Index: branches/2.8.x/CHANGELOG =================================================================== --- branches/2.8.x/CHANGELOG (revision 2135) +++ branches/2.8.x/CHANGELOG (revision 2136) @@ -10,6 +10,9 @@ # = Bugfix ! = Update/Change =============================================================================== +22 Oct -2015 Build 2136 Manuela v.d.Decken(DarkViper) ++ class SecureTokens: as a replacement for former class SecureForm in SecureForm.php and SecureForm.mtab.php +! framework/initialize.php change bindings of SecureForm to SecureTokens 01 Sep -2015 Build 2135 Manuela v.d.Decken(DarkViper) ! class WbAdaptor: added values VarUrl/VarPath/VarRel for new var/ folder 01 Sep -2015 Build 2134 Manuela v.d.Decken(DarkViper) Index: branches/2.8.x/wb/admin/interface/version.php =================================================================== --- branches/2.8.x/wb/admin/interface/version.php (revision 2135) +++ branches/2.8.x/wb/admin/interface/version.php (revision 2136) @@ -51,5 +51,5 @@ // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) if(!defined('VERSION')) define('VERSION', '2.8.4'); -if(!defined('REVISION')) define('REVISION', '2135'); +if(!defined('REVISION')) define('REVISION', '2136'); if(!defined('SP')) define('SP', ''); Index: branches/2.8.x/wb/framework/initialize.php =================================================================== --- branches/2.8.x/wb/framework/initialize.php (revision 2135) +++ branches/2.8.x/wb/framework/initialize.php (revision 2136) @@ -256,6 +256,8 @@ if (defined('TABLE_PREFIX')) { /** TODO */ } // set system defaults date_default_timezone_set('UTC'); +// set internal character encoding to UTF-8 + mb_internal_encoding('UTF-8'); // initialize debug evaluation values --- $starttime = array_sum(explode(" ",microtime())); @@ -411,10 +413,6 @@ // extended wb editor settings if(!defined('EDIT_ONE_SECTION')) { define('EDIT_ONE_SECTION', false); } if(!defined('EDITOR_WIDTH')) { define('EDITOR_WIDTH', 0); } -// define form security class and preload it --- - $sSecMod = (defined('SECURE_FORM_MODULE') && SECURE_FORM_MODULE != '') ? '.'.SECURE_FORM_MODULE : ''; - $sSecMod = WB_PATH.'/framework/SecureForm'.$sSecMod.'.php'; - require_once($sSecMod); // *** begin deprecated part ************************************************************* // load settings for use in Captch and ASP module if (!defined('WB_INSTALL_PROCESS') && !defined('ENABLED_CAPTCHA')) { Index: branches/2.8.x/wb/framework/SecureTokens.php =================================================================== --- branches/2.8.x/wb/framework/SecureTokens.php (nonexistent) +++ branches/2.8.x/wb/framework/SecureTokens.php (revision 2136) @@ -0,0 +1,458 @@ +. + */ + +/** + * SecureTokens.php + * + * @category Core + * @package Core_Security + * @subpackage WB-2.8.4 and up + * @copyright Manuela v.d.Decken + * @author Manuela v.d.Decken + * @license http://www.gnu.org/licenses/gpl.html GPL License + * @ + * @version 0.1.2 + * @revision $Revision: $ + * @link $HeadURL: $ + * @lastmodified $Date: $ + * @since File available since 12.09.2015 + * @description + * This class is a replacement for the former class SecureForm using the SecureTokensInterface + * + * Settings for this class + * TYPE KONSTANTE REGISTY-VAR DEFAULTWERT + * boolean SEC_TOKEN_FINGERPRINT ($oReg->SecTokenFingerprint) [default=true] + * integer SEC_TOKEN_NETMASK4 ($oReg->SecTokenNetmask4) 0-255 [default=24] + * integer SEC_TOKEN_NETMASK6 ($oReg->SecTokenNetmask6) 0-128 [default=64] + * integer SEC_TOKEN_LIFE_TIME ($oReg->SecTokenLifeTime) 1800 | 2700 | 3600[default] | 7200 +*/ + +class SecureTokens +{ +/** character string for 64char encoding */ + const CHAR64 = 'Zabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZa'; +/** possible settings for TokenLifeTime in seconds */ + const LIFETIMES = [1800, 2700, 3600, 7200]; // seconds for 30min / 45min / 1h / 2h +/** lifetime in seconds to use in DEBUG mode if negative value is given (-1) */ + const DEBUG_LIFETIME = 300; + +/** array to hold all tokens from the session */ + private $aTokens = array( + 'default' => array('value' => 0, 'expire' => 0) + ); +/** the salt for this run */ + private $sSalt = ''; +/** fingerprint of the current connection */ + private $sFingerprint = ''; +/** the FTAN token which is valid for this run */ + private $aLastCreatedFtan = null; +/* --- settings for SecureTokens ------------------------------------------------------ */ +/** use fingerprinting to encode */ + private $bUseFingerprint = true; +/** maximum lifetime of a token in seconds */ + private $iTokenLifeTime = 1800; // 30min / 45min / 1h / 2h (default = 30min) +/** bit length of the IPv4 Netmask (0-32 // 0 = off default = 24) */ + private $iNetmaskLengthV4 = 0; +/** bit length of the IPv6 Netmask (0-128 // 0 = off default = 64) */ + private $iNetmaskLengthV6 = 0; + +/** + * constructor + * @param (void) + */ + protected function __construct() { + // load settings if available + $this->getSettings(); + // load array of tokens from session + $this->loadTokens(); + // at first of all remove expired tokens + $this->removeExpiredTokens(); + // generate salt for calculations in this run + $this->sSalt = $this->generateSalt(); + // generate fingerprint for the current connection + $this->sFingerprint = $this->buildFingerprint(); + } + +/** + * @param (void) + * @return integer + */ + public function getTokenLifeTime() + { + // return 5 seconds less then lifetime to compensate delay of transfer to the client + return $this->iTokenLifeTime - 5; + } +/** + * Dummy method for backward compatibility + * @return void + * @deprecated from WB-2.8.3-SP5 + */ + final public function createFTAN() { ; } // do nothing + +/** + * Dummy method for backward compatibility + * @return void + * @deprecated from WB-2.8.3-SP5 + */ + final public function clearIDKEY() { ; } // do nothing + +/** + * returns the current FTAN + * @param bool $mode: true or POST returns a complete prepared, hidden HTML-Input-Tag (default) + * false or GET returns an GET argument 'key=value' + * @return mixed: array or string + * @deprecated the param $mMode is set deprecated + * string retvals are set deprecated. From versions after 2.8.4 retval will be array only + */ + final public function getFTAN($mMode = 'POST') + { + if (is_null($this->aLastCreatedFtan)) { + $sFtan = md5($this->sSalt); + $this->aLastCreatedFtan = $this->addToken( + substr($sFtan, rand(0,15), 16), + substr($sFtan, rand(0,15), 16) + ); + } + $aFtan = $this->aTokens[$this->aLastCreatedFtan]; + $aFtan['name'] = $this->aLastCreatedFtan; + $aFtan['value'] = $this->encode64(md5($aFtan['value'].$this->sFingerprint)); + if (is_string($mMode)) { + $mMode = strtoupper($mMode); + } else { + $mMode = $mMode === true ? 'POST' : 'GET'; + } + switch ($mMode): + case 'POST': + return ''; + break; + case 'GET': + return $aFtan['name'].'='.$aFtan['value']; + break; + default: + return array('name' => $aFtan['name'], 'value' => $aFtan['value']); + endswitch; + } + +/** + * checks received form-transactionnumbers against session-stored one + * @param string $mode: requestmethode POST(default) or GET + * @return bool: true if numbers matches against stored ones + * + * requirements: an active session must be available + * this check will prevent from multiple sending a form. history.back() also will never work + */ + final public function checkFTAN($mMode = 'POST') + { + $bRetval = false; + // get the POST/GET arguments + $aArguments = (strtoupper($mMode) == 'POST' ? $_POST : $_GET); + // encode the value of all matching tokens + $aMatchingTokens = array_map( + function ($aToken) { + return $this->encode64(md5($aToken['value'].$this->sFingerprint)); + }, + // extract all matching tokens from $this->aTokens + array_intersect_key($this->aTokens, $aArguments) + ); + // extract all matching arguments from $aArguments + $aMatchingArguments = array_intersect_key($aArguments, $this->aTokens); + // get all tokens with matching values from match lists + $aHits = array_intersect($aMatchingTokens, $aMatchingArguments); + foreach ($aHits as $sTokenName => $sValue) { + $bRetval = true; + $this->removeToken($sTokenName); + } + return $bRetval; + } +/** + * store value in session and returns an accesskey to it + * @param mixed $mValue can be numeric, string or array + * @return string + */ + final public function getIDKEY($mValue) + { + if (is_array($mValue) == true) { + // serialize value, if it's an array + $mValue = serialize($mValue); + } + // crypt value with salt into md5-hash and return a 16-digit block from random start position + $sTokenName = $this->addToken( + substr(md5($this->sSalt.(string)$mValue), rand(0,15), 16), + $mValue + ); + return $sTokenName; + } + +/* + * search for key in session and returns the original value + * @param string $sFieldname: name of the POST/GET-Field containing the key or hex-key itself + * @param mixed $mDefault: returnvalue if key not exist (default 0) + * @param string $sRequest: requestmethode can be POST or GET or '' (default POST) + * @return mixed: the original value (string, numeric, array) or DEFAULT if request fails + * @description: each IDKEY can be checked only once. Unused Keys stay in list until they expire + */ + final public function checkIDKEY( $sFieldname, $mDefault = 0, $sRequest = 'POST' ) + { + $mReturnValue = $mDefault; // set returnvalue to default + $sRequest = strtoupper($sRequest); + switch ($sRequest) { + case 'POST': + case 'GET': + $sTokenName = @$GLOBALS['_'.$sRequest][$sFieldname] ?: $sFieldname; + break; + default: + $sTokenName = $sFieldname; + } + if (preg_match('/[0-9a-f]{16}$/i', $sTokenName)) { + // key must be a 16-digit hexvalue + if (array_key_exists($sTokenName, $this->aTokens)) { + // check if key is stored in IDKEYs-list + $mReturnValue = $this->aTokens[$sTokenName]['value']; // get stored value + $this->removeToken($sTokenName); // remove from list to prevent multiuse + if (preg_match('/.*(?aTokens = unserialize($_SESSION['TOKENS']); + } else { + $this->saveTokens(); + } + } + +/** + * save all tokens into session + */ + private function saveTokens() + { + $_SESSION['TOKENS'] = serialize($this->aTokens); + } + +/** + * add new token to the list + * @param string $sTokenName + * @param string $sValue + * @return string name(index) of the token + */ + private function addToken($sTokenName, $sValue) + { + $sTokenName = substr($sTokenName, 0, 16); + $sTokenName[0] = dechex(10 + (hexdec($sTokenName[0]) % 5)); + while (isset($this->aTokens[$sTokenName])) { + $sTokenName = sprintf('%16x', hexdec($sTokenName)+1); + } + $this->aTokens[$sTokenName] = array( + 'value' => $sValue, + 'expire' => time()+$this->iTokenLifeTime + ); + $this->saveTokens(); + return $sTokenName; + } + +/** + * remove the token, called sTokenName from list + * @param type $sTokenName + */ + private function removeToken($sTokenName) + { + if (isset($this->aTokens[$sTokenName])) { + unset($this->aTokens[$sTokenName]); + } + $this->saveTokens(); + } + +/** + * remove all expired tokens from list + */ + private function removeExpiredTokens() + { + $iTimestamp = time(); + foreach ($this->aTokens as $sTokenName => $aToken) { + if ($aToken['expire'] <= $iTimestamp && $aToken['expire'] != 0){ + unset($this->aTokens[$sTokenName]); + } + } + $this->saveTokens(); + } + +/** + * generate a runtime depended hash + * @return string md5 hash + */ + private function generateSalt() + { + list($fUsec, $fSec) = explode(" ", microtime()); + $sSalt = (string)rand(10000, 99999) + . (string)((float)$fUsec + (float)$fSec) + . (string)rand(10000, 99999); + return md5($sSalt); + } + +/** + * build a simple fingerprint + * @return string + */ + private function buildFingerprint() + { + if (!$this->bUseFingerprint) { return md5('dummy'); } + $sClientIp = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0'; + $sFingerprint = __FILE__.PHP_VERSION + . isset($_SERVER['SERVER_SIGNATURE']) ? $_SERVER['SERVER_SIGNATURE'] : 'unknown' + . isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'AGENT' + . $this->calcClientIpHash($sClientIp); + return md5($sFingerprint); + } + +/** + * mask IPv4 as well IPv6 addresses with netmask and make a md5 hash from + * @param string $sClientIp IP as string from $_SERVER['REMOTE_ADDR'] + * @return md5 value of masked ip + * @description this method does not accept the IPv6/IPv4 mixed format + * like "2222:3333:4444:5555:6666:7777:192.168.1.200" + */ + private function calcClientIpHash($sRawIp) + { + if (strpos($sRawIp, ':') === false) { + // calculate IPv4 + $iIpV4 = ip2long($sRawIp); + // calculate netmask + $iMask = ($this->iNetmaskLengthV4 < 1) + ? 0 + : bindec( + str_repeat('1', $this->iNetmaskLengthV4). + str_repeat('0', 32 - $this->iNetmaskLengthV4) + ); + // apply mask + $sIp = long2ip($iIpV4 & $iMask); + } else { + // sanitize IPv6 + $iWords = 8 - count(preg_split('/:/', $sRawIp, null, PREG_SPLIT_NO_EMPTY)); + $sReplacement = $iWords ? implode(':', array_fill(0, $iWords, '0000')) : ''; + $sClientIp = trim(preg_replace('/\:\:/', ':'.$sReplacement.':', $sRawIp), ':'); + $aIpV6 = array_map( + function($sPart) { + return str_pad($sPart, 4, '0', STR_PAD_LEFT); + }, + preg_split('/:/', $sClientIp) + ); + // calculate netmask + $iMask = $this->iNetmaskLengthV6; + if ($this->iNetmaskLengthV6 < 1) { + $aMask = array_fill(0, 8, str_repeat('0', 16)); + } else { + $aMask = str_split( + str_repeat('1', $this->iNetmaskLengthV6). + str_repeat('0', 128 - $this->iNetmaskLengthV6), + 16 + ); + } + // apply mask + array_walk( + $aIpV6, + function(&$sWord, $iIndex) use ($aMask) { + $sWord = sprintf('%04x', hexdec($sWord) & bindec($aMask[$iIndex])); + } + ); + $sIp = implode(':', $aIpV6); + } + return md5($sIp); // return the hash + } + +/** + * encode a hex string into a 64char based string + * @param string $sMd5Hash + * @return string + * @description reduce the 32char length of a MD5 to 21 chars + */ + private function encode64($sMd5Hash) + { + $sCharList = self::CHAR64; + $sBin = implode( + '', + array_map( + function($sPart) { + return sprintf('%032b', hexdec($sPart)); + }, + str_split($sMd5Hash, 8) + ) + ); + $sResult = implode( + '', + array_map( + function($sPart) use ($sCharList) { + $sPart = str_pad($sPart, 6, '0', STR_PAD_RIGHT); + return $sCharList[bindec($sPart)]; + }, + str_split($sBin, 6) + ) + ); + return $sResult; + } + +/** + * read settings if available + */ + private function getSettings() + { + $this->bUseFingerprint = isset($this->oReg->SecTokenFingerprint) + ? $this->oReg->SecTokenFingerprint + : $this->bUseFingerprint; + $this->iNetmaskLengthV4 = isset($this->oReg->SecTokenNetmask4) + ? $this->oReg->SecTokenNetmask4 + : $this->iNetmaskLengthV4; + $this->iNetmaskLengthV6 = isset($this->oReg->SecTokenNetmask6) + ? $this->oReg->SecTokenNetmask6 + : $this->iNetmaskLengthV6; + $this->iTokenLifeTime = isset($this->oReg->SecTokenLifeTime) + ? $this->oReg->SecTokenLifeTime + : $this->iTokenLifeTime; + $this->iNetmaskLengthV4 = ($this->iNetmaskLengthV4 < 1 || $this->iNetmaskLengthV4 > 32) + ? 0 :$this->iNetmaskLengthV4; + $this->iNetmaskLengthV6 = ($this->iNetmaskLengthV6 < 1 || $this->iNetmaskLengthV6 > 128) + ? 0 :$this->iNetmaskLengthV6; + $aLifeTimes = self::LIFETIMES; + sort($aLifeTimes); + if ($this->iTokenLifeTime < 0 && DEBUG) { + $this->iTokenLifeTime = self::DEBUG_LIFETIME; + } else { + $iRetval = array_pop($aLifeTimes); + foreach ($aLifeTimes as $iValue) { + if ($this->iTokenLifeTime <= $iValue) { + $iRetval = $iValue; + break; + } + } + $this->iTokenLifeTime = $iRetval; + } + + } + +} // end of class SecureTokens