source: trunk/www/config.php @ 1184

Revision 1174, 2.4 KB checked in by adrian.budau, 3 months ago (diff)

Bunch of security fixes.

Login and register pages go through https
Updated recaptcha library

Implemented an anti-spam token system with price per actions and
token regeneration.

There is a maximum amount of tokens per IP.
Actions like register and login cost tokens.
When there are not enough tokens a captcha is requested.
The tokens regenerate at a constant rate.

Example -> This is how the captcha is requested at this moment for register/login:

You can login/logout as many times as you want. If you do 3 bad login attempts a captcha will appear and will be requested until you login correctly.
You always need a captcha for registering and after that after only one bad login attempt a captcha will be requested.
You can logout and login a different account without the need of a captcha (there is no way to use this as a brute-force entrance).

Token system description below:

You can communicate with the tokens system with the functions
get_tokens to get current tokens
check_captcha_for_tokens to check for captcha submits and their correctness thus adding an amount of tokens, this function also returns the error of the captcha (it can be forced to search for all errors)
pay_tokens which pays a certain amount of tokens or receives (if used with a negative value), it returns true or false whether it can pay or not (has enough)
save_tokens (which pushes the tokens to the mysql db)

Review URL: http://reviewboard.infoarena.ro/r/188/

  • Property svn:eol-style set to native
<?php
/**
 * This file contains configuration settings specific for the infoarena
 * WEBSITE.
 *
 * Please note that the "big" configuration file (residing one directory up)
 * is meant to keep settings that are common across all infoarena
 * applications.
 *
 * This file has some decent defaults.
 */

// client-side HTTP cache
define("IA_CLIENT_CACHE_ENABLE", true);
define("IA_CLIENT_CACHE_AGE", 604800);

// maximum attachment size for wiki pages
define("IA_ATTACH_MAXSIZE", 64*1024*1024);

// maximum jobs to reeval
define("IA_REEVAL_MAXJOBS", 512);

// maximum file size for user-submitted files - solutions to tasks
define("IA_SUBMISSION_MAXSIZE", 256*1024);

// maximum avatar file-size
define("IA_AVATAR_MAXSIZE", 400*1024);

// Number of items in a RSS feed
define('IA_MAX_FEED_ITEMS', 15);
date_default_timezone_set('GMT');

// Constraints and default value for pager display_rows.
define('IA_PAGER_DEFAULT_DISPLAY_ENTRIES', 50);
define('IA_PAGER_MAX_DISPLAY_ENTRIES', 250);
define('IA_PAGER_MIN_DISPLAY_ENTRIES', 3);
$IA_PAGER_DISPLAY_ENTRIES_OPTIONS = array(25, 50, 100, 250);

// User date formatting.
// Everything in the database is UTC.
// Date formatting for the user is done in www/format/format.php
define('IA_DATE_DEFAULT_TIMEZONE', 'Europe/Bucharest');
define('IA_DATE_DEFAULT_FORMAT', '%e %B %Y %H:%M:%S');

// mail sender
define("IA_MAIL_SENDER_NO_REPLY", 'infoarena <no-reply@infoarena.ro>');

// Maximum number of recursive includes in the wiki.
define('IA_MAX_RECURSIVE_INCLUDES', 5);

// Cache directory
define('IA_CACHE_ENABLE', true);
define('IA_IMAGE_CACHE_ENABLE', true);
define('IA_TEXTILE_CACHE_ENABLE', true);
// FIXME: proper cleaning mechanism.
define('IA_CACHE_SIZE', 256 * 1024 * 1024);

// Image resampling
//  - constraints for image resampling
define("IA_IMAGE_RESIZE_MAX_WIDTH", 800);
define("IA_IMAGE_RESIZE_MAX_HEIGHT", 800);

// Textblock name for sidebar ad
define("IA_SIDEBAR_PAGE", "sidebar-ad");

// Textblock name for blog sidebar
define("IA_BLOG_SIDEBAR", "blog-sidebar");

// LaTeX support
define("IA_LATEX_ENABLE", !IA_DEVELOPMENT_MODE);

// Token constants
define('IA_TOKENS_MAX', 60);
define('IA_TOKENS_REGISTER', 61);
define('IA_TOKENS_CAPTCHA', 5);
define('IA_TOKENS_LOGIN', 20);
define('IA_TOKENS_REGEN', 300);
// List of safe MIME types
// FIXME: add more?
$IA_SAFE_MIME_TYPES = array('image/jpeg', 'image/png', 'image/gif', 'image/bmp', 'image/x-ms-bmp');

?>
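The commit message above describes the per-IP token system only in words, and the config file shows only its constants. The following is an added example, not infoarena's code from this revision, that implements a token bucket with captcha fallback from that description so the interaction of the IA_TOKENS_* values can be traced. The page does not say how the regeneration rate is expressed, how many tokens a solved captcha credits, or what happens on a successful login, so this example assumes: one token regenerates every IA_TOKENS_REGEN seconds, a verified captcha credits IA_TOKENS_CAPTCHA tokens on top of the cap, and a successful login refunds its cost. The class and function names (IpTokenBucket, credit_captcha, attempt) are hypothetical; get_tokens and pay_tokens follow the signatures the commit message names.

```php
<?php
// Added example (not infoarena's code): a per-IP token bucket with captcha
// fallback, modelled on the behaviour the commit message describes.
// Assumed, since the page does not state it: IA_TOKENS_REGEN is "one token
// every N seconds"; a verified captcha credits IA_TOKENS_CAPTCHA tokens above
// the cap; a successful login refunds its cost. Names other than the
// IA_TOKENS_* constants, get_tokens and pay_tokens are hypothetical.

define('IA_TOKENS_MAX', 60);
define('IA_TOKENS_REGISTER', 61);
define('IA_TOKENS_CAPTCHA', 5);
define('IA_TOKENS_LOGIN', 20);
define('IA_TOKENS_REGEN', 300);

final class IpTokenBucket
{
    private float $tokens;
    private int $updatedAt;

    public function __construct(int $now, float $tokens = IA_TOKENS_MAX)
    {
        $this->tokens = $tokens;
        $this->updatedAt = $now;
    }

    // Constant-rate regeneration, capped at IA_TOKENS_MAX. Tokens credited by a
    // captcha may sit above the cap until spent; regeneration never adds to them.
    private function regen(int $now): void
    {
        $elapsed = max(0, $now - $this->updatedAt);
        $regenerated = $elapsed / IA_TOKENS_REGEN;
        $this->tokens = max($this->tokens, min(IA_TOKENS_MAX, $this->tokens + $regenerated));
        $this->updatedAt = $now;
    }

    public function get_tokens(int $now): float
    {
        $this->regen($now);
        return $this->tokens;
    }

    // Pay $cost tokens; a negative cost is a refund. Returns whether the
    // bucket had enough to pay (a refund always succeeds).
    public function pay_tokens(float $cost, int $now): bool
    {
        $this->regen($now);
        if ($this->tokens < $cost) {
            return false;
        }
        $this->tokens -= $cost;
        return true;
    }

    // Credit the captcha reward once a submitted captcha has been verified.
    public function credit_captcha(int $now): void
    {
        $this->regen($now);
        $this->tokens += IA_TOKENS_CAPTCHA;
    }
}

// Decide an attempted action: 'ok' when the IP can pay, 'captcha' when the
// caller must show a captcha. $captchaSolved stands for the result of
// verifying a captcha response submitted with this request.
function attempt(IpTokenBucket $bucket, int $cost, int $now, bool $captchaSolved = false): string
{
    if ($captchaSolved) {
        $bucket->credit_captcha($now);
    }
    return $bucket->pay_tokens($cost, $now) ? 'ok' : 'captcha';
}

$t = 1000; // constructed clock value (seconds)

// Registration costs more than the cap, so a fresh IP always needs a captcha;
// with a solved captcha it pays 61 of 65 and keeps 4.
$fresh = new IpTokenBucket($t);
printf("register: %s\n", attempt($fresh, IA_TOKENS_REGISTER, $t));
printf("register with captcha: %s\n", attempt($fresh, IA_TOKENS_REGISTER, $t, true));
// 4 tokens do not cover a login, so the next login attempt needs a captcha.
printf("login after registering: %s\n", attempt($fresh, IA_TOKENS_LOGIN, $t));

// Another IP: three failed logins drain 60 tokens, the fourth attempt gets a captcha.
$attacker = new IpTokenBucket($t);
for ($i = 1; $i <= 4; $i++) {
    printf("bad login %d: %s\n", $i, attempt($attacker, IA_TOKENS_LOGIN, $t));
}
// Regeneration is slow: 5 * IA_TOKENS_REGEN seconds later only 5 tokens are back.
$later = $t + 5 * IA_TOKENS_REGEN;
printf("drained bucket after %d s: %.1f tokens\n", $later - $t, $attacker->get_tokens($later));

// Successful logins refund their cost, so logging in and out repeatedly is free.
$user = new IpTokenBucket($t);
for ($i = 0; $i < 10; $i++) {
    attempt($user, IA_TOKENS_LOGIN, $t);
    $user->pay_tokens(-IA_TOKENS_LOGIN, $t); // credential check succeeded
}
printf("after 10 good logins: %.0f tokens\n", $user->get_tokens($t));
```

Run it with `php` and the printed sequence matches the commit message's walkthrough: register always asks for a captcha, the post-registration login asks for one immediately, a fresh IP gets three free failed logins before the fourth is challenged, and correct logins never deplete the bucket. The bucket is charged before the password is checked and refunded only on success, so the cost of a wrong guess is fixed by IA_TOKENS_LOGIN and IA_TOKENS_REGEN rather than by anything the client controls; what this example does not cover is persisting the bucket (the commit's save_tokens), which is where the per-IP state must live for the limit to hold across requests.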