Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1339)
+++ branches/2.8.x/CHANGELOG	(revision 1340)
@@ -11,6 +11,8 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.1 -------------------------------------
+02-May-2010 Dietmar Woellbrink (Luisehahne)
+!	added IdKey to class secureForm
 30-Apr-2010 Dietmar Woellbrink (Luisehahne)
 !	changes Backend javascripts from body to head
 28-Apr-2010 Dietmar Woellbrink (Luisehahne)
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1339)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1340)
@@ -52,6 +52,6 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.x');
-if(!defined('REVISION')) define('REVISION', '1339');
+if(!defined('REVISION')) define('REVISION', '1340');
 
 ?>
\ No newline at end of file
Index: branches/2.8.x/wb/framework/class.secureform.php
===================================================================
--- branches/2.8.x/wb/framework/class.secureform.php	(revision 1339)
+++ branches/2.8.x/wb/framework/class.secureform.php	(revision 1340)
@@ -23,14 +23,21 @@
 
 	/* insert global vars here... */
 
-	var $_FTAN  = '';
-	var $_IDKEYs = array();
+	var $_FTAN   = '';
+	var $_IDKEYs = '';
+	var $_salt   = '';
 
 	function SecureForm()
 	{
 //		$this->__construct();
 		$this->_FTAN  = '';
-// 		if(isset($_SESSION['FTAN'])) { unset($_SESSION['FTAN']); }
+		$this->_salt = $this->_generate_salt();
+		if(isset($_SESSION['IDKEYS']))
+		{
+			$this->_IDKEYs = $_SESSION['IDKEYS'];
+		}else {
+			$this->_IDKEYs = array();
+		}
 	}
 //	function __construct()
 //	{
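Review bot: `$_IDKEYs` is now declared as `''` although every use in this class treats it as an array, and the constructor copies `$_SESSION['IDKEYS']` into it without checking its type. Keeping the default as `var $_IDKEYs = array();` and guarding the load with `if(isset($_SESSION['IDKEYS']) && is_array($_SESSION['IDKEYS']))` would keep the later `array_key_exists()` calls from ever seeing a non-array. A one-line comment on `$_salt` saying that it is rebuilt from `$_SERVER` values each time the object is constructed would also help the next reader.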
@@ -38,6 +45,26 @@
 //		if(isset($_SESSION['FTAN'])) { unset($_SESSION['FTAN']); }
 //	}
 
+
+	function _generate_salt()
+	{
+		// server depending values
+ 		$salt  = ( isset($_SERVER['SERVER_SIGNATURE']) ) ? $_SERVER['SERVER_SIGNATURE'] : '2';
+		$salt .= ( isset($_SERVER['SERVER_SOFTWARE']) ) ? $_SERVER['SERVER_SOFTWARE'] : '3';
+		$salt .= ( isset($_SERVER['SERVER_NAME']) ) ? $_SERVER['SERVER_NAME'] : '5';
+		$salt .= ( isset($_SERVER['SERVER_ADDR']) ) ? $_SERVER['SERVER_ADDR'] : '7';
+		$salt .= ( isset($_SERVER['SERVER_PORT']) ) ? $_SERVER['SERVER_PORT'] : '11';
+		$salt .= ( isset($_SERVER['SERVER_ADMIN']) ) ? $_SERVER['SERVER_ADMIN'] : '13';
+		$salt .= PHP_VERSION;
+		// client depending values
+		$salt .= ( isset($_SERVER['HTTP_ACCEPT']) ) ? $_SERVER['HTTP_ACCEPT'] : '17';
+		$salt .= ( isset($_SERVER['HTTP_ACCEPT_CHARSET']) ) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : '19';
+		$salt .= ( isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '23';
+		$salt .= ( isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '29';
+		$salt .= ( isset($_SERVER['HTTP_CONNECTION']) ) ? $_SERVER['HTTP_CONNECTION'] : '31';
+		$salt .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '37';
+		return $salt;
+	}
 /*
  * creates Formular transactionnumbers for unique use
  * @access public
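Review bot: `_generate_salt()` contains no secret and no randomness: the "server depending" values are fixed per installation and mostly observable from outside, and the "client depending" values are request headers the client chooses itself. The same weakness carries into `md5($time.$this->_salt)` in the getFTAN hunk and `md5($this->_salt.(string)$value)` in `getIDKEY()`, so the tokens are only as unpredictable as `time()` or the hidden value. Mixing in a per-session random secret would fix this, for example `if(!isset($_SESSION['SF_SECRET'])) { $_SESSION['SF_SECRET'] = bin2hex(random_bytes(16)); }` followed by `$salt .= $_SESSION['SF_SECRET'];` (the key name is a placeholder, and `random_bytes()` needs a current PHP). The block comment that follows the function belongs to the next method, which starts outside this hunk.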
@@ -58,16 +85,9 @@
 			}else{
 				$time = (string)time();
 			}
-			$salt  = ( isset($_SERVER['HTTP_ACCEPT']) ? $_SERVER['HTTP_ACCEPT'] : '');
-			$salt .= ( isset($_SERVER['HTTP_ACCEPT_CHARSET']) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : '');
-			$salt .= ( isset($_SERVER['HTTP_ACCEPT_ENCODING']) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '');
-			$salt .= ( isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '');
-			$salt .= ( isset($_SERVER['HTTP_CONNECTION']) ? $_SERVER['HTTP_CONNECTION'] : '');
-			$salt .= ( isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
-			$salt .= ( isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : '');
-			$salt  = ( $salt !== '' ) ? $salt : 'eXtremelyHotTomatoJuice';
-			$this->_FTAN = md5($time.$salt);
+			$this->_FTAN = md5($time.$this->_salt);
 			$_SESSION['FTAN'] = $this->_FTAN;
+
 		}
 		$ftan0 = 'a'.substr($this->_FTAN, -(10 + hexdec(substr($this->_FTAN, 1))), 10);
 		$ftan1 = 'a'.substr($this->_FTAN, hexdec(substr($this->_FTAN, -1)), 10);
@@ -109,8 +129,56 @@
 		return $retval;
 	}
 
+/*
+ * save values in session and returns a ID-key
+ * @access public
+ * @param mixed $value: the value for witch a key shall generated and memorized
+ * @return string:      a MD5-Key to use instead of the real value
+ *
+ * requirements: an active session must be available
+ */
+	function getIDKEY($value)
+	{
+		$isarray = is_array($value);
+		if( $isarray ) { $value = serialize($value); }
+		$key = md5($this->_salt.(string)$value);
+		if( $isarray ) { $key[5] = 'h'; }
+		$added = false;
+		while(!$added)
+		{
+			if( !array_key_exists($key, $this->_IDKEYs) )
+			{
+				$this->_IDKEYs[$key] = $value;
+				$added = true;
+			}else {
+			// if key already exist, increment the last four digits until the key is unique
+				$key = substr($key, -4).dechex(('0x'.substr($key0, -4)) + 1);
+			}
+		}
+		$_SESSION['IDKEYS'] = $this->_IDKEYs;
+		return $key;
+	}
 
-
+/*
+ * search for key in session and returns the original value
+ * @access public
+ * @param string $key: the alias-key from the original value
+ * @return mixed: the original value (string, numeric, array) or NULL if request fails
+ *
+ * requirements: an active session must be available
+ */
+	function checkIDKEY( $key )
+	{
+		$value = null;
+		if( array_key_exists($key, $this->_IDKEYs))
+		{
+			$value = $this->_IDKEYs[$key];
+			unset($this->_IDKEYs[$key]);
+			$_SESSION['IDKEYS'] = $this->_IDKEYs;
+			if($value[5] == 'h') { $value = unserialize($value); }
+		}
+		return $value;
+	}
     //put your code here
 }
-?>
+?>
\ No newline at end of file
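Review bot: In `checkIDKEY()` the array marker is tested on the stored value (`$value[5] == 'h'`), but `getIDKEY()` sets it on the key (`$key[5] = 'h'`), so serialized arrays will normally come back as strings while an ordinary string whose sixth character is `h` is handed to `unserialize()`. The check should read `if($key[5] == 'h') { $value = unserialize($value); }`; if callers ever store request-derived strings, the current form also unserializes data the class did not serialize itself. In `getIDKEY()` the collision branch reads the undefined `$key0` and keeps the last four characters instead of the prefix, which shortens the key and can drop the marker; `$key = substr($key, 0, -4).sprintf('%04x', (hexdec(substr($key, -4)) + 1) & 0xffff);` would keep the length and position 5 intact. Entries are removed only by `checkIDKEY()`, so keys that are never submitted accumulate in `$_SESSION['IDKEYS']`; a cap or expiry is worth considering.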
