/**
 * Generate a captcha based on the given seed value and length.
 *
 * The answer is a lowercase prefix of md5(action token . seed). Per the original
 * author's note the action token mixes in session data and the site secret, so a
 * client that knows only the seed cannot precompute the answer. A timestamp of 0 is
 * passed to generate_action_token(), presumably so the token (and therefore the
 * answer) stays stable across requests within one session. The prefix length is
 * the plugin's 'captcha_length' setting.
 *
 * @param string $seed_token Random seed sent along with the captcha challenge
 * @return string
 */
function captcha_generate_captcha($seed_token) {
	$digest = md5(generate_action_token(0) . $seed_token);
	$length = elgg_get_plugin_setting('captcha_length', 'captcha');

	return strtolower(substr($digest, 0, $length));
}
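/**
 * Adds action tokens to URL
 *
 * If the URL already carries both __elgg_ts and __elgg_token it is returned
 * untouched; otherwise a fresh timestamp and the matching token are appended to
 * the query string and the URL is rebuilt.
 *
 * @param string $url Full action URL
 * @return string URL with action tokens (the input unchanged if it cannot be parsed)
 * @since 1.7
 */
function elgg_add_action_tokens_to_url($url) {
	$components = parse_url($url);
	if ($components === false) {
		// seriously malformed URL: there is nothing sensible to rebuild from
		return $url;
	}

	$query = isset($components['query']) ? elgg_parse_str($components['query']) : array();

	// both parts already present: keep the pair the caller supplied
	if (isset($query['__elgg_ts']) && isset($query['__elgg_token'])) {
		return $url;
	}

	// append action tokens to the existing query; the token is only valid for
	// the exact timestamp it was generated with, so both travel together
	$query['__elgg_ts'] = time();
	$query['__elgg_token'] = generate_action_token($query['__elgg_ts']);

	$components['query'] = http_build_query($query);

	// rebuild the full url
	return elgg_http_build_url($components);
}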
/**
 * Send an updated CSRF token
 *
 * Only XHR requests are answered; for anything else nothing is written and false
 * is returned. On success a JSON object holding a fresh timestamp/token pair and
 * the current logged-in state is echoed with an application/json content type.
 *
 * @return bool true when a token was emitted
 * @access private
 */
function _elgg_csrf_token_refresh() {
	if (!elgg_is_xhr()) {
		return false;
	}

	$ts = time();
	$payload = array(
		'__elgg_ts' => $ts,
		'__elgg_token' => generate_action_token($ts),
		'logged_in' => elgg_is_logged_in(),
	);

	header("Content-Type: application/json");
	echo json_encode($payload);

	return true;
}
<?php
/**
 * Initialize Elgg's js lib with the uncacheable data
 *
 * Emits `var elgg = {...};` holding the cache/viewtype config, a fresh CSRF
 * token pair, the page owner (when there is one) and the logged-in user (when
 * there is one, with an extra 'admin' flag).
 */
$ts = time();
$elgg = array(
	'config' => array(
		'lastcache' => (int) elgg_get_config('lastcache'),
		'viewtype' => elgg_get_viewtype(),
		'simplecache_enabled' => (int) elgg_is_simplecache_enabled(),
	),
	'security' => array(
		'token' => array(
			'__elgg_ts' => $ts,
			'__elgg_token' => generate_action_token($ts),
		),
	),
	'session' => array('user' => null),
);

$page_owner = elgg_get_page_owner_entity();
if ($page_owner instanceof ElggEntity) {
	$elgg['page_owner'] = $page_owner->toObject();
}

$user = elgg_get_logged_in_user_entity();
if ($user instanceof ElggUser) {
	$user_object = $user->toObject();
	$user_object->admin = $user->isAdmin();
	$elgg['session']['user'] = $user_object;
}
?>
var elgg = <?php echo json_encode($elgg); ?>;
<?php
// note: elgg.session.user needs to be wrapped with elgg.ElggUser, but this class isn't
// defined yet. So this is delayed until after the classes are defined, in js/lib/session.js
<?php
/**
 * Blog integration settings tab
 *
 * Shows the REST endpoint an external blog should post to (carrying a persistent
 * 'blog_token') and starts building the group-selection part of the settings form.
 */

// NOTE(review): the stored blog_token is an action token generated once and then kept
// in plugin settings as a long-lived API credential. Action tokens appear to be bound
// to session data and a timestamp (see validate_action_token()), so confirm the API
// layer accepts this value independently of the admin session that created it; a
// dedicated random secret would be the more conventional choice for a persistent key.
$token = elgg_get_plugin_setting('blog_token', 'community_groups');
if (!$token) {
	$token = generate_action_token(time());
	elgg_set_plugin_setting('blog_token', $token, 'community_groups');
}

// the token travels in the query string of the URL shown to the admin
$url = elgg_get_site_url();
$url .= "services/api/rest/json/?method=blog.post&token={$token}";

echo '<p class="mtm">' . elgg_echo('cg:admin:blog:instruct') . '</p>';
echo '<div><label>' . elgg_echo('cg:admin:blogurl') . ':</label> ';
echo elgg_view('input/text', array('value' => $url));
echo '</div>';

// create list of groups for the form ('limit' => 0 fetches every group)
$options = array('type' => 'group', 'limit' => 0);
$groups = elgg_get_entities($options);

// $options is reused as the guid => name map; the post's current container is left out.
// NOTE(review): $vars['post'] may not be set when this view renders a settings tab -- confirm.
$options = array();
foreach ($groups as $group) {
	if ($group->guid != $vars['post']->container_guid) {
		$options[$group->guid] = $group->name;
	}
}
asort($options);

// get previous group guid that was set
$group_guid = elgg_get_plugin_setting('blog_group_guid', 'community_groups');

// NOTE(review): $form_body is not initialised before the first .= within this excerpt
$form_body .= '<div>';
$form_body .= '<label>';
$form_body .= elgg_echo('cg:admin:bloggroup');
</li> <?php } ?> <li> <a href="<?php echo elgg_get_site_url(); ?> settings"> <i class="fa fa-tasks"></i>Settings </a> </li> <li> <?php $__elgg_ts = time(); $__elgg_token = generate_action_token($__elgg_ts); ?> <a href="<?php echo elgg_get_site_url(); ?> logout?__elgg_ts=<?php echo $__elgg_ts; ?> &__elgg_token=<?php echo $__elgg_token; ?> "> <i class="fa fa-sign-out"></i>Log out </a> </li>
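/**
 * Validate an action token.
 *
 * Calls to actions will automatically validate tokens. If tokens are not
 * present or invalid, the action will be denied and the user will be redirected.
 *
 * Plugin authors should never have to manually validate action tokens.
 *
 * A token is accepted when it matches the token regenerated for the submitted
 * timestamp, the timestamp lies within $CONFIG->action_token_timeout hours of
 * now (default 2; 0 disables the time check), and no
 * 'action_gatekeeper:permissions:check' hook handler vetoes it.
 *
 * @param bool $visibleerrors Emit {@link register_error()} errors on failure?
 * @param mixed $token The token to test against. Default: $_REQUEST['__elgg_token']
 * @param mixed $ts The time stamp to test against. Default: $_REQUEST['__elgg_ts']
 *
 * @return bool
 * @see generate_action_token()
 * @link http://docs.elgg.org/Actions/Tokens
 * @access private
 */
function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) {
	global $CONFIG;

	if (!$token) {
		$token = get_input('__elgg_token');
	}
	if (!$ts) {
		$ts = get_input('__elgg_ts');
	}

	// timeout is configured in hours
	if (!isset($CONFIG->action_token_timeout)) {
		// default to 2 hours
		$timeout = 2;
	} else {
		$timeout = $CONFIG->action_token_timeout;
	}

	$session_id = session_id();

	if (!($token && $ts && $session_id)) {
		if ($visibleerrors) {
			register_error(elgg_echo('actiongatekeeper:missingfields'));
		}
		return FALSE;
	}

	// Regenerate the token for the submitted timestamp and compare in constant time.
	// hash_equals() instead of == avoids a timing side channel and PHP's loose
	// comparison of numeric-looking strings (two different hex digests of the form
	// "0e..." compare equal with ==). The request value may be non-string input.
	$generated_token = generate_action_token($ts);
	if (!is_string($token) || !hash_equals((string) $generated_token, $token)) {
		if ($visibleerrors) {
			register_error(elgg_echo('actiongatekeeper:tokeninvalid'));
		}
		return FALSE;
	}

	$hour = 60 * 60;
	$timeout = $timeout * $hour;
	$now = time();

	// Validate time to ensure its not crazy: within +/- timeout, unless the check is disabled
	if (!($timeout == 0 || ($ts > $now - $timeout && $ts < $now + $timeout))) {
		if ($visibleerrors) {
			register_error(elgg_echo('actiongatekeeper:timeerror'));
		}
		return FALSE;
	}

	// We have already got this far, so unless anything
	// else says something to the contrary we assume we're ok
	$returnval = elgg_trigger_plugin_hook('action_gatekeeper:permissions:check', 'all',
		array('token' => $token, 'time' => $ts), true);
	if ($returnval) {
		return true;
	}

	if ($visibleerrors) {
		register_error(elgg_echo('actiongatekeeper:pluginprevents'));
	}
	return FALSE;
}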
/**
 * This method is used to retrieve the login URL of the CAS server.
 *
 * The bare login URL (base + 'login?service=<urlencoded return URL>', optionally
 * + '&gateway=true') is built once and cached in $this->_server['login_url'];
 * only the first call decides whether 'gateway=true' is included, later calls
 * reuse the cached value whatever $gateway they receive. An Elgg CSRF token pair
 * is appended on every call and is not cached, so the returned URL is tied to the
 * current session and time. traceEnd() logs the cached URL, without the tokens.
 *
 * @param $gateway true to check authentication, false to force it
 * @return a URL.
 * @private
 */
function getServerLoginURL($gateway = false) {
	phpCAS::traceBegin();
	// the URL is build only when needed
	if (empty($this->_server['login_url'])) {
		$this->_server['login_url'] = $this->getServerBaseURL();
		$this->_server['login_url'] .= 'login?service=';
		// $this->_server['login_url'] .= preg_replace('/&/','%26',$this->getURL());
		$this->_server['login_url'] .= urlencode($this->getURL());
		if ($gateway) {
			$this->_server['login_url'] .= '&gateway=true';
		}
	}
	phpCAS::traceEnd($this->_server['login_url']);
	$ts = time();
	$token = generate_action_token($ts);
	// NOTE(review): the cached URL already contains '?service=...', so this second '?'
	// is not a query separator: '?__elgg_ts=...' is absorbed into the value of the
	// preceding parameter (service, or gateway when set), while __elgg_token and
	// _elgg_tmp become separate parameters. Confirm that is the intended shape; a
	// leading '&' would pass all three as separate parameters.
	$params = "?__elgg_ts={$ts}&__elgg_token={$token}&_elgg_tmp=aa";
	return $this->_server['login_url'] . $params;
}
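/**
 * @see validate_action_token
 *
 * Accepts the request when the submitted token matches the one regenerated for the
 * submitted timestamp, validateTokenTimestamp() accepts the timestamp, and no
 * 'action_gatekeeper:permissions:check' hook handler vetoes it. Missing inputs are
 * reported as an oversized upload when the request carried a body but $_POST is
 * empty, otherwise as missing fields.
 *
 * @param bool  $visible_errors Emit register_error() messages on failure?
 * @param mixed $token          Token to test; default: request input '__elgg_token'
 * @param mixed $ts             Timestamp to test; default: request input '__elgg_ts'
 * @return bool
 * @access private
 */
public function validateActionToken($visible_errors = true, $token = null, $ts = null) {
	if (!$token) {
		$token = get_input('__elgg_token');
	}
	if (!$ts) {
		$ts = get_input('__elgg_ts');
	}

	$session_id = _elgg_services()->session->getId();

	if (!($token && $ts && $session_id)) {
		if (!empty($_SERVER['CONTENT_LENGTH']) && empty($_POST)) {
			// The size of $_POST or uploaded file has exceeded the size limit
			$error_msg = elgg_trigger_plugin_hook('action_gatekeeper:upload_exceeded_msg', 'all',
				array('post_size' => $_SERVER['CONTENT_LENGTH'], 'visible_errors' => $visible_errors),
				elgg_echo('actiongatekeeper:uploadexceeded'));
		} else {
			$error_msg = elgg_echo('actiongatekeeper:missingfields');
		}

		if ($visible_errors) {
			register_error($error_msg);
		}
		return false;
	}

	// Regenerate the token for the submitted timestamp and compare in constant time.
	// hash_equals() instead of == avoids a timing side channel and PHP's loose
	// comparison of numeric-looking strings. Request input may be non-string.
	$required_token = generate_action_token($ts);
	if (!is_string($token) || !hash_equals((string) $required_token, $token)) {
		if ($visible_errors) {
			// this is necessary because of #5133: XHR callers are told to refresh their token
			if (elgg_is_xhr()) {
				register_error(elgg_echo('js:security:token_refresh_failed', array(elgg_get_site_url())));
			} else {
				register_error(elgg_echo('actiongatekeeper:tokeninvalid'));
			}
		}
		return false;
	}

	if (!$this->validateTokenTimestamp($ts)) {
		if ($visible_errors) {
			// this is necessary because of #5133
			if (elgg_is_xhr()) {
				register_error(elgg_echo('js:security:token_refresh_failed', array(elgg_get_site_url())));
			} else {
				register_error(elgg_echo('actiongatekeeper:timeerror'));
			}
		}
		return false;
	}

	// We have already got this far, so unless anything
	// else says something to the contrary we assume we're ok
	$returnval = elgg_trigger_plugin_hook('action_gatekeeper:permissions:check', 'all',
		array('token' => $token, 'time' => $ts), true);
	if ($returnval) {
		return true;
	}

	if ($visible_errors) {
		register_error(elgg_echo('actiongatekeeper:pluginprevents'));
	}
	return false;
}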
<?php
/**
 * Tidypics ajax upload form body
 *
 * Refuses (error message plus redirect back) when the current user may not edit
 * the album, then prepares the values the uploader markup below needs: a CSRF
 * token pair, a batch id, the URL of the basic uploader and the configured
 * maximum file size.
 *
 * @uses $vars['entity']
 */
$album = $vars['entity'];

if (!$album->canEdit()) {
	register_error(elgg_echo("actionunauthorized"));
	elgg_log("ZHError , tidypics:photos:ajax_upload, user can not edit album, album_id {$album->guid}, user_id " . elgg_get_logged_in_user_guid(), "ERROR");
	// forward() is expected to end the request here; nothing below should run for an unauthorised user
	forward(REFERER);
}

// the token is only valid for the exact $ts it was generated with, so both are emitted together
$ts = time();
$batch = time();
$tidypics_token = generate_action_token($ts);

$basic_uploader_url = current_page_url() . '/basic';

// plugin setting is stored as a string; an unset/zero value falls back to 5 (unit presumably MB, per the instructs string)
$maxfilesize = (double) elgg_get_plugin_setting('maxfilesize', 'tidypics');
if (!$maxfilesize) {
	$maxfilesize = 5;
}
?>
<p>
<?php echo elgg_echo('tidypics:uploader:instructs', array($maxfilesize)); ?>
</p>
<div id="uploader">
<input type="hidden" name="album_guid" value="<?php
/**
 * @see validate_action_token
 *
 * Accepts the request when the submitted token equals (constant-time, via the
 * crypto service) the one regenerated for the submitted timestamp, the timestamp
 * passes validateTokenTimestamp(), and no 'action_gatekeeper:permissions:check'
 * hook handler vetoes it. Missing inputs are reported as an oversized upload when
 * the request carried a body but no POST fields, otherwise as missing fields.
 *
 * @param bool  $visible_errors Emit register_error() messages on failure?
 * @param mixed $token          Token to test; default: request input '__elgg_token'
 * @param mixed $ts             Timestamp to test; default: request input '__elgg_ts'
 * @return bool
 * @access private
 */
public function validateActionToken($visible_errors = true, $token = null, $ts = null) {
	if (!$token) {
		$token = get_input('__elgg_token');
	}
	if (!$ts) {
		$ts = get_input('__elgg_ts');
	}

	$session_id = _elgg_services()->session->getId();

	if (!$token || !$ts || !$session_id) {
		$request = _elgg_services()->request;
		$content_length = $request->server->get('CONTENT_LENGTH');
		$post_field_count = count($request->request);

		if ($content_length && $post_field_count < 1) {
			// The size of $_POST or uploaded file has exceeded the size limit
			$error_msg = _elgg_services()->hooks->trigger('action_gatekeeper:upload_exceeded_msg', 'all',
				array('post_size' => $content_length, 'visible_errors' => $visible_errors),
				_elgg_services()->translator->translate('actiongatekeeper:uploadexceeded'));
		} else {
			$error_msg = _elgg_services()->translator->translate('actiongatekeeper:missingfields');
		}

		if ($visible_errors) {
			register_error($error_msg);
		}
		return false;
	}

	// regenerate the token for the submitted timestamp; areEqual() is the constant-time comparison
	$expected_token = generate_action_token($ts);
	if (!_elgg_services()->crypto->areEqual($token, $expected_token)) {
		if ($visible_errors) {
			// this is necessary because of #5133: XHR callers are told to refresh their token
			register_error(elgg_is_xhr()
				? _elgg_services()->translator->translate('js:security:token_refresh_failed', array(_elgg_services()->config->getSiteUrl()))
				: _elgg_services()->translator->translate('actiongatekeeper:tokeninvalid'));
		}
		return false;
	}

	if (!$this->validateTokenTimestamp($ts)) {
		if ($visible_errors) {
			// this is necessary because of #5133
			register_error(elgg_is_xhr()
				? _elgg_services()->translator->translate('js:security:token_refresh_failed', array(_elgg_services()->config->getSiteUrl()))
				: _elgg_services()->translator->translate('actiongatekeeper:timeerror'));
		}
		return false;
	}

	// token and timestamp are good; plugins get the final word
	$permitted = _elgg_services()->hooks->trigger('action_gatekeeper:permissions:check', 'all',
		array('token' => $token, 'time' => $ts), true);
	if ($permitted) {
		return true;
	}

	if ($visible_errors) {
		register_error(_elgg_services()->translator->translate('actiongatekeeper:pluginprevents'));
	}
	return false;
}
/**
 * Replaces dynamic data in menu's
 *
 * Substitutes the [username], [userguid], [__elgg_ts] and [__elgg_token]
 * placeholders in the rendered menu output. When nobody is logged in the user
 * placeholders become empty strings. Empty output is returned as is.
 *
 * @param string  $hook   name of the hook
 * @param string  $type   type of the hook
 * @param unknown $return return value
 * @param unknown $params hook parameters
 *
 * @return unknown the output with placeholders substituted
 */
public static function afterViewMenu($hook, $type, $return, $params) {
	if (empty($return)) {
		return $return;
	}

	// fill in username/userguid
	$user = elgg_get_logged_in_user_entity();
	$user_values = $user ? array($user->username, (string) $user->guid) : array('', '');
	$return = str_replace(array('[username]', '[userguid]'), $user_values, $return);

	// add in tokens; the token is only valid for the timestamp it was generated with
	$elgg_ts = time();
	$elgg_token = generate_action_token($elgg_ts);
	$return = str_replace(array('[__elgg_ts]', '[__elgg_token]'), array((string) $elgg_ts, $elgg_token), $return);

	return $return;
}
/**
 * Builds the query-string fragment carrying a fresh CSRF token pair.
 *
 * @return string "__elgg_token=...&__elgg_ts=..." without a leading '?' or '&'
 */
function event_calendar_security_fields() {
	$timestamp = time();
	// the token must be generated from the very timestamp that is sent with it
	$token = generate_action_token($timestamp);

	return sprintf('__elgg_token=%s&__elgg_ts=%s', $token, $timestamp);
}
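/**
 * Validate an action token, returning true if valid and false if not
 *
 * The token and timestamp are read from the request (__elgg_token, __elgg_ts).
 * A token is accepted when it matches the one regenerated for that timestamp, the
 * timestamp lies within one hour of now, and no 'action_gatekeeper:permissions:check'
 * hook handler vetoes it.
 *
 * @param bool $visibleerrors Emit register_error() messages on failure?
 * @return bool
 */
function validate_action_token($visibleerrors = true) {
	$token = get_input('__elgg_token');
	$ts = get_input('__elgg_ts');
	$session_id = session_id();

	if (!($token && $ts && $session_id)) {
		if ($visibleerrors) {
			register_error(elgg_echo('actiongatekeeper:missingfields'));
		}
		return false;
	}

	// Regenerate the token for the submitted timestamp and compare in constant time:
	// hash_equals() rather than strcmp(), so the comparison does not leak how many
	// leading bytes matched. Request input may be non-string, which strcmp would reject noisily.
	$generated_token = generate_action_token($ts);
	if (!is_string($token) || !hash_equals((string) $generated_token, $token)) {
		if ($visibleerrors) {
			register_error(elgg_echo('actiongatekeeper:tokeninvalid'));
		}
		return false;
	}

	$hour = 60 * 60;
	$now = time();

	// Validate time to ensure its not crazy (within +/- one hour of now)
	if (!($ts > $now - $hour && $ts < $now + $hour)) {
		if ($visibleerrors) {
			register_error(elgg_echo('actiongatekeeper:timeerror'));
		}
		return false;
	}

	// We have already got this far, so unless anything else says something to the contrary we assume we're ok
	$returnval = trigger_plugin_hook('action_gatekeeper:permissions:check', 'all',
		array('token' => $token, 'time' => $ts), true);
	if ($returnval) {
		return true;
	}

	if ($visibleerrors) {
		register_error(elgg_echo('actiongatekeeper:pluginprevents'));
	}
	return false;
}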
;
elgg.config.viewtype = '<?php echo elgg_get_viewtype(); ?>';
elgg.config.simplecache_enabled = <?php echo (int) elgg_is_simplecache_enabled(); ?>;
elgg.security.token.__elgg_ts = <?php echo $ts = time(); ?>;
elgg.security.token.__elgg_token = '<?php echo generate_action_token($ts); ?>';
<?php
// NOTE(review): the viewtype and the token are written into JS string literals without
// escaping. That is only safe if neither value can contain a quote or backslash (cannot
// be verified from this view); encoding the values with json_encode() would remove the
// question. The timestamp and token are emitted as a pair because the token is only
// valid for the $ts it was generated with.
// @todo json export should be smoother than this...
// @todo Might also be nice to make url exportable. $entity->url? yes please!
$page_owner = elgg_get_page_owner_entity();
if ($page_owner instanceof ElggEntity) {
	// only the entity's exportable values, plus subtype and url, reach the client
	$page_owner_json = array();
	foreach ($page_owner->getExportableValues() as $v) {
		$page_owner_json[$v] = $page_owner->{$v};
	}
	$page_owner_json['subtype'] = $page_owner->getSubtype();
	$page_owner_json['url'] = $page_owner->getURL();
	echo 'elgg.page_owner = ' . json_encode($page_owner_json) . ';';
<?php
/**
 * iZAP izap_videos
 *
 * Emits the hidden __elgg_token / __elgg_ts form fields (as 'input/hidden' views)
 * for a fresh CSRF token pair.
 *
 * @package Elgg videotizer, by iZAP Web Solutions.
 * @license GNU Public License version 3
 * @Contact iZAP Team "<*****@*****.**>"
 * @Founder Tarun Jangra "<*****@*****.**>"
 * @link http://www.izap.in/
 *
 */
$timestamp = time();
// the token is only valid together with the timestamp it was generated for
$fields = array(
	'__elgg_token' => generate_action_token($timestamp),
	'__elgg_ts' => $timestamp,
);

foreach ($fields as $name => $value) {
	echo elgg_view('input/hidden', array('internalname' => $name, 'value' => $value));
}
/**
 * Get the initial contents of "elgg" client side. Will be extended by elgg.js.
 *
 * Collects the uncacheable per-request data: cache/viewtype config, a fresh CSRF
 * token pair, the session token, the page owner and the logged-in user (with an
 * 'admin' flag), plus whatever 'elgg.data','page' hook handlers contribute under
 * '_data'. A handler that returns a non-array is logged and its result discarded.
 *
 * @return array
 * @access private
 */
function _elgg_get_js_page_data() {
	$hook_data = elgg_trigger_plugin_hook('elgg.data', 'page', null, []);
	if (!is_array($hook_data)) {
		elgg_log('"elgg.data" plugin hook handlers must return an array. Returned ' . gettype($hook_data) . '.', 'ERROR');
		$hook_data = [];
	}

	$config = [
		'lastcache' => (int) elgg_get_config('lastcache'),
		'viewtype' => elgg_get_viewtype(),
		'simplecache_enabled' => (int) elgg_is_simplecache_enabled(),
	];
	if (elgg_get_config('elgg_load_sync_code')) {
		$config['load_sync_code'] = true;
	}

	// the token is only valid for the timestamp it was generated with
	$ts = time();
	$security = [
		'token' => [
			'__elgg_ts' => $ts,
			'__elgg_token' => generate_action_token($ts),
		],
	];

	$session = [
		'user' => null,
		'token' => _elgg_services()->session->get('__elgg_session'),
	];

	$elgg = [
		'config' => $config,
		'security' => $security,
		'session' => $session,
		'_data' => (object) $hook_data,
	];

	$page_owner = elgg_get_page_owner_entity();
	if ($page_owner instanceof ElggEntity) {
		$elgg['page_owner'] = $page_owner->toObject();
	}

	$user = elgg_get_logged_in_user_entity();
	if ($user instanceof ElggUser) {
		$user_object = $user->toObject();
		$user_object->admin = $user->isAdmin();
		$elgg['session']['user'] = $user_object;
	}

	return $elgg;
}