]> git.mxchange.org Git - quix0rs-gnu-social.git/blobdiff - lib/util.php
CSRF protection in user registration
index 9ea503626644a46712461995521cb4d6ec43939a..f06f49d71be682e9660a962237a646ddc9115b3a 100644 (file)
@@ -132,6 +132,7 @@ function common_end_xml() {
 }
 
 function common_init_language() {
+       mb_internal_encoding('UTF-8');
        $language = common_language();
        # So we don't have to make people install the gettext locales
        putenv('LANGUAGE='.$language);
@@ -141,7 +142,7 @@ function common_init_language() {
                                                        $language . ".utf-8",
                                                        $language . ".UTF-8",
                                                        $language);
-       bindtextdomain("laconica", $config['site']['locale_path']);
+       bindtextdomain("laconica", common_config('site','locale_path'));
        bind_textdomain_codeset("laconica", "UTF-8");
        textdomain("laconica");
        setlocale(LC_CTYPE, 'C');
@@ -172,6 +173,8 @@ function common_show_header($pagetitle, $callable=NULL, $data=NULL, $headercall=
 
        # FIXME: correct language for interface
 
+       $language = common_language();
+       
        common_element_start('html', array('xmlns' => 'http://www.w3.org/1999/xhtml',
                                                                           'xml:lang' => $language,
                                                                           'lang' => $language));
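Review bot: The `# FIXME: correct language for interface` comment directly above the added `$language = common_language();` is left in place, so it is unclear whether this assignment resolves it or only stops `$language` from being undefined here. If it resolves it, drop the FIXME; otherwise reword it to say what is still missing, for example `# FIXME: common_language() is the site default, not the viewer's choice`, after confirming what common_language() actually returns. The body of common_show_header() starts and ends outside this hunk.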
@@ -492,6 +495,10 @@ function common_munge_password($password, $id) {
 
 # check if a username exists and has matching password
 function common_check_user($nickname, $password) {
+       # NEVER allow blank passwords, even if they match the DB
+       if (mb_strlen($password) == 0) {
+               return false;
+       }
        $user = User::staticGet('nickname', $nickname);
        if (is_null($user)) {
                return false;
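Review bot: The blank-password guard in common_check_user() assumes `$password` is a string. A non-string value, such as an array, is rejected only through how `mb_strlen()` handles a bad argument combined with the loose `== 0` comparison. Making the type check explicit keeps the rejection independent of that behaviour: `if (!is_string($password) || $password === '') { return false; }`. The rest of the function, including the comparison against the stored hash, lies outside this hunk, so confirm there that an empty munged value cannot match either.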
@@ -987,6 +994,10 @@ function common_date_iso8601($dt) {
        return $d->format('c');
 }
 
+function common_sql_now() {
+       return strftime('%Y-%m-%d %H:%M:%S', time());
+}
+
 function common_redirect($url, $code=307) {
        static $status = array(301 => "Moved Permanently",
                                                   302 => "Found",
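Review bot: common_sql_now() formats `time()` with `strftime()`, which uses the server's local timezone, so the string it returns shifts with the PHP timezone setting and is ambiguous around DST changes. If the columns this feeds are meant to hold UTC (not visible from this hunk), `return gmdate('Y-m-d H:i:s');` would make that explicit. Either way, a one-line comment stating the intended timezone would help anyone comparing these timestamps, for example for expiry or audit purposes.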
@@ -1078,7 +1089,7 @@ function common_dequeue_notice($notice) {
                 $result = $qi->delete();
                if (!$result) {
                    $last_error = &PEAR::getStaticProperty('DB_DataObject','lastError');
-                    common_log(LOG_ERROR, 'DB error deleting queue item: ' . $last_error->message);
+                    common_log(LOG_ERR, 'DB error deleting queue item: ' . $last_error->message);
                     return false;
                 }
                 common_log(LOG_DEBUG, 'complete dequeueing notice ID = ' . $notice->id);
@@ -1466,3 +1477,11 @@ function common_canonical_sms($sms) {
        preg_replace('/\D/', '', $sms);
        return $sms;
 }
+
+function common_session_token() {
+       common_ensure_session();
+       if (!array_key_exists('token', $_SESSION)) {
+               $_SESSION['token'] = common_good_rand(64);
+       }
+       return $_SESSION['token'];
+}
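Review bot: The anti-CSRF token from common_session_token() is only as unpredictable as `common_good_rand(64)`, which is defined outside this diff, so confirm it draws from a cryptographically secure source rather than `rand()`/`mt_rand()`. The token is created once and reused for the whole session, with no rotation visible here; regenerating it at login or privilege change would limit the value of a leaked token. The function would also benefit from a comment stating the contract, such as `# per-session anti-CSRF token; embed in forms and compare on every state-changing POST`. Separately, the context line `preg_replace('/\D/', '', $sms);` in common_canonical_sms() discards its result, so that function returns `$sms` unchanged.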