author | Friendika <info@friendika.com> | 2010-12-07 19:40:12 -0800 |
---|---|---|
committer | Friendika <info@friendika.com> | 2010-12-07 19:40:12 -0800 |
commit | e241c401cf21108f39f67e54f64f50ad139af221 (patch) | |
tree | 287e6568475d0a5b168b1ac8ee9c1883838a915a /mod/redir.php | |
parent | 5763d31b4f213fbb2eea4d366a9c7ad534a7f1ec (diff) | |
significantly enhanced profile security
Diffstat (limited to 'mod/redir.php')
-rw-r--r-- | mod/redir.php | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/mod/redir.php b/mod/redir.php
index f95c52c96..cc58b9cd1 100644
--- a/mod/redir.php
+++ b/mod/redir.php
@@ -4,10 +4,13 @@ function redir_init(&$a) {
 if((! local_user()) || (! ($a->argc == 2)) || (! intval($a->argv[1])))
 goaway($a->get_baseurl());
+ $cid = $a->argv[1];
+
 $r = q("SELECT `network`, `issued-id`, `dfrn-id`, `duplex`, `poll` FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1",
- intval($a->argv[1]),
+ intval($cid),
 intval(local_user())
 );
+
 if((! count($r)) || ($r[0]['network'] !== 'dfrn'))
 goaway($a->get_baseurl());
@@ -21,12 +24,20 @@ function redir_init(&$a) {
 $orig_id = $r[0]['dfrn-id'];
 $dfrn_id = '0:' . $orig_id;
 }
- q("INSERT INTO `profile_check` ( `uid`, `dfrn_id`, `expire`)
- VALUES( %d, '%s', %d )",
- intval($_SESSION['uid']),
+
+ $sec = random_string();
+
+ q("INSERT INTO `profile_check` ( `uid`, `cid`, `dfrn_id`, `sec`, `expire`)
+ VALUES( %d, %s, '%s', '%s', %d )",
+ intval(local_user()),
+ intval($cid),
 dbesc($dfrn_id),
- intval(time() + 45));
+ dbesc($sec),
+ intval(time() + 45)
+ );
+
 goaway ($r[0]['poll'] . '?dfrn_id=' . $dfrn_id
- . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=1');
+// . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile');
+ . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=' . $sec);
 }
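Review bot: The `sec` token introduced in the second hunk is only as strong as `random_string()`, which is defined outside this diff; if that helper is seeded from `mt_rand()`/`uniqid()` rather than a CSPRNG the secret is guessable inside its 45-second window, so confirm it draws from `random_bytes()` or an equivalent secure source before relying on it as the profile gate. In the same INSERT the `cid` column is bound with `%s` while every other integer column uses `%d`; since the value is already `intval($cid)`, `VALUES( %d, %d, '%s', '%s', %d )` keeps the placeholder consistent with the type being passed. The token is then concatenated raw into the redirect URL — `'&type=profile&sec=' . urlencode($sec)` costs nothing and guards against any non-URL-safe characters the helper might emit. The commented-out `// . '&dfrn_version=' …` line above the live one is dead code and should be removed rather than left in the function. Because the secret travels in the query string of a cross-host redirect it will appear in the remote server's access logs; the short expiry limits exposure, but the verifier on the poll side (not in this diff) should also consume the `profile_check` row on first use.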