
Revision 1457

Added by Dietmar almost 13 years ago

Preparing 2.8.2 stable, last tests


SecureForm.php
37 37
		$this->_salt = $this->_generate_salt();
38 38
		$this->_fingerprint = $this->_generate_fingerprint();
39 39
	// generate names for session variables
40
		$this->_ftan_name = substr($this->_fingerprint, -(16 + hexdec($this->_fingerprint[0])), 16);
40
		$this->_ftan_name =
41
			substr($this->_fingerprint, -(16 + hexdec($this->_fingerprint[0])), 16);
41 42
	// make sure there is a alpha-letter at first position
42
		$this->_ftan_name[0] = dechex(10 + (hexdec($this->_ftan_name[0]) % 5));
43
		$this->_idkey_name = substr($this->_fingerprint,
44
				                    hexdec($this->_fingerprint[strlen($this->_fingerprint)-1]), 16);
43
		$this->_ftan_name = $this->_makeFirst2Letter($this->_ftan_name);
44
		$this->_idkey_name = 
45
			substr($this->_fingerprint, hexdec($this->_fingerprint[strlen($this->_fingerprint)-1]), 16);
45 46
	// make sure there is a alpha-letter at first position
46
		$this->_idkey_name[0] = dechex(10 + (hexdec($this->_idkey_name[0]) % 5));
47
		$this->_idkey_name = $this->_makeFirst2Letter($this->_idkey_name);
47 48
	// takeover id_keys from session if available
48 49
		if(isset($_SESSION[$this->_idkey_name]) && is_array($_SESSION[$this->_idkey_name]))
49 50
		{
......
54 55
		}
55 56
	}
56 57

  
58
	private function _makeFirst2Letter($string)
59
	{
60
		$string[0] = dechex(10 + (hexdec($string[0]) % 5));
61
		return $string;
62
	}
63

  
57 64
	private function _generate_salt()
58 65
	{
59 66
		if(function_exists('microtime'))
......
79 86
		$fingerprint .= PHP_VERSION;
80 87
	// client depending values
81 88
		$fingerprint .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '17';
82
		$usedOctets = ( defined('FINGERPRINT_WITH_IP_OCTETS') ) ? intval(defined('FINGERPRINT_WITH_IP_OCTETS')) : 0;
89
		$usedOctets = ( defined('FINGERPRINT_WITH_IP_OCTETS') ) ? (intval(FINGERPRINT_WITH_IP_OCTETS) % 5) : 2;
83 90
		$clientIp = ( isset($_SERVER['REMOTE_ADDR'])  ? $_SERVER['REMOTE_ADDR'] : '' );
84 91
		if(($clientIp != '') && ($usedOctets > 0)){
85 92
			$ip = explode('.', $clientIp);
......
96 103
	{
97 104
		$ftan = md5($tanPart . $this->_fingerprint);
98 105
		$name = substr($ftan, -(16 + hexdec($ftan[0])), 16);
99
		$name[0] = dechex(10 + (hexdec($name[0]) % 5));
106
		$name = $this->_makeFirst2Letter($name);
100 107
		$value = substr($ftan, hexdec($ftan[strlen($ftan)-1]), 16);
101 108
		return array( $name, $value);
102 109
	}
103
/*
110
/**
104 111
 * creates Formular transactionnumbers for unique use
105
 * @access public
106
 * @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default)
107
 *                     false returns an GET argument 'key=value'
108
 * @return mixed:      array or string
109 112
 *
113
 * @return void
110 114
 * requirements: an active session must be available
111 115
 */
112
	final public function getFTAN( $as_tag = true)
116
	final protected function createFTAN()
113 117
	{
114 118
		if( $this->_FTAN == '')
115 119
		{ // if no FTAN exists, create new one from time and salt
116 120
			$this->_FTAN = md5($this->_fingerprint.$this->_salt);
117 121
			$_SESSION[$this->_ftan_name] = $this->_FTAN; // store FTAN into session
118 122
		}
123
	}
124
/*
125
 * returns the current FTAN
126
 * @access public
127
 * @param bool $mode: true or POST returns a complete prepared, hidden HTML-Input-Tag (default)
128
 *                    false or GET returns an GET argument 'key=value'
129
 * @return mixed:     array or string
130
 */
131
	final public function getFTAN( $mode = 'POST')
132
	{
119 133
		$ftan = $this->_calcFtan($this->_FTAN);
120
		if($as_tag == true)
134
		if((is_string($mode) && strtolower($mode) == 'post') || ($mode === true))
121 135
		{ // by default return a complete, hidden <input>-tag
122 136
			return '<input type="hidden" name="'.$ftan[0].'" value="'.$ftan[1].'" title="" alt="" />';
123
		}else{ // return an array with raw FTAN0 and FTAN1
137
		}else{ // return an string with GET params (FTAN0=FTAN1)
124 138
			return $ftan[0].'='.$ftan[1];
125 139
		}
126 140
	}
......
137 151
	final public function checkFTAN( $mode = 'POST')
138 152
	{
139 153
		$retval = false;
140
		if(isset($_SESSION[$this->_ftan_name]) &&
141
		   (strlen($_SESSION[$this->_ftan_name]) == strlen(md5('dummy'))))
154
		if(isset($_SESSION[$this->_ftan_name]))
142 155
		{
143
			$ftan = $this->_calcFtan($_SESSION[$this->_ftan_name]);
144
			unset($_SESSION[$this->_ftan_name]);
145
			$mode = (strtoupper($mode) != 'POST' ? '_GET' : '_POST');
146
			if( isset($GLOBALS[$mode][$ftan[0]]))
156
			if( $_SESSION[$this->_ftan_name] && (strlen($_SESSION[$this->_ftan_name]) == strlen(md5('dummy'))))
147 157
			{
148
				$retval = ($GLOBALS[$mode][$ftan[0]] == $ftan[1]);
149
				unset($GLOBALS[$mode][$ftan[0]]);
158
				$ftan = $this->_calcFtan($_SESSION[$this->_ftan_name]);
159
				unset($_SESSION[$this->_ftan_name]);
160
				$mode = (strtoupper($mode) != 'POST' ? '_GET' : '_POST');
161
				if( isset($GLOBALS[$mode][$ftan[0]]))
162
				{
163
					$retval = ($GLOBALS[$mode][$ftan[0]] == $ftan[1]);
164
					unset($GLOBALS[$mode][$ftan[0]]);
165
				}
150 166
			}
151 167
		}
152 168
		return $retval;
......
211 227
			default:
212 228
				$key = $fieldname;
213 229
		}
230

  
214 231
		if( preg_match('/[0-9a-f]{16}$/', $key) )
215 232
		{ // key must be a 16-digit hexvalue
216 233
			if( array_key_exists($key, $this->_IDKEYs))
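Review bot: In the checkFTAN hunk the restructured check still validates the submitted token with a loose comparison, `$retval = ($GLOBALS[$mode][$ftan[0]] == $ftan[1]);`, so an attacker-controlled request value is compared to a hex token with PHP's numeric-string rules; when the 16-character token happens to look like `0e` followed by digits, `==` treats it as the float 0 and accepts unrelated inputs such as `"0"`. The comparison should be strict, `$retval = (is_string($GLOBALS[$mode][$ftan[0]]) && $GLOBALS[$mode][$ftan[0]] === $ftan[1]);`, and where the runtime provides `hash_equals()` that function is the better choice since it also avoids leaking token bytes through comparison timing. The same loose `==` is used in the old lines being removed, so this is pre-existing rather than introduced here, but the commit rewrites this branch and is the natural place to fix it. The new getFTAN no longer calls createFTAN before `_calcFtan($this->_FTAN)`, so if nothing else creates the FTAN first the emitted token is never stored in the session and can never validate; worth confirming against the constructor, which is outside this hunk. checkFTAN's body continues past the end of the hunk.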

Also available in: Unified diff