Example #1
File: start.php — Project: iionly/captcha
/**
 * Derive the captcha answer for a challenge from its seed value.
 *
 * The answer is a prefix of md5(<action token for timestamp 0> . $seed_token).
 * The action-token part is, per the original author's note, built from
 * session data plus the site secret, so within one session only $seed_token
 * varies between challenges: the seed must be unpredictable and must not be
 * reused, because the same seed yields the same answer again. The prefix
 * length comes from the plugin's 'captcha_length' setting.
 *
 * @param string $seed_token Per-challenge random seed
 * @return string Lower-cased hex prefix of the digest
 */
function captcha_generate_captcha($seed_token)
{
    // Unavailable to the client: ties the answer to the session and site secret
    // so it cannot be computed from the seed alone (see the author's note above).
    $session_part = generate_action_token(0);
    $digest = md5($session_part . $seed_token);
    $answer_length = elgg_get_plugin_setting('captcha_length', 'captcha');

    // md5() already returns lower-case hex; strtolower is kept for parity.
    return strtolower(substr($digest, 0, $answer_length));
}
Example #2
 /**
  * Append CSRF action tokens (__elgg_ts and __elgg_token) to a URL.
  *
  * A URL whose query string already carries both parameters is returned
  * untouched, i.e. tokens present in the input are kept as-is rather than
  * regenerated. Otherwise a fresh timestamp and its matching token are merged
  * into the existing query and the URL is rebuilt.
  *
  * @param string $url Full action URL
  * @return string URL carrying action tokens
  * @since 1.7
  */
 function elgg_add_action_tokens_to_url($url)
 {
     $parts = parse_url($url);
     $params = isset($parts['query']) ? elgg_parse_str($parts['query']) : array();

     // nothing to do when a caller has already tokenised the URL
     if (isset($params['__elgg_ts'], $params['__elgg_token'])) {
         return $url;
     }

     // the token is bound to exactly this timestamp
     $now = time();
     $params['__elgg_ts'] = $now;
     $params['__elgg_token'] = generate_action_token($now);
     $parts['query'] = http_build_query($params);

     return elgg_http_build_url($parts);
 }
Example #3
/**
 * Emit a fresh action-token pair as JSON for the client-side token refresh.
 *
 * Only answers requests for which elgg_is_xhr() is true; anything else gets
 * false and no output. The body is {__elgg_ts, __elgg_token, logged_in}.
 * NOTE(review): the only gate here is elgg_is_xhr(); this endpoint hands out
 * CSRF tokens to whoever passes it, so that check must remain something a
 * cross-origin page cannot satisfy without a CORS preflight.
 *
 * @return bool True when a token was sent, false for non-XHR requests
 * @access private
 */
function _elgg_csrf_token_refresh()
{
    if (!elgg_is_xhr()) {
        return false;
    }

    $now = time();
    $payload = array(
        '__elgg_ts' => $now,
        '__elgg_token' => generate_action_token($now),
        'logged_in' => elgg_is_logged_in(),
    );

    header("Content-Type: application/json");
    echo json_encode($payload);

    return true;
}
<?php

/**
 * Initialize Elgg's js lib with the uncacheable data
 *
 * Builds the $elgg array that is serialised below as the client-side `elgg`
 * object: cache/viewtype config, a fresh action-token pair, the page owner
 * (when there is one) and the logged-in user with an `admin` flag. Everything
 * placed in this array is visible to the browser.
 */
$ts = time();
$elgg = array(
    'config' => array(
        'lastcache' => (int) elgg_get_config('lastcache'),
        'viewtype' => elgg_get_viewtype(),
        'simplecache_enabled' => (int) elgg_is_simplecache_enabled(),
    ),
    'security' => array(
        'token' => array(
            '__elgg_ts' => $ts,
            '__elgg_token' => generate_action_token($ts),
        ),
    ),
    'session' => array('user' => null),
);

$page_owner = elgg_get_page_owner_entity();
if ($page_owner instanceof ElggEntity) {
    $elgg['page_owner'] = $page_owner->toObject();
}

$user = elgg_get_logged_in_user_entity();
if ($user instanceof ElggUser) {
    $exported_user = $user->toObject();
    $exported_user->admin = $user->isAdmin();
    $elgg['session']['user'] = $exported_user;
}
?>

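var elgg = <?php 
// Encode <, >, &, ' and " as \uXXXX so the literal stays safe even if this
// output is ever inlined in a <script> element: $elgg carries entity data
// (page owner, session user), and json_encode's default leaves "</script>"
// inside a string value untouched.
echo json_encode($elgg, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
?>
;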
<?php 
// note: elgg.session.user needs to be wrapped with elgg.ElggUser, but this class isn't
// defined yet. So this is delayed until after the classes are defined, in js/lib/session.js
Example #5
<?php

/**
 * Blog integration settings tab
 *
 * Renders the URL an external blog should post to (blog.post over the REST
 * API, authenticated by a plugin-wide "token") and a picker of groups.
 */
// NOTE(review): the long-lived API token is minted with generate_action_token(),
// i.e. a CSRF action token derived from the creating admin's session plus a
// timestamp, not a random secret. It is stored once in plugin settings and then
// reused indefinitely inside a URL. A dedicated random value (for example
// bin2hex(random_bytes(16)) on PHP 7+) is the appropriate source for a
// persistent credential; also confirm how the services/api endpoint checks it.
$token = elgg_get_plugin_setting('blog_token', 'community_groups');
if (!$token) {
    $token = generate_action_token(time());
    elgg_set_plugin_setting('blog_token', $token, 'community_groups');
}
$url = elgg_get_site_url();
// The token is interpolated raw into the query string; it is shown to the
// admin through input/text, which is expected to escape the value.
$url .= "services/api/rest/json/?method=blog.post&token={$token}";
echo '<p class="mtm">' . elgg_echo('cg:admin:blog:instruct') . '</p>';
echo '<div><label>' . elgg_echo('cg:admin:blogurl') . ':</label> ';
echo elgg_view('input/text', array('value' => $url));
echo '</div>';
// create list of groups for the form
$options = array('type' => 'group', 'limit' => 0);
$groups = elgg_get_entities($options);
$options = array();
foreach ($groups as $group) {
    // NOTE(review): $vars['post'] does not appear to be set in this settings
    // view; if it is absent this compares against null and every group is listed.
    if ($group->guid != $vars['post']->container_guid) {
        $options[$group->guid] = $group->name;
    }
}
asort($options);
// get previous group guid that was set
$group_guid = elgg_get_plugin_setting('blog_group_guid', 'community_groups');
// NOTE(review): $form_body is not initialised in the visible part of this view.
$form_body .= '<div>';
$form_body .= '<label>';
$form_body .= elgg_echo('cg:admin:bloggroup');
Example #6
				</li>
				<?php 
}
?>
				<li>
                    <a href="<?php 
echo elgg_get_site_url();
?>
settings">
                        <i class="fa fa-tasks"></i>Settings
                    </a>
                </li>
				<li>
				<?php 
// Logout is reached by a plain GET link, so the CSRF pair has to travel in the
// href itself. The token is bound to this timestamp and to the viewer's session;
// NOTE(review): a page carrying this link must therefore not be served from a
// shared cache, or one user's token would be handed to others.
$__elgg_ts = time();
$__elgg_token = generate_action_token($__elgg_ts);
?>

					<a href="<?php 
echo elgg_get_site_url();
?>
logout?__elgg_ts=<?php 
echo $__elgg_ts;
?>
&__elgg_token=<?php 
// echoed unescaped into the attribute: acceptable only while the token is a
// plain hex digest with no attribute-breaking characters — confirm
echo $__elgg_token;
?>
">
                        <i class="fa fa-sign-out"></i>Log out
                    </a>
				</li>
Example #7
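/**
 * Validate an action token.
 *
 * Calls to actions will automatically validate tokens. If tokens are not
 * present or invalid, the action will be denied and the user will be redirected.
 *
 * Plugin authors should never have to manually validate action tokens.
 *
 * The supplied token must equal the token regenerated for the supplied
 * timestamp (which binds it to the current session), the timestamp must lie
 * within +/- $CONFIG->action_token_timeout hours of now (default 2; 0 disables
 * the window), and the 'action_gatekeeper:permissions:check' hook must not
 * veto it. The token comparison is strict and constant-time: the previous
 * loose `==` let PHP compare two numeric-looking strings as numbers (so e.g.
 * "0e12" == "0"), and an early-exit compare leaks the matching prefix length.
 *
 * @param bool  $visibleerrors Emit {@link register_error()} errors on failure?
 * @param mixed $token         The token to test against. Default: $_REQUEST['__elgg_token']
 * @param mixed $ts            The time stamp to test against. Default: $_REQUEST['__elgg_ts']
 *
 * @return bool
 * @see generate_action_token()
 * @link http://docs.elgg.org/Actions/Tokens
 * @access private
 */
function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
{
    global $CONFIG;

    if (!$token) {
        $token = get_input('__elgg_token');
    }
    if (!$ts) {
        $ts = get_input('__elgg_ts');
    }

    // default to 2 hours
    $timeout = isset($CONFIG->action_token_timeout) ? $CONFIG->action_token_timeout : 2;

    $session_id = session_id();
    if (!($token && $ts && $session_id)) {
        if ($visibleerrors) {
            register_error(elgg_echo('actiongatekeeper:missingfields'));
        }
        return FALSE;
    }

    // generate token, check with input and forward if invalid
    $generated_token = (string) generate_action_token($ts);
    $token = is_scalar($token) ? (string) $token : null;
    if ($token === null) {
        // an array or object can never be a valid digest
        $token_matches = false;
    } elseif (function_exists('hash_equals')) {
        $token_matches = hash_equals($generated_token, $token);
    } else {
        // PHP < 5.6 fallback: XOR every byte over the full length, never exit early
        $generated_len = strlen($generated_token);
        $diff = $generated_len ^ strlen($token);
        for ($i = 0; $i < $generated_len; $i++) {
            $diff |= ord($generated_token[$i]) ^ ord(isset($token[$i]) ? $token[$i] : "\0");
        }
        $token_matches = ($diff === 0);
    }

    if (!$token_matches) {
        if ($visibleerrors) {
            register_error(elgg_echo('actiongatekeeper:tokeninvalid'));
        }
        return FALSE;
    }

    // Validate time to ensure its not crazy (a timeout of 0 disables the window)
    $timeout_secs = $timeout * 60 * 60;
    $now = time();
    $in_window = $timeout_secs == 0 || ($ts > $now - $timeout_secs && $ts < $now + $timeout_secs);
    if (!$in_window) {
        if ($visibleerrors) {
            register_error(elgg_echo('actiongatekeeper:timeerror'));
        }
        return FALSE;
    }

    // We have already got this far, so unless anything
    // else says something to the contrary we assume we're ok
    $allowed = elgg_trigger_plugin_hook('action_gatekeeper:permissions:check', 'all', array('token' => $token, 'time' => $ts), true);
    if ($allowed) {
        return true;
    }
    if ($visibleerrors) {
        register_error(elgg_echo('actiongatekeeper:pluginprevents'));
    }
    return FALSE;
}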
Example #8
 /**
  * This method is used to retrieve the login URL of the CAS server.
  *
  * The base login URL (base URL + 'login?service=<urlencoded current URL>'
  * [+ '&gateway=true']) is built once and cached in $this->_server['login_url'];
  * an Elgg action-token pair is then appended to the returned value on every
  * call, the cached value itself staying untouched.
  *
  * NOTE(review): $params begins with '?', but the cached URL already holds a
  * '?service=...' query. As written, "?__elgg_ts=..." is glued onto the last
  * existing parameter value (service, or gateway=true), while "&__elgg_token"
  * and "&_elgg_tmp=aa" become separate parameters of the CAS login request.
  * If the tokens are meant for the service (return) URL they need to be added
  * to $this->getURL() before urlencode() — confirm the intent. The trace
  * below also records the URL without the appended tokens.
  *
  * @param $gateway true to check authentication, false to force it
  * @return a URL.
  * @private
  */
 function getServerLoginURL($gateway = false)
 {
     phpCAS::traceBegin();
     // the URL is build only when needed
     if (empty($this->_server['login_url'])) {
         $this->_server['login_url'] = $this->getServerBaseURL();
         $this->_server['login_url'] .= 'login?service=';
         //        $this->_server['login_url'] .= preg_replace('/&/','%26',$this->getURL());
         $this->_server['login_url'] .= urlencode($this->getURL());
         if ($gateway) {
             $this->_server['login_url'] .= '&gateway=true';
         }
     }
     phpCAS::traceEnd($this->_server['login_url']);
     // token bound to this timestamp and the current session; not cached
     $ts = time();
     $token = generate_action_token($ts);
     $params = "?__elgg_ts={$ts}&__elgg_token={$token}&_elgg_tmp=aa";
     return $this->_server['login_url'] . $params;
 }
Example #9
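 /**
  * @see validate_action_token
  *
  * Accepts the request only when the submitted token equals the token
  * regenerated for the submitted timestamp (which binds it to this session),
  * the timestamp passes validateTokenTimestamp(), and no
  * 'action_gatekeeper:permissions:check' handler vetoes it.
  *
  * The token comparison is strict and constant-time. The previous loose `==`
  * let PHP compare two numeric-looking strings as numbers (so e.g. "0e12" ==
  * "0"), and an early-exit compare leaks the length of the matching prefix.
  *
  * @param bool  $visible_errors Register user-visible errors on failure?
  * @param mixed $token          Token to check; defaults to input '__elgg_token'
  * @param mixed $ts             Timestamp to check; defaults to input '__elgg_ts'
  * @return bool
  * @access private
  */
 public function validateActionToken($visible_errors = true, $token = null, $ts = null)
 {
     if (!$token) {
         $token = get_input('__elgg_token');
     }
     if (!$ts) {
         $ts = get_input('__elgg_ts');
     }
     $session_id = _elgg_services()->session->getId();

     if (!($token && $ts && $session_id)) {
         if (!empty($_SERVER['CONTENT_LENGTH']) && empty($_POST)) {
             // The size of $_POST or uploaded file has exceed the size limit
             $error_msg = elgg_trigger_plugin_hook('action_gatekeeper:upload_exceeded_msg', 'all', array('post_size' => $_SERVER['CONTENT_LENGTH'], 'visible_errors' => $visible_errors), elgg_echo('actiongatekeeper:uploadexceeded'));
         } else {
             $error_msg = elgg_echo('actiongatekeeper:missingfields');
         }
         if ($visible_errors) {
             register_error($error_msg);
         }
         return false;
     }

     // an XHR client can recover from a bad/stale token by refreshing it (#5133)
     $report = function ($key) use ($visible_errors) {
         if (!$visible_errors) {
             return;
         }
         if (elgg_is_xhr()) {
             register_error(elgg_echo('js:security:token_refresh_failed', array(elgg_get_site_url())));
         } else {
             register_error(elgg_echo($key));
         }
     };

     // generate token, check with input and forward if invalid
     $required_token = (string) generate_action_token($ts);
     $token = is_scalar($token) ? (string) $token : null;
     if ($token === null) {
         // an array or object can never be a valid digest
         $token_matches = false;
     } elseif (function_exists('hash_equals')) {
         $token_matches = hash_equals($required_token, $token);
     } else {
         // PHP < 5.6 fallback: XOR every byte over the full length, never exit early
         $required_len = strlen($required_token);
         $diff = $required_len ^ strlen($token);
         for ($i = 0; $i < $required_len; $i++) {
             $diff |= ord($required_token[$i]) ^ ord(isset($token[$i]) ? $token[$i] : "\0");
         }
         $token_matches = ($diff === 0);
     }

     if (!$token_matches) {
         $report('actiongatekeeper:tokeninvalid');
         return false;
     }
     if (!$this->validateTokenTimestamp($ts)) {
         $report('actiongatekeeper:timeerror');
         return false;
     }

     // We have already got this far, so unless anything
     // else says something to the contrary we assume we're ok
     $allowed = elgg_trigger_plugin_hook('action_gatekeeper:permissions:check', 'all', array('token' => $token, 'time' => $ts), true);
     if ($allowed) {
         return true;
     }
     if ($visible_errors) {
         register_error(elgg_echo('actiongatekeeper:pluginprevents'));
     }
     return false;
 }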
Example #10
<?php

/**
 * Tidypics ajax upload form body
 *
 * @uses $vars['entity']
 */
$album = $vars['entity'];
// Only users who may edit the album get the uploader. forward() is expected to
// end the request here (TODO confirm); otherwise the form below still renders.
if (!$album->canEdit()) {
    register_error(elgg_echo("actionunauthorized"));
    elgg_log("ZHError , tidypics:photos:ajax_upload, user can not edit album, album_id {$album->guid}, user_id " . elgg_get_logged_in_user_guid(), "ERROR");
    forward(REFERER);
}
// CSRF pair for the AJAX uploader: the token is bound to $ts and to the
// viewer's session, so a cached copy of this form would not pass the gatekeeper.
$ts = time();
$batch = time();
$tidypics_token = generate_action_token($ts);
$basic_uploader_url = current_page_url() . '/basic';
// Upload size limit from plugin settings (presumably megabytes — see the
// instructions text below); falls back to 5 when unset or zero.
$maxfilesize = (double) elgg_get_plugin_setting('maxfilesize', 'tidypics');
if (!$maxfilesize) {
    $maxfilesize = 5;
}
?>

<p>
	<?php 
echo elgg_echo('tidypics:uploader:instructs', array($maxfilesize));
?>
</p>

<div id="uploader">
	<input type="hidden" name="album_guid" value="<?php 
Example #11
 /**
  * @see validate_action_token
  *
  * Accepts the request only when, in this order: the submitted token equals
  * the token regenerated for the submitted timestamp (compared in constant
  * time through the crypto service, which binds it to this session), the
  * timestamp passes validateTokenTimestamp(), and no
  * 'action_gatekeeper:permissions:check' handler vetoes it. Each failure
  * registers one error when $visible_errors is set; for XHR requests the
  * token errors point the client at the token-refresh flow (#5133). A request
  * that has a body but no parsed POST fields is reported as exceeding the
  * upload limit instead of as missing fields.
  *
  * @param bool  $visible_errors Register user-visible errors on failure?
  * @param mixed $token          Token to check; defaults to input '__elgg_token'
  * @param mixed $ts             Timestamp to check; defaults to input '__elgg_ts'
  * @return bool
  * @access private
  */
 public function validateActionToken($visible_errors = true, $token = null, $ts = null)
 {
     $translator = _elgg_services()->translator;

     if (!$token) {
         $token = get_input('__elgg_token');
     }
     if (!$ts) {
         $ts = get_input('__elgg_ts');
     }
     $session_id = _elgg_services()->session->getId();

     if (!($token && $ts && $session_id)) {
         $req = _elgg_services()->request;
         $length = $req->server->get('CONTENT_LENGTH');
         if ($length && count($req->request) < 1) {
             // The size of $_POST or uploaded file has exceed the size limit
             $error_msg = _elgg_services()->hooks->trigger('action_gatekeeper:upload_exceeded_msg', 'all', array('post_size' => $length, 'visible_errors' => $visible_errors), $translator->translate('actiongatekeeper:uploadexceeded'));
         } else {
             $error_msg = $translator->translate('actiongatekeeper:missingfields');
         }
         if ($visible_errors) {
             register_error($error_msg);
         }
         return false;
     }

     // an XHR client can recover from a bad/stale token by refreshing it (#5133)
     $report = function ($key) use ($visible_errors, $translator) {
         if (!$visible_errors) {
             return;
         }
         if (elgg_is_xhr()) {
             register_error($translator->translate('js:security:token_refresh_failed', array(_elgg_services()->config->getSiteUrl())));
         } else {
             register_error($translator->translate($key));
         }
     };

     // generate token, check with input and forward if invalid
     $required_token = generate_action_token($ts);
     if (!_elgg_services()->crypto->areEqual($token, $required_token)) {
         $report('actiongatekeeper:tokeninvalid');
         return false;
     }
     if (!$this->validateTokenTimestamp($ts)) {
         $report('actiongatekeeper:timeerror');
         return false;
     }

     // We have already got this far, so unless anything
     // else says something to the contrary we assume we're ok
     $allowed = _elgg_services()->hooks->trigger('action_gatekeeper:permissions:check', 'all', array('token' => $token, 'time' => $ts), true);
     if ($allowed) {
         return true;
     }
     if ($visible_errors) {
         register_error($translator->translate('actiongatekeeper:pluginprevents'));
     }
     return false;
 }
Example #12
 /**
  * Replaces dynamic data in menu's
  *
  * Substitutes the placeholders [username], [userguid], [__elgg_ts] and
  * [__elgg_token] in rendered menu markup. The user placeholders become empty
  * strings when nobody is logged in. The token pair is generated fresh on
  * every call and is bound to the viewer's session, so a menu containing these
  * placeholders must be rendered per request, not served from a shared cache.
  * Note that the username is inserted as-is; no HTML escaping happens here.
  *
  * @param string  $hook   name of the hook
  * @param string  $type   type of the hook
  * @param unknown $return rendered menu markup (returned unchanged when empty)
  * @param unknown $params hook parameters
  *
  * @return unknown the markup with placeholders replaced
  */
 public static function afterViewMenu($hook, $type, $return, $params)
 {
     if (empty($return)) {
         return $return;
     }

     // fill in username/userguid
     $user = elgg_get_logged_in_user_entity();
     $username = $user ? $user->username : '';
     $userguid = $user ? (string) $user->guid : '';

     // add in tokens
     $ts = time();
     $replacements = array(
         '[username]' => $username,
         '[userguid]' => $userguid,
         '[__elgg_ts]' => (string) $ts,
         '[__elgg_token]' => generate_action_token($ts),
     );

     // str_replace applies the pairs one after another over the whole string
     return str_replace(array_keys($replacements), array_values($replacements), $return);
 }
Example #13
/**
 * Build the query-string fragment carrying a fresh CSRF token pair.
 *
 * Meant to be appended to an action URL; the token is bound to the timestamp
 * it is generated with and to the current session.
 *
 * @return string "__elgg_token=<token>&__elgg_ts=<timestamp>" (no leading ? or &)
 */
function event_calendar_security_fields()
{
    $now = time();
    return sprintf('__elgg_token=%s&__elgg_ts=%s', generate_action_token($now), $now);
}
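/**
 * Validate an action token, returning true if valid and false if not
 *
 * Regenerates the token for the submitted __elgg_ts, compares it with the
 * submitted __elgg_token, requires the timestamp to be within one hour either
 * side of now, then lets the 'action_gatekeeper:permissions:check' hook veto
 * the request. The token comparison is constant-time: strcmp() stops at the
 * first differing byte and so leaks how long the matching prefix is.
 *
 * NOTE(review): this duplicates the core function of the same name; it can
 * only be declared when core does not already define it — confirm the guard
 * around this definition.
 *
 * @param bool $visibleerrors Register user-visible errors on failure?
 * @return bool
 */
function validate_action_token($visibleerrors = true)
{
    $token = get_input('__elgg_token');
    $ts = get_input('__elgg_ts');
    $session_id = session_id();

    if (!($token && $ts && $session_id)) {
        if ($visibleerrors) {
            register_error(elgg_echo('actiongatekeeper:missingfields'));
        }
        return false;
    }

    // generate token, check with input and forward if invalid
    $generated_token = (string) generate_action_token($ts);
    $token = is_scalar($token) ? (string) $token : null;
    if ($token === null) {
        // an array or object can never be a valid digest
        $token_matches = false;
    } elseif (function_exists('hash_equals')) {
        $token_matches = hash_equals($generated_token, $token);
    } else {
        // PHP < 5.6 fallback: XOR every byte over the full length, never exit early
        $generated_len = strlen($generated_token);
        $diff = $generated_len ^ strlen($token);
        for ($i = 0; $i < $generated_len; $i++) {
            $diff |= ord($generated_token[$i]) ^ ord(isset($token[$i]) ? $token[$i] : "\0");
        }
        $token_matches = ($diff === 0);
    }

    if (!$token_matches) {
        if ($visibleerrors) {
            register_error(elgg_echo('actiongatekeeper:tokeninvalid'));
        }
        return false;
    }

    // Validate time to ensure its not crazy: one hour either side of now
    $hour = 60 * 60;
    $now = time();
    if (!($ts > $now - $hour && $ts < $now + $hour)) {
        if ($visibleerrors) {
            register_error(elgg_echo('actiongatekeeper:timeerror'));
        }
        return false;
    }

    // We have already got this far, so unless anything else says something to the contrary we assume we're ok
    $allowed = trigger_plugin_hook('action_gatekeeper:permissions:check', 'all', array('token' => $token, 'time' => $ts), true);
    if ($allowed) {
        return true;
    }
    if ($visibleerrors) {
        register_error(elgg_echo('actiongatekeeper:pluginprevents'));
    }
    return false;
}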
Example #15
;
elgg.config.viewtype = '<?php 
echo elgg_get_viewtype();
?>
';
elgg.config.simplecache_enabled = <?php 
echo (int) elgg_is_simplecache_enabled();
?>
;

elgg.security.token.__elgg_ts = <?php 
// Fresh CSRF pair for the client-side elgg.security helpers; $ts is reused for
// the token below so it is bound to exactly the timestamp the client will send.
echo $ts = time();
?>
;
elgg.security.token.__elgg_token = '<?php 
// Emitted raw inside a JS single-quoted string: safe only while the token is a
// plain hex digest with no quote or backslash characters — confirm against
// generate_action_token().
echo generate_action_token($ts);
?>
';

<?php 
// @todo json export should be smoother than this...
// @todo Might also be nice to make url exportable. $entity->url? yes please!
$page_owner = elgg_get_page_owner_entity();
if ($page_owner instanceof ElggEntity) {
    $page_owner_json = array();
    foreach ($page_owner->getExportableValues() as $v) {
        $page_owner_json[$v] = $page_owner->{$v};
    }
    $page_owner_json['subtype'] = $page_owner->getSubtype();
    $page_owner_json['url'] = $page_owner->getURL();
    echo 'elgg.page_owner =  ' . json_encode($page_owner_json) . ';';
Example #16
<?php

/**
 * iZAP izap_videos
 *
 * @package Elgg videotizer, by iZAP Web Solutions.
 * @license GNU Public License version 3
 * @Contact iZAP Team "<*****@*****.**>"
 * @Founder Tarun Jangra "<*****@*****.**>"
 * @link http://www.izap.in/
 * 
 */
// Emit the CSRF token pair as hidden form fields so the enclosing form passes
// the action gatekeeper; the token is bound to this timestamp and session, so
// the rendered form must not be served from a shared cache.
$timestamp = time();
$fields = array(
    '__elgg_token' => generate_action_token($timestamp),
    '__elgg_ts' => $timestamp,
);
foreach ($fields as $field_name => $field_value) {
    echo elgg_view('input/hidden', array('internalname' => $field_name, 'value' => $field_value));
}
Example #17
File: views.php — Project: elgg/elgg
/**
 * Get the initial contents of "elgg" client side. Will be extended by elgg.js.
 *
 * Assembles the config block, a fresh action-token pair, the session user
 * (with an `admin` flag) and page owner when present, the session token stored
 * under '__elgg_session', and whatever the 'elgg.data','page' hook returns
 * under `_data`. A hook result that is not an array is logged and dropped.
 * Everything in the returned array is serialised to the browser, so hook
 * handlers must not add anything the viewer should not see.
 *
 * @return array
 * @access private
 */
function _elgg_get_js_page_data()
{
    $hook_data = elgg_trigger_plugin_hook('elgg.data', 'page', null, []);
    if (!is_array($hook_data)) {
        elgg_log('"elgg.data" plugin hook handlers must return an array. Returned ' . gettype($hook_data) . '.', 'ERROR');
        $hook_data = [];
    }

    $ts = time();
    $page_data = [
        'config' => [
            'lastcache' => (int) elgg_get_config('lastcache'),
            'viewtype' => elgg_get_viewtype(),
            'simplecache_enabled' => (int) elgg_is_simplecache_enabled(),
        ],
        'security' => [
            'token' => [
                '__elgg_ts' => $ts,
                '__elgg_token' => generate_action_token($ts),
            ],
        ],
        'session' => [
            'user' => null,
            'token' => _elgg_services()->session->get('__elgg_session'),
        ],
        '_data' => (object) $hook_data,
    ];

    if (elgg_get_config('elgg_load_sync_code')) {
        $page_data['config']['load_sync_code'] = true;
    }

    $owner = elgg_get_page_owner_entity();
    if ($owner instanceof ElggEntity) {
        $page_data['page_owner'] = $owner->toObject();
    }

    $viewer = elgg_get_logged_in_user_entity();
    if ($viewer instanceof ElggUser) {
        $exported_viewer = $viewer->toObject();
        $exported_viewer->admin = $viewer->isAdmin();
        $page_data['session']['user'] = $exported_viewer;
    }

    return $page_data;
}