media resource');
}
// Log Bandwidth
$this->LogBandwidth($this->displayId, Bandwidth::$GETRESOURCE, strlen($resource));
return $resource;
}
public function testCreation()
{
$nonce = new Nonce();
$this->assertEquals(self::$nonce, $nonce->generate());
$this->assertEquals(self::$nonce, (string) $nonce);
}
// Check to see if we are going to consume a service (if we came from xmds.php then we will always use the SOAP service)
if (defined('XMDS') || $method != '') {
// Create a service to handle the method
switch ($service) {
case 'soap':
// Check to see if we have a file attribute set (for HTTP file downloads)
if (isset($_GET['file'])) {
// Check send file mode is enabled
$sendFileMode = Config::GetSetting('SENDFILE_MODE');
if ($sendFileMode == 'Off') {
Debug::LogEntry('audit', 'HTTP GetFile request received but SendFile Mode is Off. Issuing 404', 'services');
header('HTTP/1.0 404 Not Found');
exit;
}
// Check nonce, output appropriate headers, log bandwidth and stop.
$nonce = new Nonce();
if (!($file = $nonce->Details(Kit::GetParam('file', _GET, _STRING)))) {
Debug::LogEntry('audit', 'HTTP GetFile request received but unable to find XMDS Nonce. Issuing 404', 'services');
// 404
header('HTTP/1.0 404 Not Found');
} else {
// Issue magic packet
// Send via Apache X-Sendfile header?
if ($sendFileMode == 'Apache') {
Debug::LogEntry('audit', 'HTTP GetFile request redirecting to ' . Config::GetSetting('LIBRARY_LOCATION') . $file['storedAs'], 'services');
header('X-Sendfile: ' . Config::GetSetting('LIBRARY_LOCATION') . $file['storedAs']);
} else {
if ($sendFileMode == 'Nginx') {
header('X-Accel-Redirect: /download/' . $file['storedAs']);
} else {
header('HTTP/1.0 404 Not Found');
<?php
require "_inc/functions.php";
//Redirect to members page if logged in
if ($auth->logged_in) {
header("Location: members.php");
}
$nonce = new Nonce("register_action");
if (isset($_POST['submit'])) {
if (!isset($_POST["nonce"]) || !$nonce->verify($_POST["nonce"])) {
die("CSRF detected, knock it off you punk");
}
if (!isset($_POST['uname']) || !isset($_POST['password']) || !isset($_POST['fname']) || !isset($_POST['lname'])) {
die('<p>You did not fill in a required field.
Please go back and try again!</p>');
}
if (!$auth->createUser($_POST["uname"], $_POST["password"], $_POST["fname"], $_POST["lname"])) {
die("Sorry, can't create user");
} else {
$userCreated = true;
}
}
require "_inc/header.php";
?>
<div class="post">
<div class="post-bgtop">
<div class="post-bgbtm">
<h2 class = "title">hackme Registration</h2>
<?php
if (isset($userCreated)) {
?>
public final function execute()
{
/*
* kontroly funkcii
*/
//prednastavena hodnota premnnej enabled je false
if (empty($this->enabled)) {
$this->enabled = false;
}
//zisti ci bola zadana funkcia
if (empty($_GET['func'])) {
$this->setMsg(false, "Nebola zadaná žiadna funkcia");
return;
}
//zisti, ci zadana funkcia existuje
if (empty($this->functions[$_GET['func']])) {
$this->setMsg(false, "Zadaná funkcia neexistuje");
return;
}
//kontrola identifikatora formulara
if (!empty($_POST['nonce']) && !Nonce::checkNonce($_POST['nonce'])) {
$this->setMsg(false, "Neplatný formulár.");
return;
}
//pripojenie na databazu
$db = CDatabaza::getInstance();
//zisti, ci sa uskutocnilo spojenie s databazou
if (empty($db)) {
$this->setMsg(false, "Spojenie s databázou zlyhalo");
return;
}
//skontoluje, ci je mozne spustit modul
if (!$this->enabled) {
$this->setMsg(false, "Nemáte oprávnenie na zmenu záznamov");
return;
}
//spusti vybranu funkciu zvoleneho modulu
$call = $this->functions[$_GET['func']]['execute'];
$this->{$call}();
}
/**
* Constructor. Sets up the properties.
*
* @param string $file Main plugin file.
* @param State $state State model.
* @param Nonce $nonce Nonce object.
*/
public function __construct($file, State $state, Nonce $nonce)
{
$this->file = $file;
$this->state = $state;
$this->nonce = $nonce->get();
}
