Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG (revision 1367)
+++ branches/2.8.x/CHANGELOG (revision 1368)
@@ -11,6 +11,10 @@
! = Update/Change
------------------------------------- 2.8.2 -------------------------------------
+31 Dec-2010 Build 1368 Dietmar Woellbrink (Luisehahne)
+- delete class.secureform.php
++ add newest SecureForm
+# fixed Call to a member function read() on a non-object in function register_frontend_modfiles
29 Dec-2010 Build 1367 Dietmar Woellbrink (Luisehahne)
# securtiy fix in class.login
# see http://www.websitebaker2.org/forum/index.php/topic,20347.msg137554.html#msg137554
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php (revision 1367)
+++ branches/2.8.x/wb/admin/interface/version.php (revision 1368)
@@ -52,6 +52,6 @@
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
if(!defined('VERSION')) define('VERSION', '2.8.2.RC3');
-if(!defined('REVISION')) define('REVISION', '1367');
+if(!defined('REVISION')) define('REVISION', '1368');
?>
\ No newline at end of file
Index: branches/2.8.x/wb/framework/class.secureform.php
===================================================================
--- branches/2.8.x/wb/framework/class.secureform.php (revision 1367)
+++ branches/2.8.x/wb/framework/class.secureform.php (nonexistent)
@@ -1,184 +0,0 @@
-__construct();
- $this->_FTAN = '';
- $this->_salt = $this->_generate_salt();
- if(isset($_SESSION['IDKEYS']))
- {
- $this->_IDKEYs = $_SESSION['IDKEYS'];
- }else {
- $this->_IDKEYs = array();
- }
- }
-// function __construct()
-// {
-// var $_FTAN = '';
-// if(isset($_SESSION['FTAN'])) { unset($_SESSION['FTAN']); }
-// }
-
-
- function _generate_salt()
- {
- // server depending values
- $salt = ( isset($_SERVER['SERVER_SIGNATURE']) ) ? $_SERVER['SERVER_SIGNATURE'] : '2';
- $salt .= ( isset($_SERVER['SERVER_SOFTWARE']) ) ? $_SERVER['SERVER_SOFTWARE'] : '3';
- $salt .= ( isset($_SERVER['SERVER_NAME']) ) ? $_SERVER['SERVER_NAME'] : '5';
- $salt .= ( isset($_SERVER['SERVER_ADDR']) ) ? $_SERVER['SERVER_ADDR'] : '7';
- $salt .= ( isset($_SERVER['SERVER_PORT']) ) ? $_SERVER['SERVER_PORT'] : '11';
- $salt .= ( isset($_SERVER['SERVER_ADMIN']) ) ? $_SERVER['SERVER_ADMIN'] : '13';
- $salt .= PHP_VERSION;
- // client depending values
- $salt .= ( isset($_SERVER['HTTP_ACCEPT']) ) ? $_SERVER['HTTP_ACCEPT'] : '17';
- $salt .= ( isset($_SERVER['HTTP_ACCEPT_CHARSET']) ) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : '19';
- $salt .= ( isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '23';
- $salt .= ( isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '29';
- $salt .= ( isset($_SERVER['HTTP_CONNECTION']) ) ? $_SERVER['HTTP_CONNECTION'] : '31';
- $salt .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '37';
- return $salt;
- }
-/*
- * creates Formular transactionnumbers for unique use
- * @access public
- * @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default)
- * false returns an array including FTAN0 and FTAN1
- * @return mixed: array or string
- *
- * requirements: an active session must be available
- */
- function getFTAN( $as_tag = true)
- {
- if( $this->_FTAN == '')
- {
- if(function_exists('microtime'))
- {
- list($usec, $sec) = explode(" ", microtime());
- $time = (string)((float)$usec + (float)$sec);
- }else{
- $time = (string)time();
- }
- $this->_FTAN = md5($time.$this->_salt);
- $_SESSION['FTAN'] = $this->_FTAN;
-
- }
- $ftan0 = 'a'.substr($this->_FTAN, -(10 + hexdec(substr($this->_FTAN, 1))), 10);
- $ftan1 = 'a'.substr($this->_FTAN, hexdec(substr($this->_FTAN, -1)), 10);
- if($as_tag == true)
- {
- return '';
- }else{
- return array('FTAN0' => $ftan0, 'FTAN1' => $ftan1);
- }
- }
-
-/*
- * checks received form-transactionnumbers against session-stored one
- * @access public
- * @param string $mode: requestmethode POST(default) or GET
- * @return bool: true if numbers matches against stored ones
- *
- * requirements: an active session must be available
- * this check will prevent from multiple sending a form. history.back() also will never work
- */
- function checkFTAN( $mode = 'POST')
- {
- $retval = false;
- if(isset($_SESSION['FTAN']) && strlen($_SESSION['FTAN']) == strlen(md5('dummy')))
- {
- $ftan = $_SESSION['FTAN'];
- $ftan0 = 'a'.substr($ftan, -(10 + hexdec(substr($ftan, 1))), 10);
- $ftan1 = 'a'.substr($ftan, hexdec(substr($ftan, -1)), 10);
- unset($_SESSION['FTAN']);
- if(strtoupper($mode) == 'POST')
- {
- $retval = (isset($_POST[$ftan0]) && $_POST[$ftan0] == ($ftan1));
- $_POST[$ftan0] = '';
- }else{
- $retval = (isset($_GET[$ftan0]) && $_GET[$ftan0] == ($ftan1));
- $_GET[$ftan0] = '';
- }
- }
- return $retval;
- }
-
-/*
- * save values in session and returns a ID-key
- * @access public
- * @param mixed $value: the value for witch a key shall generated and memorized
- * @return string: a MD5-Key to use instead of the real value
- *
- * requirements: an active session must be available
- */
- function getIDKEY($value)
- {
- $isarray = is_array($value);
- if( $isarray ) { $value = serialize($value); }
- $key = md5($this->_salt.(string)$value);
- if( $isarray ) { $key[5] = 'h'; }
- $added = false;
- while(!$added)
- {
- if( !array_key_exists($key, $this->_IDKEYs) )
- {
- $this->_IDKEYs[$key] = $value;
- $added = true;
- }else {
- // if key already exist, increment the last four digits until the key is unique
- $key = substr($key, -4).dechex(('0x'.substr($key0, -4)) + 1);
- }
- }
- $_SESSION['IDKEYS'] = $this->_IDKEYs;
- return $key;
- }
-
-/*
- * search for key in session and returns the original value
- * @access public
- * @param string $key: the alias-key from the original value
- * @return mixed: the original value (string, numeric, array) or NULL if request fails
- *
- * requirements: an active session must be available
- */
- function checkIDKEY( $key )
- {
- $value = null;
- if( array_key_exists($key, $this->_IDKEYs))
- {
- $value = $this->_IDKEYs[$key];
- unset($this->_IDKEYs[$key]);
- $_SESSION['IDKEYS'] = $this->_IDKEYs;
- if($value[5] == 'h') { $value = unserialize($value); }
- }
- return $value;
- }
- //put your code here
-}
-?>
\ No newline at end of file
Property changes on: branches/2.8.x/wb/framework/class.secureform.php
___________________________________________________________________
Deleted: svn:executable
## -1 +0,0 ##
-*
\ No newline at end of property
Deleted: svn:keywords
## -1,4 +0,0 ##
-Id
-Revision
-HeadURL
-Date
\ No newline at end of property
Index: branches/2.8.x/wb/framework/SecureForm.php
===================================================================
--- branches/2.8.x/wb/framework/SecureForm.php (nonexistent)
+++ branches/2.8.x/wb/framework/SecureForm.php (revision 1368)
@@ -0,0 +1,237 @@
+'0');
+ private $_ftan_name = '';
+ private $_idkey_name = '';
+ private $_salt = '';
+ private $_fingerprint = '';
+
+/* Construtor */
+ protected function __construct()
+ {
+ $this->_FTAN = '';
+ $this->_salt = $this->_generate_salt();
+ $this->_fingerprint = $this->_generate_fingerprint();
+ // generate names for session variables
+ $this->_ftan_name = substr($this->_fingerprint, -(16 + hexdec($this->_fingerprint[0])), 16);
+ // make sure there is a alpha-letter at first position
+ $this->_ftan_name[0] = dechex(10 + (hexdec($this->_ftan_name[0]) % 5));
+ $this->_idkey_name = substr($this->_fingerprint, hexdec($this->_fingerprint[strlen($this->_fingerprint)-1]), 16);
+ // make sure there is a alpha-letter at first position
+ $this->_idkey_name[0] = dechex(10 + (hexdec($this->_idkey_name[0]) % 5));
+ // takeover id_keys from session if available
+ if(isset($_SESSION[$this->_idkey_name]) && is_array($_SESSION[$this->_idkey_name]))
+ {
+ $this->_IDKEYs = $_SESSION[$this->_idkey_name];
+ }else{
+ $this->_IDKEYs = array('0'=>'0');
+ $_SESSION[$this->_idkey_name] = $this->_IDKEYs;
+ }
+ }
+
+ private function _generate_salt()
+ {
+ if(function_exists('microtime'))
+ {
+ list($usec, $sec) = explode(" ", microtime());
+ $salt = (string)((float)$usec + (float)$sec);
+ }else{
+ $salt = (string)time();
+ }
+ $salt = (string)rand(10000, 99999) . $salt . (string)rand(10000, 99999);
+ return md5($salt);
+ }
+
+ private function _generate_fingerprint()
+ {
+ // server depending values
+ $fingerprint = ( isset($_SERVER['SERVER_SIGNATURE']) ) ? $_SERVER['SERVER_SIGNATURE'] : '2';
+ $fingerprint .= ( isset($_SERVER['SERVER_SOFTWARE']) ) ? $_SERVER['SERVER_SOFTWARE'] : '3';
+ $fingerprint .= ( isset($_SERVER['SERVER_NAME']) ) ? $_SERVER['SERVER_NAME'] : '5';
+ $fingerprint .= ( isset($_SERVER['SERVER_ADDR']) ) ? $_SERVER['SERVER_ADDR'] : '7';
+ $fingerprint .= ( isset($_SERVER['SERVER_PORT']) ) ? $_SERVER['SERVER_PORT'] : '11';
+ $fingerprint .= ( isset($_SERVER['SERVER_ADMIN']) ) ? $_SERVER['SERVER_ADMIN'] : '13';
+ $fingerprint .= PHP_VERSION;
+ // client depending values
+ $fingerprint .= ( isset($_SERVER['HTTP_ACCEPT']) ) ? $_SERVER['HTTP_ACCEPT'] : '17';
+ $fingerprint .= ( isset($_SERVER['HTTP_ACCEPT_CHARSET']) ) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : '19';
+ $fingerprint .= ( isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) ? $_SERVER['HTTP_ACCEPT_ENCODING'] : '23';
+ $fingerprint .= ( isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '29';
+ $fingerprint .= ( isset($_SERVER['HTTP_CONNECTION']) ) ? $_SERVER['HTTP_CONNECTION'] : '31';
+ $fingerprint .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '37';
+ $fingerprint .= ( isset($_SERVER['REMOTE_ADDR']) ) ? $_SERVER['REMOTE_ADDR'] : '41';
+ return md5($fingerprint);
+ }
+
+ private function _calcFtan($tanPart)
+ {
+ $ftan = md5($tanPart . $this->_fingerprint);
+ $name = substr($ftan, -(16 + hexdec($ftan[0])), 16);
+ $name[0] = dechex(10 + (hexdec($name[0]) % 5));
+ $value = substr($ftan, hexdec($ftan[strlen($ftan)-1]), 16);
+ return array( $name, $value);
+ }
+/*
+ * creates Formular transactionnumbers for unique use
+ * @access public
+ * @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default)
+ * false returns an array including FTAN0 and FTAN1
+ * @return mixed: array or string
+ *
+ * requirements: an active session must be available
+ */
+ final public function getFTAN( $as_tag = true)
+ {
+ if( $this->_FTAN == '')
+ { // if no FTAN exists, create new one from time and salt
+ $this->_FTAN = md5($this->_fingerprint.$this->_salt);
+ $_SESSION[$this->_ftan_name] = $this->_FTAN; // store FTAN into session
+ }
+ $ftan = $this->_calcFtan($this->_FTAN);
+ if($as_tag == true)
+ { // by default return a complete, hidden -tag
+ return '';
+ }else{ // return an array with raw FTAN0 and FTAN1
+ return array('FTAN0' => $ftan[0], 'FTAN1'=>$ftan[1]);
+ }
+ }
+
+/*
+ * checks received form-transactionnumbers against session-stored one
+ * @access public
+ * @param string $mode: requestmethode POST(default) or GET
+ * @return bool: true if numbers matches against stored ones
+ *
+ * requirements: an active session must be available
+ * this check will prevent from multiple sending a form. history.back() also will never work
+ */
+ final public function checkFTAN( $mode = 'POST')
+ {
+ $retval = false;
+ if(isset($_SESSION[$this->_ftan_name]) &&
+ (strlen($_SESSION[$this->_ftan_name]) == strlen(md5('dummy'))))
+ {
+ $ftan = $this->_calcFtan($_SESSION[$this->_ftan_name]);
+ unset($_SESSION[$this->_ftan_name]);
+ $mode = (strtoupper($mode) != 'POST' ? '_GET' : '_POST');
+ if( isset($GLOBALS[$mode][$ftan[0]]))
+ {
+ $retval = ($GLOBALS[$mode][$ftan[0]] == $ftan[1]);
+ unset($GLOBALS[$mode][$ftan[0]]);
+ }
+ }
+ return $retval;
+ }
+
+/*
+ * save values in session and returns a ID-key
+ * @access public
+ * @param mixed $value: the value for witch a key shall be generated and memorized
+ * @return string: a MD5-Key to use instead of the real value
+ *
+ * @requirements: an active session must be available
+ * @description: IDKEY can handle string/numeric/array - vars. Each key is a
+ */
+ final public function getIDKEY($value)
+ {
+ if( is_array($value) == true )
+ { // serialize value, if it's an array
+ $value = serialize($value);
+ }
+ // crypt value with salt into md5-hash
+ // and return a 16-digit block from random start position
+ $key = substr( md5($this->_salt.(string)$value), rand(0,15), 16);
+ do{ // loop while key/value isn't added
+ if( !array_key_exists($key, $this->_IDKEYs) )
+ { // the key is unique, so store it in list
+ $this->_IDKEYs[$key] = $value;
+ break;
+ }else {
+ // if key already exist, increment the last five digits until the key is unique
+ $key = substr($key, 0, -5).dechex(('0x'.substr($key, -5)) + 1);
+ }
+ }while(0);
+ // store key/value-pairs into session
+ $_SESSION[$this->_idkey_name] = $this->_IDKEYs;
+ return $key;
+ }
+
+/*
+ * search for key in session and returns the original value
+ * @access public
+ * @param string $fieldname: name of the POST/GET-Field containing the key or hex-key itself
+ * @param mixed $default: returnvalue if key not exist (default 0)
+ * @param string $request: requestmethode can be POST or GET or '' (default POST)
+ * @return mixed: the original value (string, numeric, array) or DEFAULT if request fails
+ *
+ * @requirements: an active session must be available
+ * @description: each IDKEY can be checked only once. Unused Keys stay in list until the
+ * session is destroyed.
+ */
+ final public function checkIDKEY( $fieldname, $default = 0, $request = 'POST' )
+ {
+ $return_value = $default; // set returnvalue to default
+ switch( strtoupper($request) )
+ {
+ case 'POST':
+ $key = isset($_POST[$fieldname]) ? $_POST[$fieldname] : $fieldname;
+ break;
+ case 'GET':
+ $key = isset($_GET[$fieldname]) ? $_GET[$fieldname] : $fieldname;
+ break;
+ default:
+ $key = $fieldname;
+ }
+ if( preg_match('/[0-9a-f]{16}$/', $key) )
+ { // key must be a 16-digit hexvalue
+ if( array_key_exists($key, $this->_IDKEYs))
+ { // check if key is stored in IDKEYs-list
+ $return_value = $this->_IDKEYs[$key]; // get stored value
+ unset($this->_IDKEYs[$key]); // remove from list to prevent multiuse
+ $_SESSION[$this->_idkey_name] = $this->_IDKEYs; // save modified list into session again
+ if( preg_match('/.*(?_IDKEYs = array('0'=>'0');
+ }
+}
Property changes on: branches/2.8.x/wb/framework/SecureForm.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/framework/class.wb.php
===================================================================
--- branches/2.8.x/wb/framework/class.wb.php (revision 1367)
+++ branches/2.8.x/wb/framework/class.wb.php (revision 1368)
@@ -24,7 +24,7 @@
// Include new wbmailer class (subclass of PHPmailer)
require_once(WB_PATH."/framework/class.wbmailer.php");
-require_once(WB_PATH."/framework/class.secureform.php");
+require_once(WB_PATH."/framework/SecureForm.php");
class wb extends SecureForm
{
@@ -331,7 +331,7 @@
/*
// Validate supplied email address
function validate_email($email) {
- if(function_exists('idn_to_ascii')){ // use pear if available
+ if(function_exists('idn_to_ascii')){ // use pear if available
$email = idn_to_ascii($email);
}else {
require_once(WB_PATH.'/include/idna_convert/idna_convert.class.php');
Index: branches/2.8.x/wb/framework/frontend.functions.php
===================================================================
--- branches/2.8.x/wb/framework/frontend.functions.php (revision 1367)
+++ branches/2.8.x/wb/framework/frontend.functions.php (revision 1368)
@@ -474,27 +474,29 @@
// gather information for all models embedded on actual page
$page_id = $wb->page_id;
- $query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections
- WHERE page_id=$page_id AND module<>'wysiwyg'");
+ $sql = 'SELECT `module` FROM `'.TABLE_PREFIX.'sections` ';
+ $sql .= 'WHERE `page_id` = '.(int)$page_id.' AND `module` <> \'wysiwyg\'';
+ if( ($query_modules = $database->query($sql)) )
+ {
+ while($row = $query_modules->fetchRow())
+ {
+ // check if page module directory contains a frontend_body.js file
+ if(file_exists(WB_PATH ."/modules/" .$row['module'] ."/$base_file"))
+ {
+ // create link with frontend_body.js source for the current module
+ $tmp_link = str_replace("{MODULE_DIRECTORY}", $row['module'], $base_link);
- while($row = $query_modules->fetchRow())
- {
- // check if page module directory contains a frontend_body.js file
- if(file_exists(WB_PATH ."/modules/" .$row['module'] ."/$base_file"))
- {
- // create link with frontend_body.js source for the current module
- $tmp_link = str_replace("{MODULE_DIRECTORY}", $row['module'], $base_link);
+ // define constant indicating that the register_frontent_files_body was invoked
+ if(!defined('MOD_FRONTEND_BODY_JAVASCRIPT_REGISTERED')) { define('MOD_FRONTEND_BODY_JAVASCRIPT_REGISTERED', true);}
- // define constant indicating that the register_frontent_files_body was invoked
- if(!defined('MOD_FRONTEND_BODY_JAVASCRIPT_REGISTERED')) { define('MOD_FRONTEND_BODY_JAVASCRIPT_REGISTERED', true);}
-
- // ensure that frontend_body.js is only added once per module type
- if(strpos($body_links, $tmp_link) === false)
- {
- $body_links .= $tmp_link;
- }
- }
- }
+ // ensure that frontend_body.js is only added once per module type
+ if(strpos($body_links, $tmp_link) === false)
+ {
+ $body_links .= $tmp_link;
+ }
+ }
+ }
+ }
}
print $body_links."\n"; ;
@@ -550,41 +552,43 @@
{
// gather information for all models embedded on actual page
$page_id = $wb->page_id;
- $query_modules = $database->query("SELECT module FROM " .TABLE_PREFIX ."sections
- WHERE page_id=$page_id AND module<>'wysiwyg'");
+ $sql = 'SELECT `module` FROM `'.TABLE_PREFIX.'sections` ';
+ $sql .= 'WHERE `page_id` = '.(int)$page_id.' AND `module` <> \'wysiwyg\'';
+ if( ($query_modules = $database->query($sql)) )
+ {
+ while($row = $query_modules->fetchRow())
+ {
+ // check if page module directory contains a frontend.js or frontend.css file
+ if(file_exists(WB_PATH ."/modules/" .$row['module'] ."/$base_file"))
+ {
+ // create link with frontend.js or frontend.css source for the current module
+ $tmp_link = str_replace("{MODULE_DIRECTORY}", $row['module'], $base_link);
- while($row = $query_modules->fetchRow())
- {
- // check if page module directory contains a frontend.js or frontend.css file
- if(file_exists(WB_PATH ."/modules/" .$row['module'] ."/$base_file"))
- {
- // create link with frontend.js or frontend.css source for the current module
- $tmp_link = str_replace("{MODULE_DIRECTORY}", $row['module'], $base_link);
-
- // define constant indicating that the register_frontent_files was invoked
- if($file_id == 'css')
- {
- if(!defined('MOD_FRONTEND_CSS_REGISTERED')) define('MOD_FRONTEND_CSS_REGISTERED', true);
- } else
- {
- if(!defined('MOD_FRONTEND_JAVASCRIPT_REGISTERED')) define('MOD_FRONTEND_JAVASCRIPT_REGISTERED', true);
- }
- // ensure that frontend.js or frontend.css is only added once per module type
- if(strpos($head_links, $tmp_link) === false)
- {
- $head_links .= $tmp_link."\n";
- }
- };
- }
- // include the Javascript email protection function
- if( $file_id != 'css' && file_exists(WB_PATH .'/modules/droplets/js/mdcr.js'))
- {
- $head_links .= ''."\n";
- }
- elseif( $file_id != 'css' && file_exists(WB_PATH .'/modules/output_filter/js/mdcr.js'))
- {
- $head_links .= ''."\n";
- }
+ // define constant indicating that the register_frontent_files was invoked
+ if($file_id == 'css')
+ {
+ if(!defined('MOD_FRONTEND_CSS_REGISTERED')) define('MOD_FRONTEND_CSS_REGISTERED', true);
+ } else
+ {
+ if(!defined('MOD_FRONTEND_JAVASCRIPT_REGISTERED')) define('MOD_FRONTEND_JAVASCRIPT_REGISTERED', true);
+ }
+ // ensure that frontend.js or frontend.css is only added once per module type
+ if(strpos($head_links, $tmp_link) === false)
+ {
+ $head_links .= $tmp_link."\n";
+ }
+ };
+ }
+ }
+ // include the Javascript email protection function
+ if( $file_id != 'css' && file_exists(WB_PATH .'/modules/droplets/js/mdcr.js'))
+ {
+ $head_links .= ''."\n";
+ }
+ elseif( $file_id != 'css' && file_exists(WB_PATH .'/modules/output_filter/js/mdcr.js'))
+ {
+ $head_links .= ''."\n";
+ }
}
print $head_links;
}