
/concrete/core/helpers/validation/token.php

https://bitbucket.org/selfeky/xclusivescardwebsite
  1. <?php
  2. defined('C5_EXECUTE') or die("Access Denied.");
  3. /**
  4. * @package Helpers
  5. * @subpackage Validation
  6. * @author Andrew Embler <andrew@concrete5.org>
  7. * @copyright Copyright (c) 2003-2008 Concrete5. (http://www.concrete5.org)
  8. * @license http://www.concrete5.org/license/ MIT License
  9. */
  10. /**
  11. * A helper that allows the creation of nonces/tokens, to protect against CSRF attacks.
  12. * @package Helpers
  13. * @subpackage Validation
  14. * @author Andrew Embler <andrew@concrete5.org>
  15. * @copyright Copyright (c) 2003-2008 Concrete5. (http://www.concrete5.org)
  16. * @license http://www.concrete5.org/license/ MIT License
  17. */
  18. class Concrete5_Helper_Validation_Token {
  19. const VALID_HASH_TIME_THRESHOLD = 86400; // 24 hours (in seconds)
  20. /**
  21. * For localization we can't just store this as a constant, unfortunately
  22. */
  23. public function getErrorMessage() {
  24. return t("Invalid form token. Please reload this form and submit again.");
  25. }
  26. /**
  27. * Generates a unique token for a given action. This is a token in the form of
  28. * time:hash, where hash is md5(time:userID:action:salt)
  29. * @param string table
  30. * @param string key
  31. * @param int length
  32. */
  33. public function generate($action = '', $time = null) {
  34. $u = new User();
  35. $uID = $u->getUserID();
  36. if (!$uID) {
  37. $uID = 0;
  38. }
  39. if ($time == null) {
  40. $time = time();
  41. }
  42. $hash = $time . ':' . md5($time . ':' . $uID . ':' . $action . ':' . PASSWORD_SALT);
  43. return $hash;
  44. }
  45. /**
  46. * prints out a generated token as a hidden form field
  47. */
  48. public function output($action = '', $return = false) {
  49. $hash = $this->generate($action);
  50. $token = '<input type="hidden" name="ccm_token" value="' . $hash . '" />';
  51. if (!$return) {
  52. print $token;
  53. } else {
  54. return $token;
  55. }
  56. }
  57. /**
  58. * returns a generated token as a query string variable
  59. */
  60. public function getParameter($action = '') {
  61. $hash = $this->generate($action);
  62. return 'ccm_token=' . $hash;
  63. }
  64. /**
  65. * Validates against a given action. Basically, we check the passed hash to see if
  66. * a. the hash is valid. That means it computes in the time:action:PASSWORD_SALT format
  67. * b. the time included next to the hash is within the threshold.
  68. * @param string $action
  69. * @param string $token
  70. */
  71. public function validate($action = '', $token = null) {
  72. if ($token == null) {
  73. $token = $_REQUEST['ccm_token'];
  74. }
  75. $parts = explode(':', $token);
  76. if ($parts[0]) {
  77. $time = $parts[0];
  78. $hash = $parts[1];
  79. $compHash = $this->generate($action, $time);
  80. $now = time();
  81. if (substr($compHash, strpos($compHash, ':') + 1) == $hash) {
  82. $diff = $now - $time;
  83. //hash is only valid if $diff is less than VALID_HASH_TIME_RECORD
  84. return $diff <= ValidationTokenHelper::VALID_HASH_TIME_THRESHOLD;
  85. }
  86. }
  87. return false;
  88. }
  89. }