CSRF protection in user registration
index 87f97685c15e1092c5bbc94b04c3743b257992b4..f06f49d71be682e9660a962237a646ddc9115b3a 100644 (file)
@@ -173,6 +173,8 @@ function common_show_header($pagetitle, $callable=NULL, $data=NULL, $headercall=
 
        # FIXME: correct language for interface
 
+       $language = common_language();
+       
        common_element_start('html', array('xmlns' => 'http://www.w3.org/1999/xhtml',
                                                                           'xml:lang' => $language,
                                                                           'lang' => $language));
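Review bot: The second added line of this hunk is whitespace-only (a `+` line holding just a tab run), which will show up as trailing whitespace in every later diff of common_show_header; it should be an empty line. The new `$language` value now feeds the `xml:lang` and `lang` attributes, and nothing in the hunk shows whether common_language() returns a value drawn from a fixed language table or from request/browser input, nor whether common_element_start() escapes attribute values — if either is open, a one-line validation against the known language codes before the assignment would close it, e.g. `$language = common_language(); # expected to be a code from the configured language table`. common_show_header starts and ends outside the hunk.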
@@ -493,6 +495,10 @@ function common_munge_password($password, $id) {
 
 # check if a username exists and has matching password
 function common_check_user($nickname, $password) {
+       # NEVER allow blank passwords, even if they match the DB
+       if (mb_strlen($password) == 0) {
+               return false;
+       }
        $user = User::staticGet('nickname', $nickname);
        if (is_null($user)) {
                return false;
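Review bot: The new blank-password guard in common_check_user uses loose equality, `mb_strlen($password) == 0`; for a security check the strict form `if (mb_strlen($password) === 0) {` is the idiom this file should prefer so that a non-integer return can never compare equal by coercion. Placing the guard before the `User::staticGet` lookup is the right order, since it also avoids a database round-trip for empty submissions. The rest of common_check_user, including the password comparison the comment refers to, lies outside the hunk.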
@@ -988,6 +994,10 @@ function common_date_iso8601($dt) {
        return $d->format('c');
 }
 
+function common_sql_now() {
+       return strftime('%Y-%m-%d %H:%M:%S', time());
+}
+
 function common_redirect($url, $code=307) {
        static $status = array(301 => "Moved Permanently",
                                                   302 => "Found",
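Review bot: common_sql_now() builds the timestamp with `strftime`, which emits the server's local timezone and is deprecated as of PHP 8.1; `return date('Y-m-d H:i:s');` produces the same shape without the deprecated call. If the SQL columns this feeds are meant to hold UTC (the neighbouring common_date_iso8601 suggests dates are handled with explicit formatting, but its timezone handling is not visible here), `gmdate('Y-m-d H:i:s')` is the safer choice; either way a one-line comment stating which timezone the value is in would help callers that compare it against stored rows. common_redirect continues past the end of the hunk.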
@@ -1467,3 +1477,11 @@ function common_canonical_sms($sms) {
        preg_replace('/\D/', '', $sms);
        return $sms;
 }
+
+function common_session_token() {
+       common_ensure_session();
+       if (!array_key_exists('token', $_SESSION)) {
+               $_SESSION['token'] = common_good_rand(64);
+       }
+       return $_SESSION['token'];
+}