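<?php
// $Id: xoopssecurity.php 2 2005-11-02 18:23:29Z skalpa $
// ------------------------------------------------------------------------ //
// XOOPS - PHP Content Management System                                    //
// Copyright (c) 2000 XOOPS.org                                             //
// <http://www.xoops.org/>                                                  //
// ------------------------------------------------------------------------ //
// This program is free software; you can redistribute it and/or modify     //
// it under the terms of the GNU General Public License as published by     //
// the Free Software Foundation; either version 2 of the License, or        //
// (at your option) any later version.                                      //
//                                                                          //
// You may not change or alter any portion of this comment or credits       //
// of supporting developers from this source code or any supporting         //
// source code which is considered copyrighted (c) material of the          //
// original comment or credit authors.                                      //
//                                                                          //
// This program is distributed in the hope that it will be useful,          //
// but WITHOUT ANY WARRANTY; without even the implied warranty of           //
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the             //
// GNU General Public License for more details.                             //
//                                                                          //
// You should have received a copy of the GNU General Public License        //
// along with this program; if not, write to the Free Software              //
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA  //
// ------------------------------------------------------------------------ //
// Author: Kazumi Ono (AKA onokazu)                                         //
// URL: http://www.myweb.ne.jp/, http://www.xoops.org/, http://jp.xoops.org/ //
// Project: The XOOPS Project                                               //
// ------------------------------------------------------------------------- //

/**
 * Class for managing security aspects such as checking referers, applying
 * tokens and checking global variables for contamination
 *
 * Security notes:
 *  - A token value is md5(server-side random id . User-Agent . XOOPS_DB_PREFIX).
 *    The User-Agent and the DB prefix are not secrets; the only secret is the
 *    random id kept in the session, so the scheme is as strong as the session
 *    and as the randomness used to generate that id (see createToken()).
 *  - validateToken() reads the token from $_REQUEST, so a token passed in a
 *    GET query string is accepted and may leak into server logs and Referer
 *    headers. Forms should submit the token in the POST body.
 *  - checkReferer() relies on a client-supplied header and is only a weak,
 *    defence-in-depth check; the token is the actual CSRF protection.
 *
 * @package kernel
 * @subpackage core
 *
 * @author Jan Pedersen <mithrandir@xoops.org>
 * @copyright (c) 2000-2005 The Xoops Project - www.xoops.org
 */
class XoopsSecurity {
    /**
     * Error messages collected during validation, see getErrors()
     * @var array
     */
    var $errors = array();

    /**
     * Constructor (PHP4-style; intentionally empty)
     **/
    function XoopsSecurity() {
    }

    /**
     * Check if there is a valid token in $_REQUEST['XOOPS_TOKEN_REQUEST'] - can be expanded for more wide use, later (Mith)
     *
     * @param bool   $clearIfValid whether to clear the token after validation
     * @param string $token        token to validate (false = read it from the request)
     *
     * @return bool
     */
    function check($clearIfValid = true, $token = false) {
        return $this->validateToken($token, $clearIfValid);
    }

    /**
     * Create a token in the user's session
     *
     * The random id is stored server-side in $_SESSION['XOOPS_TOKEN_SESSION']
     * together with its expiry; the value returned to the caller (and put in
     * the form) is the derived value computed by _tokenValue().
     *
     * @param int $timeout time in seconds the token should be valid; 0 uses
     *                     the configured session expiry
     *
     * @return string token value
     */
    function createToken($timeout = 0)
    {
        $this->garbageCollection();
        if ($timeout == 0) {
            $timeout = $GLOBALS['xoopsConfig']['session_expire'] * 60; //session_expire is in minutes, we need seconds
        }
        $token_id = $this->_generateTokenId();
        // save token data on the server
        if (!isset($_SESSION['XOOPS_TOKEN_SESSION']) || !is_array($_SESSION['XOOPS_TOKEN_SESSION'])) {
            $_SESSION['XOOPS_TOKEN_SESSION'] = array();
        }
        $_SESSION['XOOPS_TOKEN_SESSION'][] = array('id' => $token_id, 'expire' => time() + intval($timeout));
        return $this->_tokenValue($token_id);
    }

    /**
     * Generate the server-side secret id of a token (32 hex characters)
     *
     * Uses a CSPRNG when the runtime provides one; the historical
     * md5(uniqid(rand(), true)) is kept only as a last-resort fallback because
     * rand()/uniqid() are predictable and not suitable for security tokens.
     *
     * @access private
     * @return string
     */
    function _generateTokenId()
    {
        if (function_exists('random_bytes')) {
            return bin2hex(random_bytes(16));
        }
        if (function_exists('openssl_random_pseudo_bytes')) {
            $strong = false;
            $bytes = openssl_random_pseudo_bytes(16, $strong);
            if ($strong && $bytes !== false) {
                return bin2hex($bytes);
            }
        }
        // legacy fallback: NOT cryptographically strong
        return md5(uniqid(rand(), true));
    }

    /**
     * Derive the client-visible token value from a server-side token id
     *
     * Shared by createToken() and validateToken() so both sides always use
     * the same formula. A missing User-Agent header counts as an empty string
     * (the original code relied on an undefined-index notice for that).
     *
     * @access private
     * @param string $token_id
     * @return string
     */
    function _tokenValue($token_id)
    {
        $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        return md5($token_id . $ua . XOOPS_DB_PREFIX);
    }

    /**
     * Constant-time string comparison for token values
     *
     * Avoids leaking the position of the first mismatching byte through
     * timing; uses hash_equals() where available.
     *
     * @access private
     * @param string $expected the value derived from the session
     * @param string $given    the value supplied by the client
     * @return bool
     */
    function _tokenEquals($expected, $given)
    {
        if (!is_string($expected) || !is_string($given)) {
            return false;
        }
        if (function_exists('hash_equals')) {
            return hash_equals($expected, $given);
        }
        $len = strlen($expected);
        if ($len !== strlen($given)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < $len; $i++) {
            $diff |= ord($expected[$i]) ^ ord($given[$i]);
        }
        return $diff === 0;
    }

    /**
     * Check if a token is valid. If no token is specified, $_REQUEST['XOOPS_TOKEN_REQUEST'] is checked
     *
     * A token is valid when it matches a stored id that has not expired. An
     * expired or unknown token records an error (see getErrors()) and returns
     * false. Expired tokens are purged afterwards by garbageCollection().
     *
     * @param string $token        token to validate (false = read from request)
     * @param bool   $clearIfValid whether to clear the token value if valid
     *
     * @return bool
     **/
    function validateToken($token = false, $clearIfValid = true)
    {
        global $xoopsLogger;
        if ($token === false) {
            $token = isset($_REQUEST['XOOPS_TOKEN_REQUEST']) ? $_REQUEST['XOOPS_TOKEN_REQUEST'] : null;
        }
        // a non-string token (e.g. XOOPS_TOKEN_REQUEST[]=x) can never match and
        // must not reach the comparison
        if (empty($token) || !is_string($token)
            || empty($_SESSION['XOOPS_TOKEN_SESSION']) || !is_array($_SESSION['XOOPS_TOKEN_SESSION'])) {
            $str = 'No valid token found in request/session';
            $this->setErrors($str);
            $xoopsLogger->addExtra('Token Validation', $str);
            return false;
        }
        $validFound = false;
        $token_data =& $_SESSION['XOOPS_TOKEN_SESSION'];
        foreach (array_keys($token_data) as $i) {
            if (!is_array($token_data[$i]) || !isset($token_data[$i]['id'])) {
                continue;
            }
            if (!$this->_tokenEquals($this->_tokenValue($token_data[$i]['id']), $token)) {
                continue;
            }
            if ($this->filterToken($token_data[$i])) {
                if ($clearIfValid) {
                    // token should be valid once, so clear it once validated
                    unset($token_data[$i]);
                }
                $xoopsLogger->addExtra('Token Validation', 'Valid token found');
                $validFound = true;
            } else {
                $str = 'Valid token expired';
                $this->setErrors($str);
                $xoopsLogger->addExtra('Token Validation', $str);
            }
        }
        if (!$validFound) {
            $str = 'No valid token found';
            $this->setErrors($str);
            $xoopsLogger->addExtra('Token Validation', $str);
        }
        $this->garbageCollection();
        return $validFound;
    }

    /**
     * Clear all token values from user's session
     **/
    function clearTokens()
    {
        $_SESSION['XOOPS_TOKEN_SESSION'] = array();
    }

    /**
     * Check whether a token value is expired or not
     *
     * @param array $token token record with an 'expire' timestamp
     *
     * @return bool true when the record has an expiry that is still in the future
     **/
    function filterToken($token)
    {
        return (is_array($token) && !empty($token['expire']) && $token['expire'] >= time());
    }

    /**
     * Perform garbage collection, clearing expired tokens
     *
     * @return void
     **/
    function garbageCollection() {
        if (isset($_SESSION['XOOPS_TOKEN_SESSION']) && is_array($_SESSION['XOOPS_TOKEN_SESSION'])
            && count($_SESSION['XOOPS_TOKEN_SESSION']) > 0) {
            $_SESSION['XOOPS_TOKEN_SESSION'] = array_filter($_SESSION['XOOPS_TOKEN_SESSION'], array($this, 'filterToken'));
        }
    }

    /**
     * Check the user agent's HTTP REFERER against XOOPS_URL
     *
     * The Referer header is supplied by the client and can be suppressed or
     * forged; treat this as defence in depth only. A plain prefix comparison
     * would accept "http://example.com.evil.net/" for XOOPS_URL
     * "http://example.com", so the match must end at a path/query boundary.
     *
     * @param int $docheck 0 to not check the referer (used with XML-RPC), 1 to actively check it
     *
     * @return bool
     **/
    function checkReferer($docheck=1)
    {
        $ref = xoops_getenv('HTTP_REFERER');
        if ($docheck == 0) {
            return true;
        }
        if ($ref == '') {
            return false;
        }
        $base = XOOPS_URL;
        if (strpos($ref, $base) !== 0) {
            return false;
        }
        if (substr($base, -1) !== '/') {
            $rest = substr($ref, strlen($base));
            // substr() yields '' (PHP 8) or false (older) when nothing follows
            if ($rest !== '' && $rest !== false && !in_array($rest[0], array('/', '?', '#'), true)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Check superglobals for contamination
     *
     * Redirects to the site root and exits when the request tries to set a
     * variable that would collide with a superglobal or a core XOOPS global
     * (relevant with register_globals on). Only $_REQUEST is inspected.
     *
     * @return void
     **/
    function checkSuperglobals() {
        $bad_globals = array('GLOBALS', '_SESSION', 'HTTP_SESSION_VARS', '_GET', 'HTTP_GET_VARS', '_POST', 'HTTP_POST_VARS', '_COOKIE', 'HTTP_COOKIE_VARS', '_REQUEST', '_SERVER', 'HTTP_SERVER_VARS', '_ENV', 'HTTP_ENV_VARS', '_FILES', 'HTTP_POST_FILES', 'xoopsDB', 'xoopsUser', 'xoopsUserId', 'xoopsUserGroups', 'xoopsUserIsAdmin', 'xoopsConfig', 'xoopsOption', 'xoopsModule', 'xoopsModuleConfig', 'xoopsRequestUri');
        foreach ($bad_globals as $bad_global) {
            if (isset($_REQUEST[$bad_global])) {
                header('Location: '.XOOPS_URL.'/');
                exit();
            }
        }
    }

    /**
     * Check if visitor's IP address is banned
     * Should be changed to return bool and let the action be up to the calling script
     *
     * Caveats:
     *  - REMOTE_ADDR is the TCP peer; behind a reverse proxy or load balancer
     *    it is the proxy's address and every visitor looks the same.
     *  - $xoopsConfig['bad_ips'] entries are used as unanchored regular
     *    expressions ("10.0.0.1" also matches "110.0.0.12"); an unescaped "/"
     *    in an entry breaks the pattern. Entries come from admin configuration.
     *
     * @return void
     **/
    function checkBadips() {
        global $xoopsConfig;
        if (empty($xoopsConfig['enable_badips']) || $xoopsConfig['enable_badips'] != 1) {
            return;
        }
        if (empty($_SERVER['REMOTE_ADDR'])) {
            return;
        }
        if (empty($xoopsConfig['bad_ips']) || !is_array($xoopsConfig['bad_ips'])) {
            return;
        }
        foreach ($xoopsConfig['bad_ips'] as $bi) {
            if (!empty($bi) && preg_match('/' . $bi . '/', $_SERVER['REMOTE_ADDR'])) {
                exit();
            }
        }
    }

    /**
     * Get the HTML code for a XoopsFormHiddenToken object - used in forms that do not use XoopsForm elements
     *
     * @return string
     **/
    function getTokenHTML() {
        require_once(XOOPS_ROOT_PATH."/class/xoopsformloader.php");
        $token = new XoopsFormHiddenToken();
        return $token->render();
    }

    /**
     * Add an error
     *
     * @param string $error
     **/
    function setErrors($error)
    {
        $this->errors[] = trim($error);
    }

    /**
     * Get generated errors
     *
     * @param bool $ashtml Format using HTML?
     *
     * @return array|string Array of array messages OR HTML string
     */
    function &getErrors($ashtml = false)
    {
        if (!$ashtml) {
            return $this->errors;
        } else {
            $ret = '';
            if (count($this->errors) > 0) {
                foreach ($this->errors as $error) {
                    $ret .= $error.'<br />';
                }
            }
            return $ret;
        }
    }
}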