authorFriendika <info@friendika.com>2010-12-07 19:40:12 -0800
committerFriendika <info@friendika.com>2010-12-07 19:40:12 -0800
commite241c401cf21108f39f67e54f64f50ad139af221 (patch)
tree287e6568475d0a5b168b1ac8ee9c1883838a915a /mod/redir.php
parent5763d31b4f213fbb2eea4d366a9c7ad534a7f1ec (diff)
downloadvolse-hubzilla-e241c401cf21108f39f67e54f64f50ad139af221.tar.gz
volse-hubzilla-e241c401cf21108f39f67e54f64f50ad139af221.tar.bz2
volse-hubzilla-e241c401cf21108f39f67e54f64f50ad139af221.zip
significantly enhanced profile security
Diffstat (limited to 'mod/redir.php')
-rw-r--r--mod/redir.php23
1 files changed, 17 insertions, 6 deletions
diff --git a/mod/redir.php b/mod/redir.php
index f95c52c96..cc58b9cd1 100644
--- a/mod/redir.php
+++ b/mod/redir.php
@@ -4,10 +4,13 @@ function redir_init(&$a) {
if((! local_user()) || (! ($a->argc == 2)) || (! intval($a->argv[1])))
goaway($a->get_baseurl());
+ $cid = $a->argv[1];
+
$r = q("SELECT `network`, `issued-id`, `dfrn-id`, `duplex`, `poll` FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1",
- intval($a->argv[1]),
+ intval($cid),
intval(local_user())
);
+
if((! count($r)) || ($r[0]['network'] !== 'dfrn'))
goaway($a->get_baseurl());
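Review bot: `$cid = $a->argv[1];` keeps the raw request string even though the guard two lines above already demands that `intval($a->argv[1])` be non-zero, so every later use has to re-apply `intval()`. Assigning the coerced value once, `$cid = intval($a->argv[1]);`, makes the contact id an int from the start and lets the `intval($cid)` calls in this hunk and the next one go. redir_init's signature is on the `@@` header, so the function begins outside this hunk.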
@@ -21,12 +24,20 @@ function redir_init(&$a) {
$orig_id = $r[0]['dfrn-id'];
$dfrn_id = '0:' . $orig_id;
}
- q("INSERT INTO `profile_check` ( `uid`, `dfrn_id`, `expire`)
- VALUES( %d, '%s', %d )",
- intval($_SESSION['uid']),
+
+ $sec = random_string();
+
+ q("INSERT INTO `profile_check` ( `uid`, `cid`, `dfrn_id`, `sec`, `expire`)
+ VALUES( %d, %s, '%s', '%s', %d )",
+ intval(local_user()),
+ intval($cid),
dbesc($dfrn_id),
- intval(time() + 45));
+ dbesc($sec),
+ intval(time() + 45)
+ );
+
goaway ($r[0]['poll'] . '?dfrn_id=' . $dfrn_id
- . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=1');
+// . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile');
+ . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=' . $sec);
}
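Review bot: The new `profile_check` INSERT formats `cid` with an unquoted `%s` while the argument is `intval($cid)`, which is inconsistent with the `%d` used for `uid` on the same line; `VALUES( %d, %d, '%s', '%s', %d )` states the intended integer type and matches the other numeric columns. The commented-out `goaway` fragment left on the line above the final redirect should be deleted rather than kept as dead code. The generated `$sec` is concatenated straight into the query string; if `random_string()` can emit anything outside the unreserved URL characters (not visible here), it should be wrapped in `urlencode()` so the shared secret arrives at the remote poll endpoint unaltered, since the `expire` of `time() + 45` leaves no room for a retry. redir_init starts outside this hunk.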