* * @author Oliver Georgi <*****@*****.**> * @copyright Copyright (c) 2002-2015, Oliver Georgi * @license http://opensource.org/licenses/GPL-2.0 GNU GPL-2 * @link http://www.phpwcms.de * **/ session_start(); if (empty($_SESSION["wcs_user_id"])) { die('{"success":false}'); } $phpwcms = array(); require '../../include/config/conf.inc.php'; require '../inc_lib/default.inc.php'; require_once PHPWCMS_ROOT . '/include/inc_lib/helper.session.php'; if (!validate_csrf_get_token('csrftoken')) { die('{"success":false}'); } require PHPWCMS_ROOT . '/include/inc_lib/general.inc.php'; require PHPWCMS_ROOT . '/include/inc_js/uploader/fileuploader.php'; if (@ini_get('post_max_size')) { $post_max_size = return_bytes(ini_get('post_max_size')); if ($post_max_size < $phpwcms['file_maxsize']) { $phpwcms['file_maxsize'] = $post_max_size - 1; } } else { $post_max_size = $phpwcms['file_maxsize']; } if (@ini_get('upload_max_filesize')) { $upload_max_filesize = return_bytes(ini_get('upload_max_filesize')); if ($upload_max_filesize < $phpwcms['file_maxsize']) {
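/**
 * Validate CSRF tokens, POST and GET.
 *
 * A POST request with a non-empty body must carry the token under
 * $token_prefix . 'token_name' and $token_prefix . 'token_value'; every
 * other request is checked through validate_csrf_get_token('csrftoken').
 * A missing, non-string or non-matching token raises an E_USER_ERROR and,
 * in case error reporting does not stop the script, the user is logged out
 * via logout_user(). Whether logout_user() terminates the request is not
 * visible here; if it returns, execution continues with the purge below.
 *
 * Afterwards cached unique tokens older than 15 minutes are removed from
 * the session.
 *
 * @access public
 * @param string $token_prefix (default: 'csrf_')
 * @return void
 */
function validate_csrf_tokens($token_prefix = 'csrf_') {
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && count($_POST)) {
        $name_key = $token_prefix . 'token_name';
        $value_key = $token_prefix . 'token_value';
        // Request values can be arrays (e.g. "csrf_token_name[]=x"); only
        // non-empty strings are handed to the validator, anything else
        // fails closed as a missing token.
        $token_name = isset($_POST[$name_key]) && is_string($_POST[$name_key]) ? $_POST[$name_key] : '';
        $token_value = isset($_POST[$value_key]) && is_string($_POST[$value_key]) ? $_POST[$value_key] : '';
        if (empty($token_name) || empty($token_value)) {
            trigger_error('No CSRF token found, probable invalid request.', E_USER_ERROR);
            logout_user('csrf-post-invalid', 'danger');
        } elseif (!validate_session_token($token_name, $token_value)) {
            trigger_error('Validating the CSRF token failed, probable an outdated request.', E_USER_ERROR);
            logout_user('csrf-post-failed', 'danger');
        }
    } else {
        validate_csrf_get_token('csrftoken');
    }

    // Purge cached tokens older than 15 minutes; guard the session value
    // so a non-array entry cannot break the foreach.
    $cached_tokens = get_session_var('cached_unique_tokens');
    if (is_array($cached_tokens) && count($cached_tokens)) {
        $expired_before = time() - 60 * 15; // 15 Minutes
        foreach ($cached_tokens as $unique_name => $time) {
            if ($time < $expired_before) {
                unset_session_var($unique_name);
                unset_cached_token($unique_name);
            }
        }
    }
}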