Merge branch '5.0RC'5.0

author: Mario <mario@mariovavti.com> 2020-11-05 08:46:42 +0000
committer: Mario <mario@mariovavti.com> 2020-11-05 08:46:42 +0000
commit: bafbf0416462c6f18c3fb6c8c06a063c8d6fdae6 (patch)
tree: 8929845be585b09d0f420621281c5531e1efad3e /include/security.php
parent: 6f93d9848c43019d43ea76c27d42d657ba031cd7 (diff)
parent: fdefa101d84dc2a9424eaedbdb003a4c30ec5d01 (diff)
download: volse-hubzilla-bafbf0416462c6f18c3fb6c8c06a063c8d6fdae6.tar.gz
volse-hubzilla-bafbf0416462c6f18c3fb6c8c06a063c8d6fdae6.tar.bz2
volse-hubzilla-bafbf0416462c6f18c3fb6c8c06a063c8d6fdae6.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/include/security.php b/include/security.php
index 38cb72263..c9df00f1e 100644
--- a/include/security.php
+++ b/include/security.php
@@ -594,9 +594,11 @@ function check_form_security_token($typename = '', $formname = 'form_security_to
 	$hash = $_REQUEST[$formname];
 
 	$max_livetime = 10800; // 3 hours
+	$min_livetime = 3; // 3 sec
 
 	$x = explode('.', $hash);
-	if (time() > (IntVal($x[0]) + $max_livetime)) return false;
+	if (time() > (IntVal($x[0]) + $max_livetime) || time() < (IntVal($x[0]) + $min_livetime))
+	    return false;
 
 	$sec_hash = hash('whirlpool', App::$observer['xchan_guid'] . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename);
author	Mario <mario@mariovavti.com>	2020-11-05 08:46:42 +0000
committer	Mario <mario@mariovavti.com>	2020-11-05 08:46:42 +0000
commit	bafbf0416462c6f18c3fb6c8c06a063c8d6fdae6 (patch)
tree	8929845be585b09d0f420621281c5531e1efad3e /include/security.php
parent	6f93d9848c43019d43ea76c27d42d657ba031cd7 (diff)
parent	fdefa101d84dc2a9424eaedbdb003a4c30ec5d01 (diff)
download	volse-hubzilla-bafbf0416462c6f18c3fb6c8c06a063c8d6fdae6.tar.gz volse-hubzilla-bafbf0416462c6f18c3fb6c8c06a063c8d6fdae6.tar.bz2 volse-hubzilla-bafbf0416462c6f18c3fb6c8c06a063c8d6fdae6.zip