
Commit f79f4480 authored by Zach Copley's avatar Zach Copley

- Lookup anon profiles by ID (safer because they are guaranteed to be unique) and probably faster

- Obfuscate the anonymous user session token to make it hard to figure out the profile ID
parent 0fe0f421
...@@ -151,7 +151,7 @@ class AnonymousFavePlugin extends Plugin { ...@@ -151,7 +151,7 @@ class AnonymousFavePlugin extends Plugin {
if (!common_logged_in()) { if (!common_logged_in()) {
$profile = $this->getAnonProfile(); $profile = AnonymousFavePlugin::getAnonProfile();
if (!empty($profile)) { if (!empty($profile)) {
if ($profile->hasFave($item->notice)) { if ($profile->hasFave($item->notice)) {
$disfavor = new AnonDisFavorForm($item->out, $item->notice); $disfavor = new AnonDisFavorForm($item->out, $item->notice);
...@@ -207,42 +207,58 @@ class AnonymousFavePlugin extends Plugin { ...@@ -207,42 +207,58 @@ class AnonymousFavePlugin extends Plugin {
// Get the anon user's IP, and turn it into a nickname // Get the anon user's IP, and turn it into a nickname
list($proxy, $ip) = common_client_ip(); list($proxy, $ip) = common_client_ip();
// IP + time + random number should avoid collisions
$nickname = 'anonymous-' . $ip . '-' . time() . '-' . common_good_rand(5); // IP + time + random number should help to avoid collisions
$baseNickname = $ip . '-' . time() . '-' . common_good_rand(5);
$profile = new Profile(); $profile = new Profile();
$profile->nickname = $nickname; $profile->nickname = $baseNickname;
$id = $profile->insert(); $id = $profile->insert();
if (!empty($id)) { if (!$id) {
common_log( throw new ServerException(_m("Couldn't create anonymous user session"));
LOG_INFO, }
"AnonymousFavePlugin - created profile for anonymous user from IP: "
. $ip // Stick the Profile ID into the nickname
. ', nickname = ' $orig = clone($profile);
. $nickname
); $profile->nickname = 'anon-' . $id . '-' . $baseNickname;
$result = $profile->update($orig);
if (!$result) {
throw new ServerException(_m("Couldn't create anonymous user session"));
} }
common_log(
LOG_INFO,
"AnonymousFavePlugin - created profile for anonymous user from IP: "
. $ip
. ', nickname = '
. $profile->nickname
);
return $profile; return $profile;
} }
function getAnonProfile() { static function getAnonProfile() {
$anon = $_SESSION['anon_nickname']; $token = $_SESSION['anon_token'];
$anon = base64_decode($token);
$profile = null; $profile = null;
if (!empty($anon)) { if (!empty($anon) && substr($anon, 0, 5) == 'anon-') {
$profile = Profile::staticGet('nickname', $anon); $parts = explode('-', $anon);
$id = $parts[1];
// Do Profile lookup by ID instead of nickname for safety/performance
$profile = Profile::staticGet('id', $id);
} else { } else {
$profile = $this->createAnonProfile(); $profile = $this->createAnonProfile();
$_SESSION['anon_nickname'] = $profile->nickname; // Obfuscate so it's hard to figure out the Profile ID
$_SESSION['anon_token'] = base64_encode($profile->nickname);
} }
if (!empty($profile)) { return $profile;
return $profile;
}
} }
/** /**
......
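Review bot: `getAnonProfile` is now declared `static` and is invoked as `AnonymousFavePlugin::getAnonProfile()` from the action classes, yet its else-branch still calls `$this->createAnonProfile()`, which fails with "Using $this when not in object context" the first time a session carries no `anon_token` — unless `createAnonProfile` was also made static outside this hunk (its signature is not visible), in which case the call should read `$profile = self::createAnonProfile();`. The `// Obfuscate so it's hard to figure out the Profile ID` comment overstates what `base64_encode` provides: it is a reversible encoding, not obfuscation, and because the value is stored in the server-side `$_SESSION` it is never sent to the client, so the profile ID was not exposed to begin with; suggest `// base64 is only an encoding; the value never leaves the server-side session`. `$parts[1]` is handed to `Profile::staticGet('id', ...)` unvalidated, so a malformed token (e.g. after a nickname format change) yields a non-numeric lookup key; `$id = (int) $parts[1];` followed by a `$id > 0` guard before the lookup rejects that cheaply, and reading `$_SESSION['anon_token']` through `isset` would avoid the undefined-index notice on a fresh session. The hunk begins inside the body of `createAnonProfile`, whose signature lies above it.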
...@@ -54,15 +54,7 @@ class AnonDisfavorAction extends RedirectingAction ...@@ -54,15 +54,7 @@ class AnonDisfavorAction extends RedirectingAction
{ {
parent::handle($args); parent::handle($args);
$anon = $_SESSION['anon_nickname']; $profile = AnonymousFavePlugin::getAnonProfile();
$profile = Profile::staticGet('nickname', $anon);
if (empty($profile)) {
common_debug(
"AnonDisFavorAction - Anon user tried to disfave a notice but doesn't have a profile."
);
}
if (empty($profile) || $_SERVER['REQUEST_METHOD'] != 'POST') { if (empty($profile) || $_SERVER['REQUEST_METHOD'] != 'POST') {
$this->clientError( $this->clientError(
......
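Review bot: `handle()` now calls `AnonymousFavePlugin::getAnonProfile()` before the `REQUEST_METHOD` check, and in the new code that helper inserts a fresh `Profile` row whenever the session has no token, so a plain GET to this action from a client without a session cookie (a crawler, a link prefetcher) now creates a database row per request, whereas the old code only looked a profile up. Performing the method check first avoids that growth: `if ($_SERVER['REQUEST_METHOD'] != 'POST') { $this->clientError(...); }` ahead of the lookup, then `$profile = AnonymousFavePlugin::getAnonProfile();`. The same reordering applies to the matching hunk in `AnonFavorAction::handle` below. Note also that `createAnonProfile` now throws `ServerException` when the insert fails, which nothing visible in this `handle()` catches, so the `empty($profile)` branch no longer covers that failure unless it is handled further up. The body of `handle()` continues past the end of the hunk.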
...@@ -54,14 +54,7 @@ class AnonFavorAction extends RedirectingAction ...@@ -54,14 +54,7 @@ class AnonFavorAction extends RedirectingAction
{ {
parent::handle($args); parent::handle($args);
$anon = $_SESSION['anon_nickname']; $profile = AnonymousFavePlugin::getAnonProfile();
$profile = Profile::staticGet('nickname', $anon);
if (empty($profile)) {
common_debug(
"AnonFavorAction - Anon user tried to fave a notice but doesn't have a profile."
);
}
if (empty($profile) || $_SERVER['REQUEST_METHOD'] != 'POST') { if (empty($profile) || $_SERVER['REQUEST_METHOD'] != 'POST') {
$this->clientError( $this->clientError(
......