| 17 |
17 |
*/
|
| 18 |
18 |
## Heavy patched version, idea for patches based on :
|
| 19 |
19 |
## http://stackoverflow.com/questions/2695153/php-csrf-how-to-make-it-works-in-all-tabs/2695291#2695291
|
| 20 |
|
## Whith this patch the token System now allows for multiple browser tabs but
|
|
20 |
## Whith this patch the token System now allows for multiple browser tabs but
|
| 21 |
21 |
## denies the use of multiple browsers.
|
| 22 |
22 |
## You can configure this class by adding several constants to your config.php
|
| 23 |
|
## All Patches are Copyright Norbert Heimsath released under GPLv3
|
|
23 |
## All Patches are Copyright Norbert Heimsath released under GPLv3
|
| 24 |
24 |
## http://www.gnu.org/licenses/gpl.html
|
| 25 |
25 |
## Take a look at __construkt for configuration options(constants).
|
| 26 |
26 |
## Patch version 0.3.5
|
| 27 |
27 |
|
| 28 |
28 |
/**
|
|
29 |
*
|
| 29 |
30 |
* If you want some special configuration put this somewhere in your config.php for
|
| 30 |
31 |
* example or just uncomment the lines here
|
| 31 |
32 |
*
|
| ... | ... | |
| 44 |
45 |
* define ('WB_SECFORM_TOKENNAME','my3form3');
|
| 45 |
46 |
* how many blocks of the IP should be used in fingerprint 0=no ipcheck, possible values 0-4
|
| 46 |
47 |
* define ('FINGERPRINT_WITH_IP_OCTETS',2);
|
|
48 |
*
|
|
49 |
* Fixed IDKEY in Secureform 2012/08/27 by NorHey
|
|
50 |
*
|
|
51 |
* I still had problems whith Security warnings on pages that used alot of
|
|
52 |
* IDKEYS. For example if i tried to move a field in the basic form module
|
|
53 |
* i had one Warning on in about 15 atempts.
|
|
54 |
*
|
|
55 |
* Another Problem: unused old IDKEYS where never deleted so session got
|
|
56 |
* spammed by idkeys.
|
|
57 |
*
|
|
58 |
* So i made a more unique ID, recursive checking for overlapping ids,
|
|
59 |
* added a tiemout for IDKEYS (same as for FTAN) and added a page parameter
|
|
60 |
* to instantly delete all keys from a pagecall if one is used.
|
|
61 |
*
|
|
62 |
* Last thing i added is an additional parameter that allows the use of
|
|
63 |
* IDKEYS whith ajax scripts. If this setting is used, the key is not
|
|
64 |
* removed and can be used multiple times. (this is a small security risk
|
|
65 |
* but nothing compared to the 1 in 16 chance to guess the key that we had before.)
|
|
66 |
*
|
| 47 |
67 |
*/
|
|
68 |
|
| 48 |
69 |
/* -------------------------------------------------------- */
|
| 49 |
70 |
// Must include code to stop this file being accessed directly
|
| 50 |
71 |
if(!defined('WB_PATH')) {
|
| ... | ... | |
| 56 |
77 |
class SecureForm {
|
| 57 |
78 |
|
| 58 |
79 |
const FRONTEND = 0;
|
| 59 |
|
const BACKEND = 1;
|
|
80 |
const BACKEND = 1;
|
| 60 |
81 |
|
| 61 |
82 |
## additional private data
|
| 62 |
83 |
private $_secret = '5609bnefg93jmgi99igjefg';
|
| 63 |
|
private $_secrettime = 86400; #Approx. one day
|
|
84 |
private $_secrettime = 86400; #Approx. one day
|
| 64 |
85 |
private $_tokenname = 'formtoken';
|
| 65 |
|
private $_timeout = 7200;
|
|
86 |
private $_timeout = 7200;
|
| 66 |
87 |
private $_useipblocks = 2;
|
| 67 |
88 |
private $_usefingerprint = true;
|
|
89 |
private $_page_uid = "";
|
|
90 |
private $_page_id = "";
|
| 68 |
91 |
### additional private data
|
| 69 |
92 |
|
| 70 |
93 |
private $_FTAN = '';
|
| ... | ... | |
| 77 |
100 |
/* Construtor */
|
| 78 |
101 |
protected function __construct($mode = self::FRONTEND){
|
| 79 |
102 |
|
| 80 |
|
## additional constants and stuff for global configuration
|
|
103 |
// additional constants and stuff for global configuration
|
| 81 |
104 |
|
| 82 |
|
# Secret can contain anything its the base for the secret part of the hash
|
| 83 |
|
if (defined ('WB_SECFORM_SECRET')){
|
|
105 |
// Secret can contain anything its the base for the secret part of the hash
|
|
106 |
if (defined ('WB_SECFORM_SECRET')){
|
| 84 |
107 |
$this->_secret=WB_SECFORM_SECRET;
|
| 85 |
108 |
}
|
| 86 |
109 |
|
| 87 |
|
# shall we use fingerprinting
|
|
110 |
// shall we use fingerprinting
|
| 88 |
111 |
if (defined ('WB_SECFORM_USEFP') AND WB_SECFORM_USEFP===false){
|
| 89 |
112 |
$this->_usefingerprint = false;
|
| 90 |
113 |
}
|
| 91 |
114 |
|
| 92 |
|
# Timeout till the form token times out. Integer value between 0-86400 seconds (one day)
|
|
115 |
// Timeout till the form token times out. Integer value between 0-86400 seconds (one day)
|
| 93 |
116 |
if (defined ('WB_SECFORM_TIMEOUT') AND is_numeric(WB_SECFORM_TIMEOUT) AND intval(WB_SECFORM_TIMEOUT) >=0 AND intval(WB_SECFORM_TIMEOUT) <=86400 ){
|
| 94 |
117 |
$this->_timeout=intval(WB_SECFORM_TIMEOUT);
|
| 95 |
118 |
}
|
| 96 |
|
# Name for the token form element only alphanumerical string allowed that starts whith a charakter
|
|
119 |
// Name for the token form element only alphanumerical string allowed that starts whith a charakter
|
| 97 |
120 |
if (defined ('WB_SECFORM_TOKENNAME') AND !$this->_validate_alalnum(WB_SECFORM_TOKENNAME)){
|
| 98 |
121 |
$this->_tokenname=WB_SECFORM_TOKENNAME;
|
| 99 |
122 |
}
|
| 100 |
|
# how many bloks of the IP should be used 0=no ipcheck
|
|
123 |
// how many bloks of the IP should be used 0=no ipcheck
|
| 101 |
124 |
if (defined ('FINGERPRINT_WITH_IP_OCTETS') AND !$this->_is04(FINGERPRINT_WITH_IP_OCTETS)){
|
| 102 |
125 |
$this->_useipblocks=FINGERPRINT_WITH_IP_OCTETS;
|
| 103 |
126 |
}
|
| 104 |
|
## additional stuff end
|
|
127 |
|
|
128 |
// create a unique pageid for per page management of idkeys , especially
|
|
129 |
// to identify and delete unused ones from same page call.
|
|
130 |
$this->_page_uid = uniqid (rand(), true);
|
|
131 |
|
|
132 |
// additional stuff end
|
| 105 |
133 |
$this->_browser_fingerprint = $this->_browser_fingerprint(true);
|
| 106 |
134 |
$this->_fingerprint = $this->_generate_fingerprint();
|
| 107 |
135 |
$this->_serverdata = $this->_generate_serverdata();
|
| ... | ... | |
| 132 |
160 |
|
| 133 |
161 |
$secret .= $this->_secret.$this->_serverdata.session_id();
|
| 134 |
162 |
if ($this->_usefingerprint){$secret.= $this->_browser_fingerprint;}
|
| 135 |
|
|
|
163 |
|
| 136 |
164 |
return $secret;
|
| 137 |
165 |
}
|
| 138 |
166 |
|
| ... | ... | |
| 155 |
183 |
{
|
| 156 |
184 |
// server depending values
|
| 157 |
185 |
$fingerprint = $this->_generate_serverdata();
|
| 158 |
|
|
|
186 |
|
| 159 |
187 |
// client depending values
|
| 160 |
188 |
$fingerprint .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '17';
|
| 161 |
189 |
$usedOctets = ( defined('FINGERPRINT_WITH_IP_OCTETS') ) ? intval(defined('FINGERPRINT_WITH_IP_OCTETS')) : 0;
|
| ... | ... | |
| 192 |
220 |
return $serverdata;
|
| 193 |
221 |
}
|
| 194 |
222 |
|
| 195 |
|
// fake funktion , just exits to avoid error message
|
|
223 |
// fake funktion , just exits to avoid error message
|
| 196 |
224 |
final protected function createFTAN(){}
|
| 197 |
225 |
|
| 198 |
226 |
/*
|
| ... | ... | |
| 261 |
289 |
*
|
| 262 |
290 |
* @requirements: an active session must be available
|
| 263 |
291 |
* @description: IDKEY can handle string/numeric/array - vars. Each key is a
|
|
292 |
* shortened md5 String
|
| 264 |
293 |
*/
|
| 265 |
|
final public function getIDKEY($value)
|
| 266 |
|
{
|
| 267 |
|
if( is_array($value) == true )
|
| 268 |
|
{ // serialize value, if it's an array
|
| 269 |
|
$value = serialize($value);
|
|
294 |
final public function getIDKEY($value) {
|
|
295 |
|
|
296 |
|
|
297 |
// serialize value, if it's an array
|
|
298 |
if( is_array($value) == true ) $value = serialize($value);
|
|
299 |
|
|
300 |
// cryptsome random stuff with salt into md5-hash
|
|
301 |
$key = md5($this->_salt.rand().uniqid('', true));
|
|
302 |
|
|
303 |
//shorten hash a bit
|
|
304 |
$key = str_replace(array("=","$","+"),array("-","_",""),base64_encode(pack('H*',$key)));
|
|
305 |
|
|
306 |
// the key is unique, so store it in list
|
|
307 |
if( !array_key_exists($key, $_SESSION[$this->_idkey_name])) {
|
|
308 |
$_SESSION[$this->_idkey_name][$key]['value'] = $value;
|
|
309 |
$_SESSION[$this->_idkey_name][$key]['time'] = time();
|
|
310 |
$_SESSION[$this->_idkey_name][$key]['page'] = $this->_page_uid;
|
| 270 |
311 |
}
|
| 271 |
|
// crypt value with salt into md5-hash
|
| 272 |
|
// and return a 16-digit block from random start position
|
| 273 |
|
$key = substr( md5($this->_salt.(string)$value), rand(0,15), 16);
|
| 274 |
|
do{ // loop while key/value isn't added
|
| 275 |
|
if( !array_key_exists($key, $this->_IDKEYs) )
|
| 276 |
|
{ // the key is unique, so store it in list
|
| 277 |
|
$this->_IDKEYs[$key] = $value;
|
| 278 |
|
break;
|
| 279 |
|
}else {
|
| 280 |
|
// if key already exist, increment the last five digits until the key is unique
|
| 281 |
|
$key = substr($key, 0, -5).dechex(('0x'.substr($key, -5)) + 1);
|
| 282 |
|
}
|
| 283 |
|
}while(0);
|
| 284 |
|
// store key/value-pairs into session
|
| 285 |
|
$_SESSION[$this->_idkey_name] = $this->_IDKEYs;
|
|
312 |
// if key already exist, try again, dont store as it already been stored
|
|
313 |
else $key = $this->getIDKEY($value);
|
|
314 |
|
| 286 |
315 |
return $key;
|
| 287 |
316 |
}
|
| 288 |
317 |
|
| ... | ... | |
| 298 |
327 |
* @description: each IDKEY can be checked only once. Unused Keys stay in list until the
|
| 299 |
328 |
* session is destroyed.
|
| 300 |
329 |
*/
|
| 301 |
|
final public function checkIDKEY( $fieldname, $default = 0, $request = 'POST' )
|
|
330 |
final public function checkIDKEY( $fieldname, $default = 0, $request = 'POST', $ajax=false)
|
| 302 |
331 |
{
|
|
332 |
//Remove timed out idkeys
|
|
333 |
$_SESSION[$this->_idkey_name]= array_filter( $_SESSION[$this->_idkey_name],array($this, "_timedout"));
|
|
334 |
|
|
335 |
|
| 303 |
336 |
$return_value = $default; // set returnvalue to default
|
| 304 |
337 |
switch( strtoupper($request) )
|
| 305 |
338 |
{
|
| ... | ... | |
| 312 |
345 |
default:
|
| 313 |
346 |
$key = $fieldname;
|
| 314 |
347 |
}
|
| 315 |
|
if( preg_match('/[0-9a-f]{16}$/', $key) )
|
| 316 |
|
{ // key must be a 16-digit hexvalue
|
| 317 |
|
if( array_key_exists($key, $this->_IDKEYs))
|
| 318 |
|
{ // check if key is stored in IDKEYs-list
|
| 319 |
|
$return_value = $this->_IDKEYs[$key]; // get stored value
|
| 320 |
|
unset($this->_IDKEYs[$key]); // remove from list to prevent multiuse
|
| 321 |
|
$_SESSION[$this->_idkey_name] = $this->_IDKEYs; // save modified list into session again
|
|
348 |
if( preg_match('/[0-9a-zA-Z\-\_]{1,32}$/', $key) ) { // key must match the generated ones
|
|
349 |
if( array_key_exists($key, $_SESSION[$this->_idkey_name])) { // check if key is stored in IDKEYs-list
|
|
350 |
$return_value = $_SESSION[$this->_idkey_name][$key]['value']; // get stored value
|
|
351 |
$this->_page_id = $_SESSION[$this->_idkey_name][$key]['page'];
|
|
352 |
|
|
353 |
if ($ajax === false) {
|
|
354 |
//Remove all keys from this page to prevent multiuse and session mem usage
|
|
355 |
$_SESSION[$this->_idkey_name]= array_filter( $_SESSION[$this->_idkey_name],array($this, "_fpages"));
|
|
356 |
//unset($_SESSION[$this->_idkey_name][$key]); // remove from list to prevent multiuse
|
|
357 |
}
|
| 322 |
358 |
if( preg_match('/.*(?<!\{).*(\d:\{.*;\}).*(?!\}).*/', $return_value) )
|
| 323 |
359 |
{ // if value is a serialized array, then deserialize it
|
| 324 |
360 |
$return_value = unserialize($return_value);
|
| 325 |
361 |
}
|
| 326 |
362 |
}
|
| 327 |
363 |
}
|
|
364 |
|
| 328 |
365 |
return $return_value;
|
| 329 |
366 |
}
|
| 330 |
367 |
|
|
368 |
private function _timedout( $var ) {
|
|
369 |
if ($var['time'] < time()-$this->_timeout) return false;
|
|
370 |
return true;
|
|
371 |
}
|
|
372 |
private function _fpages( $var ) {
|
|
373 |
if ($var['page'] == $this->_page_id) return false;
|
|
374 |
return true;
|
|
375 |
}
|
|
376 |
|
| 331 |
377 |
/* @access public
|
| 332 |
378 |
* @return void
|
| 333 |
379 |
*
|
| ... | ... | |
| 345 |
391 |
## all are Copyright Norbert Heimsath, heimsath.org
|
| 346 |
392 |
## released under GPLv3 http://www.gnu.org/licenses/gpl.html
|
| 347 |
393 |
|
| 348 |
|
/* Made because ctype_ gives strange results using mb Strings*/
|
|
394 |
/* Made because ctype_ gives strange results using mb Strings*/
|
| 349 |
395 |
private function _validate_alalnum($input){
|
| 350 |
|
# alphanumerical string that starts whith a letter charakter
|
|
396 |
# alphanumerical string that starts whith a letter charakter
|
| 351 |
397 |
if (preg_match('/^[a-zA-Z][0-9a-zA-Z]+$/u', $input))
|
| 352 |
398 |
{return false;}
|
| 353 |
|
|
|
399 |
|
| 354 |
400 |
return "The given input is not an alphanumeric string.";
|
| 355 |
|
}
|
|
401 |
}
|
| 356 |
402 |
|
| 357 |
403 |
private function _is04($input){
|
| 358 |
404 |
# integer value between 0-4
|
| 359 |
405 |
if (preg_match('/^[0-4]$/', $input)) {return false;}
|
| 360 |
|
|
|
406 |
|
| 361 |
407 |
return "The given input is not an alphanumeric string.";
|
| 362 |
|
}
|
|
408 |
}
|
| 363 |
409 |
|
| 364 |
410 |
|
| 365 |
411 |
private function _getip($ipblocks=4){
|
| ... | ... | |
| 368 |
414 |
*/
|
| 369 |
415 |
$ip = ""; //Ip address result
|
| 370 |
416 |
$cutip = ""; //Ip address cut to limit
|
| 371 |
|
|
| 372 |
|
# mabe user is behind a Proxy but we need his real ip address if we got a nice Proxyserver,
|
|
417 |
|
|
418 |
# mabe user is behind a Proxy but we need his real ip address if we got a nice Proxyserver,
|
| 373 |
419 |
# it sends us the "HTTP_X_FORWARDED_FOR" Header. Sometimes there is more than one Proxy.
|
| 374 |
420 |
# !!!!!! THIS PART WAS NEVER TESTED BECAUSE I ONLY GOT A DIRECT INTERNET CONNECTION !!!!!!
|
| 375 |
421 |
# long2ip(ip2long($lastip)) makes sure we got nothing else than an ip into our script ;-)
|
| ... | ... | |
| 380 |
426 |
$lastip = array_pop($iplist);
|
| 381 |
427 |
$ip.= long2ip(ip2long($lastip));
|
| 382 |
428 |
}
|
| 383 |
|
|
|
429 |
|
| 384 |
430 |
/* If theres no other supported info we just use REMOTE_ADDR
|
| 385 |
431 |
If we have a fiendly proxy supporting HTTP_X_FORWARDED_FOR its ok to use the full address.
|
| 386 |
|
But if there is no HTTP_X_FORWARDED_FOR we can not be sure if its a proxy or whatever, so we use the
|
| 387 |
|
blocklimit for IP address.
|
|
432 |
But if there is no HTTP_X_FORWARDED_FOR we can not be sure if its a proxy or whatever, so we use the
|
|
433 |
blocklimit for IP address.
|
| 388 |
434 |
*/
|
| 389 |
|
else
|
|
435 |
else
|
| 390 |
436 |
{
|
| 391 |
437 |
$ip = long2ip(ip2long($_SERVER['REMOTE_ADDR']));
|
| 392 |
|
|
|
438 |
|
| 393 |
439 |
# ipblocks used here defines how many blocks of the ip adress are checked xxx.xxx.xxx.xxx
|
| 394 |
440 |
$blocks = explode('.', $ip);
|
| 395 |
441 |
for ($i=0; $i<$ipblocks; $i++){
|
| ... | ... | |
| 397 |
443 |
}
|
| 398 |
444 |
$ip=substr($cutip, 0, -1);
|
| 399 |
445 |
}
|
| 400 |
|
|
|
446 |
|
| 401 |
447 |
return $ip;
|
| 402 |
448 |
}
|
| 403 |
|
|
|
449 |
|
| 404 |
450 |
private function _browser_fingerprint($encode=true,$fpsalt="My Fingerprint: "){
|
| 405 |
451 |
/*
|
| 406 |
452 |
Creates a basic Browser Fingerprint for securing the session and forms.
|
| 407 |
453 |
*/
|
| 408 |
|
|
|
454 |
|
| 409 |
455 |
$fingerprint=$fpsalt;
|
| 410 |
456 |
if (isset($_SERVER['HTTP_USER_AGENT'])){ $fingerprint .= $_SERVER['HTTP_USER_AGENT'];}
|
| 411 |
457 |
if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];}
|
| 412 |
458 |
if (isset($_SERVER['HTTP_ACCEPT_ENCODING'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_ENCODING'];}
|
| 413 |
459 |
if (isset($_SERVER['HTTP_ACCEPT_CHARSET'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_CHARSET'];}
|
| 414 |
|
|
|
460 |
|
| 415 |
461 |
$fingerprint.= $this->_getip($this->_useipblocks);
|
| 416 |
|
|
|
462 |
|
| 417 |
463 |
if ($encode){$fingerprint=md5($fingerprint);}
|
| 418 |
|
|
|
464 |
|
| 419 |
465 |
return $fingerprint;
|
| 420 |
466 |
}
|
| 421 |
467 |
##
|
| 422 |
468 |
## additional Functions END
|
| 423 |
469 |
##
|
| 424 |
|
}
|
|
470 |
}
|
! Fixed IDKEY in Secureform.mtab to solve issues whith Security warnings
! on pages that used a lot of IDKEYS. (fixed by NorHei)