Index: branches/2.8.x/CHANGELOG =================================================================== --- branches/2.8.x/CHANGELOG (revision 2137) +++ branches/2.8.x/CHANGELOG (revision 2138) @@ -10,6 +10,8 @@ # = Bugfix ! = Update/Change =============================================================================== +05 Nov -2015 Build 2138 Manuela v.d.Decken(DarkViper) +! class SecureTokens: added handling of all kind of IPv6 notations 30 Oct -2015 Build 2137 Manuela v.d.Decken(DarkViper) ! class SecureTokens: added easy handling of service requests on checkFTAN()/checkIDKEY() 22 Oct -2015 Build 2136 Manuela v.d.Decken(DarkViper) Index: branches/2.8.x/wb/admin/interface/version.php =================================================================== --- branches/2.8.x/wb/admin/interface/version.php (revision 2137) +++ branches/2.8.x/wb/admin/interface/version.php (revision 2138) @@ -51,5 +51,5 @@ // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) if(!defined('VERSION')) define('VERSION', '2.8.4'); -if(!defined('REVISION')) define('REVISION', '2137'); +if(!defined('REVISION')) define('REVISION', '2138'); if(!defined('SP')) define('SP', ''); Index: branches/2.8.x/wb/framework/SecureTokens.php =================================================================== --- branches/2.8.x/wb/framework/SecureTokens.php (revision 2137) +++ branches/2.8.x/wb/framework/SecureTokens.php (revision 2138) @@ -36,11 +36,11 @@ * This class is a replacement for the former class SecureForm using the SecureTokensInterface * * Settings for this class - * TYPE KONSTANTE REGISTY-VAR DEFAULTWERT - * boolean SEC_TOKEN_FINGERPRINT ($oReg->SecTokenFingerprint) [default=true] - * integer SEC_TOKEN_NETMASK4 ($oReg->SecTokenNetmask4) 0-255 [default=24] - * integer SEC_TOKEN_NETMASK6 ($oReg->SecTokenNetmask6) 0-128 [default=64] - * integer SEC_TOKEN_LIFE_TIME ($oReg->SecTokenLifeTime) 1800 | 2700 | 3600[default] | 7200 + * TYPE KONSTANTE REGISTY-VAR DEFAULTWERT + * boolean SEC_TOKEN_FINGERPRINT ($oReg->SecTokenFingerprint) [default=true] + * integer SEC_TOKEN_IPV4_NETMASK ($oReg->SecTokenIpv4Netmask) 0-255 [default=24] + * integer SEC_TOKEN_IPV6_PREFIX_LENGTH ($oReg->SecTokenIpv6PrefixLength) 0-128 [default=64] + * integer SEC_TOKEN_LIFE_TIME ($oReg->SecTokenLifeTime) 1800 | 2700 | 3600[default] | 7200 */ class SecureTokens @@ -102,7 +102,7 @@ // define the expiretime for this instance $this->iExpireTime = time() + $this->iTokenLifeTime; // calculate the instance id for this instance - $this->sCurrentInstance = $this->encode64(md5($this->iExpireTime.$this->sSalt)); + $this->sCurrentInstance = $this->encodeHash(md5($this->iExpireTime.$this->sSalt)); // load array of tokens from session $this->loadTokens(); // at first of all remove expired tokens @@ -144,7 +144,10 @@ * @return void * @deprecated from WB-2.8.3-SP5 */ - final public function createFTAN() { ; } // do nothing + final public function createFTAN() + { + trigger_error('Deprecated function call: '.__CLASS__.'::'.__METHOD__, E_USER_DEPRECATED); + } // do nothing /** * Dummy method for backward compatibility @@ -151,7 +154,10 @@ * @return void * @deprecated from WB-2.8.3-SP5 */ - final public function clearIDKEY() { ; } // do nothing + final public function clearIDKEY() + { + trigger_error('Deprecated function call: '.__CLASS__.'::'.__METHOD__, E_USER_DEPRECATED); + } // do nothing /** * returns the current FTAN @@ -172,7 +178,7 @@ } $aFtan = $this->aTokens[$this->aLastCreatedFtan]; $aFtan['name'] = $this->aLastCreatedFtan; - $aFtan['value'] = $this->encode64(md5($aFtan['value'].$this->sFingerprint)); + $aFtan['value'] = $this->encodeHash(md5($aFtan['value'].$this->sFingerprint)); if (is_string($mMode)) { $mMode = strtoupper($mMode); } else { @@ -209,7 +215,7 @@ // encode the value of all matching tokens $aMatchingTokens = array_map( function ($aToken) { - return $this->encode64(md5($aToken['value'].$this->sFingerprint)); + return $this->encodeHash(md5($aToken['value'].$this->sFingerprint)); }, // extract all matching tokens from $this->aTokens array_intersect_key($this->aTokens, $aArguments) @@ -352,7 +358,12 @@ { if (isset($this->aTokens[$sTokenName])) { if ($this->bPreserveAllOtherTokens) { - $this->sInstanceToUpdate = $this->aTokens[$sTokenName]['instance']; + if ($this->sInstanceToDelete) { + $this->sInstanceToUpdate = $this->sInstanceToDelete; + $this->sInstanceToDelete = null; + } else { + $this->sInstanceToUpdate = $this->aTokens[$sTokenName]['instance']; + } } else { $this->sInstanceToDelete = $this->aTokens[$sTokenName]['instance']; } @@ -392,7 +403,7 @@ */ private function buildFingerprint() { - if (!$this->bUseFingerprint) { return md5('dummy'); } + if (!$this->bUseFingerprint) { return md5('this_is_a_dummy_only'); } $sClientIp = '127.0.0.1'; if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)){ $sClientIp = array_pop(preg_split('/\s*?,\s*?/', $_SERVER['HTTP_X_FORWARDED_FOR'], null, PREG_SPLIT_NO_EMPTY)); @@ -401,11 +412,12 @@ }else if (array_key_exists('HTTP_CLIENT_IP', $_SERVER)) { $sClientIp = $_SERVER['HTTP_CLIENT_IP']; } - $sFingerprint = __FILE__.PHP_VERSION - . isset($_SERVER['SERVER_SIGNATURE']) ? $_SERVER['SERVER_SIGNATURE'] : 'unknown' - . isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'AGENT' - . $this->calcClientIpHash($sClientIp); - return md5($sFingerprint); + return + __FILE__.PHP_VERSION + . isset($_SERVER['SERVER_SIGNATURE']) ? $_SERVER['SERVER_SIGNATURE'] : 'unknown' + . isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'AGENT' + . $this->calcClientIpHash($sClientIp) + ; } /** @@ -417,10 +429,13 @@ */ private function calcClientIpHash($sRawIp) { + // clean address from netmask/prefix and port + $sPattern = '/^\[?([.:a-f0-9]*)(?:\/[0-1]*)?(?:\]?.*)$/im'; + $sRawIp = preg_replace($sPattern, '$1', $sRawIp); if (strpos($sRawIp, ':') === false) { - // calculate IPv4 +// sanitize IPv4 ---------------------------------------------------------------------- // $iIpV4 = ip2long($sRawIp); - // calculate netmask + // calculate netmask $iMask = ($this->iNetmaskLengthV4 < 1) ? 0 : bindec( @@ -427,21 +442,33 @@ str_repeat('1', $this->iNetmaskLengthV4). str_repeat('0', 32 - $this->iNetmaskLengthV4) ); - // apply mask + // apply mask and reformat to IPv4 string notation. $sIp = long2ip($iIpV4 & $iMask); } else { - // sanitize IPv6 +// sanitize IPv6 ---------------------------------------------------------------------- // + // check if IP includes a IPv4 part and convert this into IPv6 format + $sPattern = '/^([:a-f0-9]*?)\:([0-9]{1,3}(?:\.[0-9]{1,3}){3})$/is'; + if (preg_match($sPattern, $sRawIp, $aMatches)) { + $sIpV4Bin = str_pad((string)decbin(ip2long($aMatches[2])), 32, '0', STR_PAD_LEFT) ; + $aIpV6Hex = str_split($sIpV4Bin, 16); + $sRawIp = $aMatches[1].':'.dechex(bindec($aIpV6Hex[0])).':'.dechex(bindec($aIpV6Hex[1])); + } + // calculate number of missing words $iWords = 8 - count(preg_split('/:/', $sRawIp, null, PREG_SPLIT_NO_EMPTY)); + // build replacement for '::' $sReplacement = $iWords ? implode(':', array_fill(0, $iWords, '0000')) : ''; + // insert replacements and remove trailing/leading ':' $sClientIp = trim(preg_replace('/\:\:/', ':'.$sReplacement.':', $sRawIp), ':'); + // split all 8 parts from IP into an array $aIpV6 = array_map( function($sPart) { + // expand all parts to 4 hex digits using leading '0' return str_pad($sPart, 4, '0', STR_PAD_LEFT); }, preg_split('/:/', $sClientIp) ); - // calculate netmask - $iMask = $this->iNetmaskLengthV6; + // build binary netmask from iNetmaskLengthV6 + // and split all 8 parts into an array if ($this->iNetmaskLengthV6 < 1) { $aMask = array_fill(0, 8, str_repeat('0', 16)); } else { @@ -451,7 +478,7 @@ 16 ); } - // apply mask + // iterate all IP parts, apply its mask and reformat to IPv6 string notation. array_walk( $aIpV6, function(&$sWord, $iIndex) use ($aMask) { @@ -458,9 +485,11 @@ $sWord = sprintf('%04x', hexdec($sWord) & bindec($aMask[$iIndex])); } ); + // reformat to IPv6 string notation. $sIp = implode(':', $aIpV6); +// ------------------------------------------------------------------------------------ // } - return md5($sIp); // return the hash + return md5($sIp); // return the hashed IP string } /** @@ -469,7 +498,7 @@ * @return string * @description reduce the 32char length of a MD5 to 22 chars */ - private function encode64($sMd5Hash) + private function encodeHash($sMd5Hash) { return rtrim(base64_encode(pack('h*',$sMd5Hash)), '+-= '); } @@ -479,35 +508,18 @@ */ private function getSettings() { - if (!class_exists('WbAdaptor', false)) { - // for WB before 2.8.4 - $this->bUseFingerprint = defined('SEC_TOKEN_FINGERPRINT') - ? SEC_TOKEN_FINGERPRINT - : $this->bUseFingerprint; - $this->iNetmaskLengthV4 = defined('SEC_TOKEN_NETMASK4') - ? SEC_TOKEN_NETMASK4 - : $this->iNetmaskLengthV4; - $this->iNetmaskLengthV6 = defined('SEC_TOKEN_NETMASK6') - ? SEC_TOKEN_NETMASK6 - : $this->iNetmaskLengthV6; - $this->iTokenLifeTime = defined('SEC_TOKEN_LIFE_TIME') - ? SEC_TOKEN_LIFE_TIME - : $this->iTokenLifeTime; - } else { - // for WB from 2.8.4 and up - $this->bUseFingerprint = isset($this->oReg->SecTokenFingerprint) - ? $this->oReg->SecTokenFingerprint - : $this->bUseFingerprint; - $this->iNetmaskLengthV4 = isset($this->oReg->SecTokenNetmask4) - ? $this->oReg->SecTokenNetmask4 - : $this->iNetmaskLengthV4; - $this->iNetmaskLengthV6 = isset($this->oReg->SecTokenNetmask6) - ? $this->oReg->SecTokenNetmask6 - : $this->iNetmaskLengthV6; - $this->iTokenLifeTime = isset($this->oReg->SecTokenLifeTime) - ? $this->oReg->SecTokenLifeTime - : $this->iTokenLifeTime; - } + $this->bUseFingerprint = isset($this->oReg->SecTokenFingerprint) + ? $this->oReg->SecTokenFingerprint + : $this->bUseFingerprint; + $this->iNetmaskLengthV4 = isset($this->oReg->SecTokenNetmask4) + ? $this->oReg->SecTokenNetmask4 + : $this->iNetmaskLengthV4; + $this->iNetmaskLengthV6 = isset($this->oReg->SecTokenNetmask6) + ? $this->oReg->SecTokenNetmask6 + : $this->iNetmaskLengthV6; + $this->iTokenLifeTime = isset($this->oReg->SecTokenLifeTime) + ? $this->oReg->SecTokenLifeTime + : $this->iTokenLifeTime; $this->iNetmaskLengthV4 = ($this->iNetmaskLengthV4 < 1 || $this->iNetmaskLengthV4 > 32) ? 0 :$this->iNetmaskLengthV4; $this->iNetmaskLengthV6 = ($this->iNetmaskLengthV6 < 1 || $this->iNetmaskLengthV6 > 128)