From 0accf8fe1eb6c27fbc86c03b97f79043a5cbc38d Mon Sep 17 00:00:00 2001
From: Neil Drumm
Date: Tue, 31 Oct 2006 08:06:18 +0000
Subject: #90508 by Heine and the security team. Every form gets a token.

---
 includes/common.inc | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
(limited to 'includes/common.inc')

diff --git a/includes/common.inc b/includes/common.inc
index b0b184ee4..ea3ce8709 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1507,6 +1507,48 @@ function drupal_urlencode($text) {
 }
 }
 
+/**
+ * Ensure the private key variable used to generate tokens is set.
+ *
+ * @return
+ * The private key
+ */
+function drupal_get_private_key() {
+ if (!($key = variable_get('drupal_private_key', 0))) {
+ $key = md5(uniqid(mt_rand(), true)) . md5(uniqid(mt_rand(), true));
+ variable_set('drupal_private_key', $key);
+ }
+ return $key;
+}
+
+/**
+ * Generate a token based on $value, the current user session and private key.
+ *
+ * @param $value
+ * An additional value to base the token on
+ */
+function drupal_get_token($value = '') {
+ $private_key = drupal_get_private_key();
+ return md5(session_id() . $value . $private_key);
+}
+
+/**
+ * Validate a token based on $value, the current user session and private key.
+ *
+ * @param $token
+ * The token to be validated.
+ * @param $value
+ * An additional value to base the token on.
+ * @param $skip_anonymous
+ * Set to true to skip token validation for anonymous users.
+ * @return
+ * True for a valid token, false for an invalid token. When $skip_anonymous is true, the return value will always be true for anonymous users.
+ */
+function drupal_valid_token($token, $value = '', $skip_anonymous = FALSE) {
+ global $user;
+ return (($skip_anonymous && $user->uid == 0) || ($token == md5(session_id() . $value . variable_get('drupal_private_key', ''))));
+}
+
 /**
 * Performs one or more XML-RPC request(s).
 *
-- 
cgit v1.2.3
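Review bot: The return statement of `drupal_valid_token` checks the submitted token with loose `==`, and PHP's loose comparison treats numeric-looking strings as numbers, so two distinct hex digests can compare equal; the check should be strict (`===`), or a constant-time string comparison where the runtime provides one. The same line recomputes the digest from `variable_get('drupal_private_key', '')` instead of `drupal_get_private_key()`, so when the key variable is unset the validator accepts tokens computed over an empty secret while `drupal_get_token` would have generated a key; the two paths should share one derivation, e.g. `return (($skip_anonymous && $user->uid == 0) || $token === drupal_get_token($value));`. `drupal_get_private_key` seeds the key from `uniqid()` and `mt_rand()`, which are not cryptographic random sources; a comment such as `// TODO: derive the key from a cryptographically secure source where available.` would make that limitation visible to maintainers. The docblock of `drupal_valid_token` should also state that for a request without a session `session_id()` is empty and the token then depends on `$value` and the private key alone, which is presumably why `$skip_anonymous` exists.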