示例#1
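/**
 * Retrieves the token(s) that identify the current context. Tokens are
 * separated by semicolons.
 *
 * Sources are tried in order: the PHP session id, a dedicated CSRF cookie,
 * and a configured static key work without a server-side secret; the
 * configured user identity and (when 'allow-ip' is set) the client address
 * are only used once csrf_get_secret() yields a secret. Returns the string
 * 'invalid' when no source applies.
 *
 * @return string
 */
function csrf_get_tokens()
{
    $has_cookies = !empty($_COOKIE);
    $secret = csrf_get_secret();
    // $ip is an optional composite component appended when the client sent
    // no cookies. It is only built when a secret exists and the server
    // actually exposes the address; the isset() guard avoids an undefined
    // index notice on servers that do not populate it.
    // NOTE(review): 'IP_ADDRESS' is not a standard $_SERVER key (REMOTE_ADDR
    // is) — confirm the deployment populates it, otherwise this component is
    // never emitted.
    if (!$has_cookies && $secret && isset($_SERVER['IP_ADDRESS'])) {
        $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
    } else {
        $ip = '';
    }
    csrf_start();
    // These sources do not depend on the server-side secret.
    if (session_id()) {
        return 'sid:' . csrf_hash(session_id()) . $ip;
    }
    if ($GLOBALS['csrf']['cookie']) {
        $val = csrf_generate_secret();
        // NOTE(review): the cookie is set with setcookie() defaults (no
        // HttpOnly/Secure attributes); harden per deployment if required.
        setcookie($GLOBALS['csrf']['cookie'], $val);
        return 'cookie:' . csrf_hash($val) . $ip;
    }
    if ($GLOBALS['csrf']['key']) {
        return 'key:' . csrf_hash($GLOBALS['csrf']['key']) . $ip;
    }
    // The remaining sources require a server-side secret.
    if (!$secret) {
        return 'invalid';
    }
    if ($GLOBALS['csrf']['user'] !== false) {
        return 'user:' . csrf_hash($GLOBALS['csrf']['user']);
    }
    if ($GLOBALS['csrf']['allow-ip']) {
        // $ip carries a leading ';' as a separator; strip it when it is the
        // only component.
        return ltrim($ip, ';');
    }
    return 'invalid';
}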
示例#2
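/**
 * Retrieves a valid token(s) for a particular context. Tokens are separated
 * by semicolons.
 *
 * Sources are tried in order: the PHP session id, a dedicated CSRF cookie
 * and a configured static key work without a server-side secret; the
 * configured user identity and (when 'allow-ip' is set) the client address
 * are only used once csrf_get_secret() yields a secret. Returns the string
 * 'invalid' when no source applies.
 *
 * @return string
 */
function csrf_get_tokens()
{
    $has_cookies = !empty($_COOKIE);
    // $ip implements a composite key, which is sent if the user hasn't sent
    // any cookies. It may or may not be used, depending on whether or not
    // the cookies "stick"
    $secret = csrf_get_secret();
    // NOTE(review): 'IP_ADDRESS' is not a standard $_SERVER key (REMOTE_ADDR
    // is) — confirm the deployment populates it, otherwise this component is
    // never emitted.
    if (!$has_cookies && $secret && isset($_SERVER['IP_ADDRESS'])) {
        // :TODO: Harden this against proxy-spoofing attacks
        $ip = ';ip:' . csrf_hash($_SERVER['IP_ADDRESS']);
    } else {
        $ip = '';
    }
    csrf_start();
    // These are "strong" algorithms that don't require per se a secret
    if (session_id()) {
        return 'sid:' . csrf_hash(session_id()) . $ip;
    }
    if ($GLOBALS['csrf']['cookie']) {
        $val = csrf_generate_secret();
        // NOTE(review): the cookie is set with setcookie() defaults (no
        // HttpOnly/Secure attributes); harden per deployment if required.
        setcookie($GLOBALS['csrf']['cookie'], $val);
        return 'cookie:' . csrf_hash($val) . $ip;
    }
    if ($GLOBALS['csrf']['key']) {
        return 'key:' . csrf_hash($GLOBALS['csrf']['key']) . $ip;
    }
    // These further algorithms require a server-side secret
    if (!$secret) {
        return 'invalid';
    }
    if ($GLOBALS['csrf']['user'] !== false) {
        return 'user:' . csrf_hash($GLOBALS['csrf']['user']);
    }
    if ($GLOBALS['csrf']['allow-ip']) {
        // $ip carries a leading ';' as a separator; strip it when it is the
        // only component.
        return ltrim($ip, ';');
    }
    return 'invalid';
}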
示例#3
            $site_sess->set_session_var("rated_imgs", $session_info['rated_imgs']);
            $cookie_rated[] = $id;
            $cookie_expire = time() + 60 * 60 * 24 * 4;
            setcookie($cookie_name . 'rated', implode(" ", $cookie_rated), $cookie_expire, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
            update_image_rating($id, $rating);
            $msg = $lang['voting_success'];
        } else {
            $msg = $lang['already_voted'];
        }
    } else {
        $msg = $lang['voting_error'];
    }
}
//-----------------------------------------------------
//--- User Box ----------------------------------------
//-----------------------------------------------------
// Decide which user box to render: the "logged in" info panel for anyone at
// or above USER level, the login form otherwise.
$is_logged_in = ($user_info['user_level'] >= USER);
if ($is_logged_in) {
    // Substitute the user's name into the "logged in" message before the
    // template is parsed.
    // NOTE(review): preg_replace() interprets "\\" and "$n" in its replacement
    // argument as back-references, so a display name containing them would be
    // rewritten; confirm format_text() neutralises that, or switch to a
    // literal replacement.
    $name_pattern = "/" . $site_template->start . "loggedin_user_name" . $site_template->end . "/siU";
    $loggedin_msg = preg_replace($name_pattern, format_text($user_info['user_name'], 2), $lang['lang_loggedin_msg']);
    $site_template->register_vars("lang_loggedin_msg", $loggedin_msg);
    $box_template = "user_logininfo";
    $box_flags = array(
        "user_loggedin" => 1,
        "user_loggedout" => 0,
        "is_admin" => ($user_info['user_level'] == ADMIN) ? 1 : 0,
    );
} else {
    $box_template = "user_loginform";
    $box_flags = array(
        "user_loggedin" => 0,
        "user_loggedout" => 1,
        "is_admin" => 0,
    );
}
$user_box = $site_template->parse_template($box_template);
$site_template->register_vars(array_merge(array("user_box" => $user_box), $box_flags));
$site_template->un_register_vars($box_template);
// Drop the temporaries so nothing leaks into the global scope.
unset($user_box, $box_template, $box_flags, $is_logged_in, $name_pattern, $loggedin_msg);
// Frontend CSRF protection is opt-in via both flags.
if ($csrf_protection_enable && $csrf_protection_frontend) {
    csrf_start(true);
}
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/
// Refuse to run unless bootstrapped through the application entry point.
if (!defined('ROOT_PATH')) {
    die("Security violation");
}
define('GET_CACHES', 1);
include_once ROOT_PATH . 'global.php';
include_once ROOT_PATH . 'includes/sessions.php';
include_once ROOT_PATH . 'admin/admin_functions.php';
// Backend CSRF protection is opt-in via both flags.
if ($csrf_protection_enable && $csrf_protection_backend) {
    csrf_start();
}
// Navigation parameters for this admin script. GET takes precedence over
// POST; both are only whitespace-trimmed here.
// NOTE(review): both values come straight from the request — the code that
// consumes them (outside this excerpt) must validate them as local paths
// before using them in a redirect or include.
$redirect = "";
if (isset($HTTP_GET_VARS['redirect'])) {
    $redirect = trim($HTTP_GET_VARS['redirect']);
} elseif (isset($HTTP_POST_VARS['redirect'])) {
    $redirect = trim($HTTP_POST_VARS['redirect']);
}
$goto = "";
if (isset($HTTP_GET_VARS['goto'])) {
    $goto = trim($HTTP_GET_VARS['goto']);
} elseif (isset($HTTP_POST_VARS['goto'])) {
    $goto = trim($HTTP_POST_VARS['goto']);
}
// Scripts living under plugins/ need their self URL prefixed accordingly.
if (isset($PHP_SELF) && preg_match("/\\/plugins\\//i", $PHP_SELF)) {
    $self_url = "plugins/" . $self_url;
}
if ($goto != "") {