Revision 1699
Added by Dietmar almost 12 years ago
SecureForm.mtab.php | ||
---|---|---|
17 | 17 |
*/ |
18 | 18 |
## Heavy patched version, idea for patches based on : |
19 | 19 |
## http://stackoverflow.com/questions/2695153/php-csrf-how-to-make-it-works-in-all-tabs/2695291#2695291 |
20 |
## Whith this patch the token System now allows for multiple browser tabs but
|
|
20 |
## Whith this patch the token System now allows for multiple browser tabs but |
|
21 | 21 |
## denies the use of multiple browsers. |
22 | 22 |
## You can configure this class by adding several constants to your config.php |
23 |
## All Patches are Copyright Norbert Heimsath released under GPLv3
|
|
23 |
## All Patches are Copyright Norbert Heimsath released under GPLv3 |
|
24 | 24 |
## http://www.gnu.org/licenses/gpl.html |
25 | 25 |
## Take a look at __construkt for configuration options(constants). |
26 | 26 |
## Patch version 0.3.5 |
27 | 27 |
|
28 | 28 |
/** |
29 |
* |
|
29 | 30 |
* If you want some special configuration put this somewhere in your config.php for |
30 | 31 |
* example or just uncomment the lines here |
31 | 32 |
* |
... | ... | |
44 | 45 |
* define ('WB_SECFORM_TOKENNAME','my3form3'); |
45 | 46 |
* how many blocks of the IP should be used in fingerprint 0=no ipcheck, possible values 0-4 |
46 | 47 |
* define ('FINGERPRINT_WITH_IP_OCTETS',2); |
48 |
* |
|
49 |
* Fixed IDKEY in Secureform 2012/08/27 by NorHey |
|
50 |
* |
|
51 |
* I still had problems whith Security warnings on pages that used alot of |
|
52 |
* IDKEYS. For example if i tried to move a field in the basic form module |
|
53 |
* i had one Warning on in about 15 atempts. |
|
54 |
* |
|
55 |
* Another Problem: unused old IDKEYS where never deleted so session got |
|
56 |
* spammed by idkeys. |
|
57 |
* |
|
58 |
* So i made a more unique ID, recursive checking for overlapping ids, |
|
59 |
* added a tiemout for IDKEYS (same as for FTAN) and added a page parameter |
|
60 |
* to instantly delete all keys from a pagecall if one is used. |
|
61 |
* |
|
62 |
* Last thing i added is an additional parameter that allows the use of |
|
63 |
* IDKEYS whith ajax scripts. If this setting is used, the key is not |
|
64 |
* removed and can be used multiple times. (this is a small security risk |
|
65 |
* but nothing compared to the 1 in 16 chance to guess the key that we had before.) |
|
66 |
* |
|
47 | 67 |
*/ |
68 |
|
|
48 | 69 |
/* -------------------------------------------------------- */ |
49 | 70 |
// Must include code to stop this file being accessed directly |
50 | 71 |
if(!defined('WB_PATH')) { |
... | ... | |
56 | 77 |
class SecureForm { |
57 | 78 |
|
58 | 79 |
const FRONTEND = 0; |
59 |
const BACKEND = 1;
|
|
80 |
const BACKEND = 1; |
|
60 | 81 |
|
61 | 82 |
## additional private data |
62 | 83 |
private $_secret = '5609bnefg93jmgi99igjefg'; |
63 |
private $_secrettime = 86400; #Approx. one day
|
|
84 |
private $_secrettime = 86400; #Approx. one day |
|
64 | 85 |
private $_tokenname = 'formtoken'; |
65 |
private $_timeout = 7200;
|
|
86 |
private $_timeout = 7200; |
|
66 | 87 |
private $_useipblocks = 2; |
67 | 88 |
private $_usefingerprint = true; |
89 |
private $_page_uid = ""; |
|
90 |
private $_page_id = ""; |
|
68 | 91 |
### additional private data |
69 | 92 |
|
70 | 93 |
private $_FTAN = ''; |
... | ... | |
77 | 100 |
/* Construtor */ |
78 | 101 |
protected function __construct($mode = self::FRONTEND){ |
79 | 102 |
|
80 |
## additional constants and stuff for global configuration
|
|
103 |
// additional constants and stuff for global configuration
|
|
81 | 104 |
|
82 |
# Secret can contain anything its the base for the secret part of the hash
|
|
83 |
if (defined ('WB_SECFORM_SECRET')){
|
|
105 |
// Secret can contain anything its the base for the secret part of the hash
|
|
106 |
if (defined ('WB_SECFORM_SECRET')){ |
|
84 | 107 |
$this->_secret=WB_SECFORM_SECRET; |
85 | 108 |
} |
86 | 109 |
|
87 |
# shall we use fingerprinting
|
|
110 |
// shall we use fingerprinting
|
|
88 | 111 |
if (defined ('WB_SECFORM_USEFP') AND WB_SECFORM_USEFP===false){ |
89 | 112 |
$this->_usefingerprint = false; |
90 | 113 |
} |
91 | 114 |
|
92 |
# Timeout till the form token times out. Integer value between 0-86400 seconds (one day)
|
|
115 |
// Timeout till the form token times out. Integer value between 0-86400 seconds (one day)
|
|
93 | 116 |
if (defined ('WB_SECFORM_TIMEOUT') AND is_numeric(WB_SECFORM_TIMEOUT) AND intval(WB_SECFORM_TIMEOUT) >=0 AND intval(WB_SECFORM_TIMEOUT) <=86400 ){ |
94 | 117 |
$this->_timeout=intval(WB_SECFORM_TIMEOUT); |
95 | 118 |
} |
96 |
# Name for the token form element only alphanumerical string allowed that starts whith a charakter
|
|
119 |
// Name for the token form element only alphanumerical string allowed that starts whith a charakter
|
|
97 | 120 |
if (defined ('WB_SECFORM_TOKENNAME') AND !$this->_validate_alalnum(WB_SECFORM_TOKENNAME)){ |
98 | 121 |
$this->_tokenname=WB_SECFORM_TOKENNAME; |
99 | 122 |
} |
100 |
# how many bloks of the IP should be used 0=no ipcheck
|
|
123 |
// how many bloks of the IP should be used 0=no ipcheck
|
|
101 | 124 |
if (defined ('FINGERPRINT_WITH_IP_OCTETS') AND !$this->_is04(FINGERPRINT_WITH_IP_OCTETS)){ |
102 | 125 |
$this->_useipblocks=FINGERPRINT_WITH_IP_OCTETS; |
103 | 126 |
} |
104 |
## additional stuff end |
|
127 |
|
|
128 |
// create a unique pageid for per page management of idkeys , especially |
|
129 |
// to identify and delete unused ones from same page call. |
|
130 |
$this->_page_uid = uniqid (rand(), true); |
|
131 |
|
|
132 |
// additional stuff end |
|
105 | 133 |
$this->_browser_fingerprint = $this->_browser_fingerprint(true); |
106 | 134 |
$this->_fingerprint = $this->_generate_fingerprint(); |
107 | 135 |
$this->_serverdata = $this->_generate_serverdata(); |
... | ... | |
132 | 160 |
|
133 | 161 |
$secret .= $this->_secret.$this->_serverdata.session_id(); |
134 | 162 |
if ($this->_usefingerprint){$secret.= $this->_browser_fingerprint;} |
135 |
|
|
163 |
|
|
136 | 164 |
return $secret; |
137 | 165 |
} |
138 | 166 |
|
... | ... | |
155 | 183 |
{ |
156 | 184 |
// server depending values |
157 | 185 |
$fingerprint = $this->_generate_serverdata(); |
158 |
|
|
186 |
|
|
159 | 187 |
// client depending values |
160 | 188 |
$fingerprint .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '17'; |
161 | 189 |
$usedOctets = ( defined('FINGERPRINT_WITH_IP_OCTETS') ) ? intval(defined('FINGERPRINT_WITH_IP_OCTETS')) : 0; |
... | ... | |
192 | 220 |
return $serverdata; |
193 | 221 |
} |
194 | 222 |
|
195 |
// fake funktion , just exits to avoid error message
|
|
223 |
// fake funktion , just exits to avoid error message |
|
196 | 224 |
final protected function createFTAN(){} |
197 | 225 |
|
198 | 226 |
/* |
... | ... | |
261 | 289 |
* |
262 | 290 |
* @requirements: an active session must be available |
263 | 291 |
* @description: IDKEY can handle string/numeric/array - vars. Each key is a |
292 |
* shortened md5 String |
|
264 | 293 |
*/ |
265 |
final public function getIDKEY($value) |
|
266 |
{ |
|
267 |
if( is_array($value) == true ) |
|
268 |
{ // serialize value, if it's an array |
|
269 |
$value = serialize($value); |
|
294 |
final public function getIDKEY($value) { |
|
295 |
|
|
296 |
|
|
297 |
// serialize value, if it's an array |
|
298 |
if( is_array($value) == true ) $value = serialize($value); |
|
299 |
|
|
300 |
// cryptsome random stuff with salt into md5-hash |
|
301 |
$key = md5($this->_salt.rand().uniqid('', true)); |
|
302 |
|
|
303 |
//shorten hash a bit |
|
304 |
$key = str_replace(array("=","$","+"),array("-","_",""),base64_encode(pack('H*',$key))); |
|
305 |
|
|
306 |
// the key is unique, so store it in list |
|
307 |
if( !array_key_exists($key, $_SESSION[$this->_idkey_name])) { |
|
308 |
$_SESSION[$this->_idkey_name][$key]['value'] = $value; |
|
309 |
$_SESSION[$this->_idkey_name][$key]['time'] = time(); |
|
310 |
$_SESSION[$this->_idkey_name][$key]['page'] = $this->_page_uid; |
|
270 | 311 |
} |
271 |
// crypt value with salt into md5-hash |
|
272 |
// and return a 16-digit block from random start position |
|
273 |
$key = substr( md5($this->_salt.(string)$value), rand(0,15), 16); |
|
274 |
do{ // loop while key/value isn't added |
|
275 |
if( !array_key_exists($key, $this->_IDKEYs) ) |
|
276 |
{ // the key is unique, so store it in list |
|
277 |
$this->_IDKEYs[$key] = $value; |
|
278 |
break; |
|
279 |
}else { |
|
280 |
// if key already exist, increment the last five digits until the key is unique |
|
281 |
$key = substr($key, 0, -5).dechex(('0x'.substr($key, -5)) + 1); |
|
282 |
} |
|
283 |
}while(0); |
|
284 |
// store key/value-pairs into session |
|
285 |
$_SESSION[$this->_idkey_name] = $this->_IDKEYs; |
|
312 |
// if key already exist, try again, dont store as it already been stored |
|
313 |
else $key = $this->getIDKEY($value); |
|
314 |
|
|
286 | 315 |
return $key; |
287 | 316 |
} |
288 | 317 |
|
... | ... | |
298 | 327 |
* @description: each IDKEY can be checked only once. Unused Keys stay in list until the |
299 | 328 |
* session is destroyed. |
300 | 329 |
*/ |
301 |
final public function checkIDKEY( $fieldname, $default = 0, $request = 'POST' )
|
|
330 |
final public function checkIDKEY( $fieldname, $default = 0, $request = 'POST', $ajax=false)
|
|
302 | 331 |
{ |
332 |
//Remove timed out idkeys |
|
333 |
$_SESSION[$this->_idkey_name]= array_filter( $_SESSION[$this->_idkey_name],array($this, "_timedout")); |
|
334 |
|
|
335 |
|
|
303 | 336 |
$return_value = $default; // set returnvalue to default |
304 | 337 |
switch( strtoupper($request) ) |
305 | 338 |
{ |
... | ... | |
312 | 345 |
default: |
313 | 346 |
$key = $fieldname; |
314 | 347 |
} |
315 |
if( preg_match('/[0-9a-f]{16}$/', $key) ) |
|
316 |
{ // key must be a 16-digit hexvalue |
|
317 |
if( array_key_exists($key, $this->_IDKEYs)) |
|
318 |
{ // check if key is stored in IDKEYs-list |
|
319 |
$return_value = $this->_IDKEYs[$key]; // get stored value |
|
320 |
unset($this->_IDKEYs[$key]); // remove from list to prevent multiuse |
|
321 |
$_SESSION[$this->_idkey_name] = $this->_IDKEYs; // save modified list into session again |
|
348 |
if( preg_match('/[0-9a-zA-Z\-\_]{1,32}$/', $key) ) { // key must match the generated ones |
|
349 |
if( array_key_exists($key, $_SESSION[$this->_idkey_name])) { // check if key is stored in IDKEYs-list |
|
350 |
$return_value = $_SESSION[$this->_idkey_name][$key]['value']; // get stored value |
|
351 |
$this->_page_id = $_SESSION[$this->_idkey_name][$key]['page']; |
|
352 |
|
|
353 |
if ($ajax === false) { |
|
354 |
//Remove all keys from this page to prevent multiuse and session mem usage |
|
355 |
$_SESSION[$this->_idkey_name]= array_filter( $_SESSION[$this->_idkey_name],array($this, "_fpages")); |
|
356 |
//unset($_SESSION[$this->_idkey_name][$key]); // remove from list to prevent multiuse |
|
357 |
} |
|
322 | 358 |
if( preg_match('/.*(?<!\{).*(\d:\{.*;\}).*(?!\}).*/', $return_value) ) |
323 | 359 |
{ // if value is a serialized array, then deserialize it |
324 | 360 |
$return_value = unserialize($return_value); |
325 | 361 |
} |
326 | 362 |
} |
327 | 363 |
} |
364 |
|
|
328 | 365 |
return $return_value; |
329 | 366 |
} |
330 | 367 |
|
368 |
private function _timedout( $var ) { |
|
369 |
if ($var['time'] < time()-$this->_timeout) return false; |
|
370 |
return true; |
|
371 |
} |
|
372 |
private function _fpages( $var ) { |
|
373 |
if ($var['page'] == $this->_page_id) return false; |
|
374 |
return true; |
|
375 |
} |
|
376 |
|
|
331 | 377 |
/* @access public |
332 | 378 |
* @return void |
333 | 379 |
* |
... | ... | |
345 | 391 |
## all are Copyright Norbert Heimsath, heimsath.org |
346 | 392 |
## released under GPLv3 http://www.gnu.org/licenses/gpl.html |
347 | 393 |
|
348 |
/* Made because ctype_ gives strange results using mb Strings*/
|
|
394 |
/* Made because ctype_ gives strange results using mb Strings*/ |
|
349 | 395 |
private function _validate_alalnum($input){ |
350 |
# alphanumerical string that starts whith a letter charakter
|
|
396 |
# alphanumerical string that starts whith a letter charakter |
|
351 | 397 |
if (preg_match('/^[a-zA-Z][0-9a-zA-Z]+$/u', $input)) |
352 | 398 |
{return false;} |
353 |
|
|
399 |
|
|
354 | 400 |
return "The given input is not an alphanumeric string."; |
355 |
}
|
|
401 |
} |
|
356 | 402 |
|
357 | 403 |
private function _is04($input){ |
358 | 404 |
# integer value between 0-4 |
359 | 405 |
if (preg_match('/^[0-4]$/', $input)) {return false;} |
360 |
|
|
406 |
|
|
361 | 407 |
return "The given input is not an alphanumeric string."; |
362 |
}
|
|
408 |
} |
|
363 | 409 |
|
364 | 410 |
|
365 | 411 |
private function _getip($ipblocks=4){ |
... | ... | |
368 | 414 |
*/ |
369 | 415 |
$ip = ""; //Ip address result |
370 | 416 |
$cutip = ""; //Ip address cut to limit |
371 |
|
|
372 |
# mabe user is behind a Proxy but we need his real ip address if we got a nice Proxyserver,
|
|
417 |
|
|
418 |
# mabe user is behind a Proxy but we need his real ip address if we got a nice Proxyserver, |
|
373 | 419 |
# it sends us the "HTTP_X_FORWARDED_FOR" Header. Sometimes there is more than one Proxy. |
374 | 420 |
# !!!!!! THIS PART WAS NEVER TESTED BECAUSE I ONLY GOT A DIRECT INTERNET CONNECTION !!!!!! |
375 | 421 |
# long2ip(ip2long($lastip)) makes sure we got nothing else than an ip into our script ;-) |
... | ... | |
380 | 426 |
$lastip = array_pop($iplist); |
381 | 427 |
$ip.= long2ip(ip2long($lastip)); |
382 | 428 |
} |
383 |
|
|
429 |
|
|
384 | 430 |
/* If theres no other supported info we just use REMOTE_ADDR |
385 | 431 |
If we have a fiendly proxy supporting HTTP_X_FORWARDED_FOR its ok to use the full address. |
386 |
But if there is no HTTP_X_FORWARDED_FOR we can not be sure if its a proxy or whatever, so we use the
|
|
387 |
blocklimit for IP address.
|
|
432 |
But if there is no HTTP_X_FORWARDED_FOR we can not be sure if its a proxy or whatever, so we use the |
|
433 |
blocklimit for IP address. |
|
388 | 434 |
*/ |
389 |
else
|
|
435 |
else |
|
390 | 436 |
{ |
391 | 437 |
$ip = long2ip(ip2long($_SERVER['REMOTE_ADDR'])); |
392 |
|
|
438 |
|
|
393 | 439 |
# ipblocks used here defines how many blocks of the ip adress are checked xxx.xxx.xxx.xxx |
394 | 440 |
$blocks = explode('.', $ip); |
395 | 441 |
for ($i=0; $i<$ipblocks; $i++){ |
... | ... | |
397 | 443 |
} |
398 | 444 |
$ip=substr($cutip, 0, -1); |
399 | 445 |
} |
400 |
|
|
446 |
|
|
401 | 447 |
return $ip; |
402 | 448 |
} |
403 |
|
|
449 |
|
|
404 | 450 |
private function _browser_fingerprint($encode=true,$fpsalt="My Fingerprint: "){ |
405 | 451 |
/* |
406 | 452 |
Creates a basic Browser Fingerprint for securing the session and forms. |
407 | 453 |
*/ |
408 |
|
|
454 |
|
|
409 | 455 |
$fingerprint=$fpsalt; |
410 | 456 |
if (isset($_SERVER['HTTP_USER_AGENT'])){ $fingerprint .= $_SERVER['HTTP_USER_AGENT'];} |
411 | 457 |
if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];} |
412 | 458 |
if (isset($_SERVER['HTTP_ACCEPT_ENCODING'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_ENCODING'];} |
413 | 459 |
if (isset($_SERVER['HTTP_ACCEPT_CHARSET'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_CHARSET'];} |
414 |
|
|
460 |
|
|
415 | 461 |
$fingerprint.= $this->_getip($this->_useipblocks); |
416 |
|
|
462 |
|
|
417 | 463 |
if ($encode){$fingerprint=md5($fingerprint);} |
418 |
|
|
464 |
|
|
419 | 465 |
return $fingerprint; |
420 | 466 |
} |
421 | 467 |
## |
422 | 468 |
## additional Functions END |
423 | 469 |
## |
424 |
} |
|
470 |
} |
Also available in: Unified diff
! Fixed IDKEY in Secureform.mtab to solve issues whith Security warnings
! on pages that used a lot of IDKEYS. (fixed by NorHei)