1<?php
2// GIJOE's Ticket Class (based on Marijuana's Oreteki XOOPS)
3// nobunobu's suggestions are applied
4
5if( ! class_exists( 'XoopsGTicket' ) ) {
6
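// One-time anti-CSRF tickets. issue() stores a secret "stub" (raw token, expiry,
// client ip) in $_SESSION['XOOPS_G_STUBS'] and hands the client only a digest of
// the token; check() looks the digest up, consumes the matching stub and drops
// expired ones. Both sides depend on the session already being started.
class XoopsGTicket {

    // messages collected by the last check(); read them via getErrors()
    var $_errors = array() ;
    // raw token of the most recently issued ticket (the client only ever sees its digest)
    var $_latest_token = '' ;
    // upper bound on stubs kept per session; the oldest are discarded first
    var $_max_stubs = 10 ;

    // render form as plain html
    // $salt: only mixed into the legacy (pre-random_bytes) token; $timeout: lifetime in seconds
    function getTicketHtml( $salt = '' , $timeout = 1800 )
    {
        return '<input type="hidden" name="XOOPS_G_TICKET" value="'.$this->issue( $salt , $timeout ).'" />' ;
    }

    // returns an object of XoopsFormHidden including the ticket
    function getTicketXoopsForm( $salt = '' , $timeout = 1800 )
    {
        return new XoopsFormHidden( 'XOOPS_G_TICKET' , $this->issue( $salt , $timeout ) ) ;
    }

    // returns an array for xoops_confirm()
    function getTicketArray( $salt = '' , $timeout = 1800 )
    {
        return array( 'XOOPS_G_TICKET' => $this->issue( $salt , $timeout ) ) ;
    }

    // return GET parameter string, prefixed with '&amp;' unless $noamp is true.
    // A ticket carried in a URL can end up in Referer headers and access logs;
    // the POST form variants above are preferable where the caller has a choice.
    function getTicketParamString( $salt = '' , $noamp = false , $timeout = 1800 )
    {
        return ( $noamp ? '' : '&amp;' ) . 'XOOPS_G_TICKET=' . $this->issue( $salt , $timeout ) ;
    }

    // issue a ticket: store a stub in the session and return the value the client
    // must send back. Each ticket is single-use; check() removes the matching stub.
    function issue( $salt = '' , $timeout = 1800 )
    {
        $token = $this->_createToken( $salt ) ;
        $this->_latest_token = $token ;

        if( empty( $_SESSION['XOOPS_G_STUBS'] ) || ! is_array( $_SESSION['XOOPS_G_STUBS'] ) ) {
            $_SESSION['XOOPS_G_STUBS'] = array() ;
        }

        // store stub ('ip' is recorded for the optional address check in check())
        $_SESSION['XOOPS_G_STUBS'][] = array(
            'expire' => time() + $timeout ,
            'ip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '' ,
            'token' => $token
        ) ;

        // cap the stub list after appending, keeping the newest; capping before the
        // append (as the original did) let one extra stub through
        if( sizeof( $_SESSION['XOOPS_G_STUBS'] ) > $this->_max_stubs ) {
            $_SESSION['XOOPS_G_STUBS'] = array_slice( $_SESSION['XOOPS_G_STUBS'] , - $this->_max_stubs ) ;
        }

        return $this->_ticketFromToken( $token ) ;
    }

    // build the secret token stored in a stub.
    // Prefer the CSPRNG (PHP 7+). The fallback only mixes microtime, uniqid and
    // the caller's salt and is correspondingly weaker; the original crypt() call
    // without a salt argument is an error on PHP 8, so it is not kept.
    function _createToken( $salt = '' )
    {
        if( function_exists( 'random_bytes' ) ) {
            return bin2hex( random_bytes( 32 ) ) ;
        }
        list( $usec , $sec ) = explode( ' ' , microtime() ) ;
        $path = isset( $_SERVER['PATH'] ) ? $_SERVER['PATH'] : '' ;
        return md5( $salt . $usec . $path . $sec . uniqid( mt_rand() , true ) ) ;
    }

    // the value handed to the client: a digest of the token with XOOPS_DB_PREFIX,
    // so the stored token itself never leaves the server
    function _ticketFromToken( $token )
    {
        return md5( $token . XOOPS_DB_PREFIX ) ;
    }

    // does the submitted ticket belong to this stub? Uses a constant-time
    // comparison when the runtime provides one.
    function _ticketMatches( $stub , $ticket )
    {
        $expected = $this->_ticketFromToken( $stub['token'] ) ;
        if( function_exists( 'hash_equals' ) ) {
            return hash_equals( $expected , $ticket ) ;
        }
        return $expected === $ticket ;
    }

    // check a ticket read from $_POST (default) or, with $post = false, from $_GET.
    // Returns true on a live matching stub (which is consumed); on any failure all
    // stubs are cleared, an error message is recorded and false is returned.
    function check( $post = true )
    {
        $this->_errors = array() ;

        // CHECK: stubs are not stored in session
        if( empty( $_SESSION['XOOPS_G_STUBS'] ) || ! is_array( $_SESSION['XOOPS_G_STUBS'] ) ) {
            $this->clear() ;
            $this->_errors[] = 'Invalid Session' ;
            return false ;
        }

        // get the ticket from the user's query
        $source = $post ? $_POST : $_GET ;
        $ticket = empty( $source['XOOPS_G_TICKET'] ) ? '' : $source['XOOPS_G_TICKET'] ;

        // CHECK: no ticket found (a non-string value, e.g. an array parameter, counts as none)
        if( empty( $ticket ) || ! is_string( $ticket ) ) {
            $this->clear() ;
            $this->_errors[] = 'Irregular post found' ;
            return false ;
        }

        // garbage collection & find the right stub
        $now = time() ;
        $found_stub = null ;
        $timeout_flag = false ;
        $stubs_tmp = $_SESSION['XOOPS_G_STUBS'] ;
        $_SESSION['XOOPS_G_STUBS'] = array() ;
        foreach( $stubs_tmp as $stub ) {
            // drop malformed stubs rather than reading undefined keys
            if( ! is_array( $stub ) || ! isset( $stub['expire'] , $stub['token'] ) ) continue ;
            $matches = $this->_ticketMatches( $stub , $ticket ) ;
            if( $stub['expire'] >= $now ) {
                if( $matches ) {
                    // the matching stub is not written back: the ticket is single-use
                    $found_stub = $stub ;
                } else {
                    // keep the other live stubs
                    $_SESSION['XOOPS_G_STUBS'][] = $stub ;
                }
            } else if( $matches ) {
                // not CSRF but Time-Out; the expired stub is dropped
                $timeout_flag = true ;
            }
        }

        // CHECK: no right stub found
        if( $found_stub === null ) {
            $this->clear() ;
            $this->_errors[] = $timeout_flag ? 'Time out' : 'Invalid Session' ;
            return false ;
        }

        // CHECK: different ip -- left disabled as in the original; the stub still
        // records 'ip' so a deployment can re-enable it here.
        /* if( $found_stub['ip'] != $_SERVER['REMOTE_ADDR'] ) {
            $this->clear() ;
            $this->_errors[] = 'IP has been changed' ;
            return false ;
        } */

        // all green
        return true ;
    }

    // clear all stubs (every outstanding ticket of this session becomes invalid)
    function clear()
    {
        $_SESSION['XOOPS_G_STUBS'] = array() ;
    }

    // true when this session still holds at least one stub
    function using()
    {
        return ! empty( $_SESSION['XOOPS_G_STUBS'] ) ;
    }

    // errors of the last check(): one "<br />"-separated string, or the raw
    // array with $ashtml = false
    function getErrors( $ashtml = true )
    {
        if( ! $ashtml ) {
            return $this->_errors ;
        }
        $ret = '' ;
        foreach( $this->_errors as $msg ) {
            $ret .= "$msg<br />\n" ;
        }
        return $ret ;
    }

// end of class
}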
163
// create an instance in global scope: the shared ticket object is reachable as
// $GLOBALS['xoopsGTicket'] regardless of the scope this file was included from
$GLOBALS['xoopsGTicket'] = new XoopsGTicket() ;
166
167}
168
169if( ! function_exists( 'admin_refcheck' ) ) {
170
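//Admin Referer Check By Marijuana(Rev.011)
// Returns true when the request's Referer begins with XOOPS_URL . $chkref and
// the match ends at a path/query boundary, or when no Referer was sent at all.
// Caveat, unchanged from the original: an absent Referer is accepted, so this
// is only a secondary guard next to the XoopsGTicket check.
function admin_refcheck($chkref = "") {
    if( empty( $_SERVER['HTTP_REFERER'] ) ) {
        return true ;
    }
    $ref = $_SERVER['HTTP_REFERER'] ;
    $cr = XOOPS_URL ;
    if( (string) $chkref !== "" ) { $cr .= $chkref ; }
    $len = strlen( $cr ) ;
    if( strncmp( $ref , $cr , $len ) !== 0 ) { return false ; }
    // A bare prefix test also accepts a host whose name merely starts with the
    // site's host (or a longer file name than $chkref). Unless the prefix already
    // ends in '/', require the Referer to end there or continue with '/', '?' or '#'.
    if( substr( $cr , -1 ) === '/' || strlen( $ref ) === $len ) { return true ; }
    return strpos( '/?#' , $ref[$len] ) !== false ;
}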
183
184}
185
186?>