Revision 2139
Added by darkviper almost 10 years ago
- class SecureTokens: ::buildFingerprint() fixed server identification and added protection of file SecureToken.php
| SecureTokens.php | ||
|---|---|---|
| 62 | 62 |
'default' => array('value' => 0, 'expire' => 0, 'instance' => 0)
|
| 63 | 63 |
); |
| 64 | 64 |
/** the salt for this instance */ |
| 65 |
private $sSalt = ''; |
|
| 65 |
private $sSalt = '';
|
|
| 66 | 66 |
/** fingerprint of the current connection */ |
| 67 |
private $sFingerprint = ''; |
|
| 67 |
private $sFingerprint = '';
|
|
| 68 | 68 |
/** the FTAN token which is valid for this instance */ |
| 69 |
private $aLastCreatedFtan = null; |
|
| 69 |
private $aLastCreatedFtan = null;
|
|
| 70 | 70 |
/** the time when tokens expired if they created in this instance */ |
| 71 |
private $iExpireTime = 0; |
|
| 71 |
private $iExpireTime = 0;
|
|
| 72 | 72 |
/** remove selected tokens only and update all others */ |
| 73 | 73 |
private $bPreserveAllOtherTokens = false; |
| 74 | 74 |
/** id of the current instance */ |
| ... | ... | |
| 79 | 79 |
private $sInstanceToUpdate = null; |
| 80 | 80 |
/* --- settings for SecureTokens ------------------------------------------------------ */ |
| 81 | 81 |
/** use fingerprinting to encode */ |
| 82 |
private $bUseFingerprint = true; |
|
| 82 |
private $bUseFingerprint = true;
|
|
| 83 | 83 |
/** maximum lifetime of a token in seconds */ |
| 84 |
private $iTokenLifeTime = 1800; // between LIFETIME_MIN and LIFETIME_MAX (default = 30min) |
|
| 84 |
private $iTokenLifeTime = 1800; // between LIFETIME_MIN and LIFETIME_MAX (default = 30min)
|
|
| 85 | 85 |
/** bit length of the IPv4 Netmask (0-32 // 0 = off default = 24) */ |
| 86 |
private $iNetmaskLengthV4 = 0; |
|
| 86 |
private $iNetmaskLengthV4 = 0;
|
|
| 87 | 87 |
/** bit length of the IPv6 Netmask (0-128 // 0 = off default = 64) */ |
| 88 |
private $iNetmaskLengthV6 = 0; |
|
| 88 |
private $iNetmaskLengthV6 = 0;
|
|
| 89 | 89 |
|
| 90 | 90 |
/** |
| 91 | 91 |
* constructor |
| ... | ... | |
| 271 | 271 |
default: |
| 272 | 272 |
$sTokenName = $sFieldname; |
| 273 | 273 |
} |
| 274 |
if (preg_match('/[0-9a-f]{16}$/i', $sTokenName)) {
|
|
| 274 |
if (preg_match('/^[0-9a-f]{16}$/i', $sTokenName)) {
|
|
| 275 | 275 |
// key must be a 16-digit hexvalue |
| 276 | 276 |
if (array_key_exists($sTokenName, $this->aTokens)) {
|
| 277 | 277 |
// check if key is stored in IDKEYs-list |
| ... | ... | |
| 412 | 412 |
}else if (array_key_exists('HTTP_CLIENT_IP', $_SERVER)) {
|
| 413 | 413 |
$sClientIp = $_SERVER['HTTP_CLIENT_IP']; |
| 414 | 414 |
} |
| 415 |
return |
|
| 416 |
__FILE__.PHP_VERSION |
|
| 417 |
. isset($_SERVER['SERVER_SIGNATURE']) ? $_SERVER['SERVER_SIGNATURE'] : 'unknown' |
|
| 418 |
. isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'AGENT' |
|
| 419 |
. $this->calcClientIpHash($sClientIp) |
|
| 420 |
; |
|
| 415 |
$aTmp = array_chunk(stat(__FILE__), 11); |
|
| 416 |
unset($aTmp[0][8]); |
|
| 417 |
return md5( |
|
| 418 |
__FILE__ . PHP_VERSION . implode('', $aTmp[0])
|
|
| 419 |
. (array_key_exists('HTTP_USER_AGENT', $_SERVER) ? $_SERVER['HTTP_USER_AGENT'] : 'AGENT')
|
|
| 420 |
. $this->calcClientIpHash($sClientIp) |
|
| 421 |
); |
|
| 421 | 422 |
} |
| 422 | 423 |
|
| 423 | 424 |
/** |
| ... | ... | |
| 449 | 450 |
// check if IP includes a IPv4 part and convert this into IPv6 format |
| 450 | 451 |
$sPattern = '/^([:a-f0-9]*?)\:([0-9]{1,3}(?:\.[0-9]{1,3}){3})$/is';
|
| 451 | 452 |
if (preg_match($sPattern, $sRawIp, $aMatches)) {
|
| 453 |
// convert IPv4 into full size 32bit binary string |
|
| 452 | 454 |
$sIpV4Bin = str_pad((string)decbin(ip2long($aMatches[2])), 32, '0', STR_PAD_LEFT) ; |
| 455 |
// split into 2 parts of 16bit |
|
| 453 | 456 |
$aIpV6Hex = str_split($sIpV4Bin, 16); |
| 457 |
// concate the IPv6/96 part and hex of both IPv4 parts |
|
| 454 | 458 |
$sRawIp = $aMatches[1].':'.dechex(bindec($aIpV6Hex[0])).':'.dechex(bindec($aIpV6Hex[1])); |
| 455 | 459 |
} |
| 456 |
// calculate number of missing words |
|
| 460 |
// calculate number of missing IPv6 words
|
|
| 457 | 461 |
$iWords = 8 - count(preg_split('/:/', $sRawIp, null, PREG_SPLIT_NO_EMPTY));
|
| 458 |
// build replacement for '::'
|
|
| 462 |
// build multiple ':0000:' replacements for '::'
|
|
| 459 | 463 |
$sReplacement = $iWords ? implode(':', array_fill(0, $iWords, '0000')) : '';
|
| 460 | 464 |
// insert replacements and remove trailing/leading ':' |
| 461 | 465 |
$sClientIp = trim(preg_replace('/\:\:/', ':'.$sReplacement.':', $sRawIp), ':');
|
| ... | ... | |
| 511 | 515 |
$this->bUseFingerprint = isset($this->oReg->SecTokenFingerprint) |
| 512 | 516 |
? $this->oReg->SecTokenFingerprint |
| 513 | 517 |
: $this->bUseFingerprint; |
| 514 |
$this->iNetmaskLengthV4 = isset($this->oReg->SecTokenNetmask4)
|
|
| 515 |
? $this->oReg->SecTokenNetmask4
|
|
| 518 |
$this->iNetmaskLengthV4 = isset($this->oReg->SecTokenIpv4Netmask)
|
|
| 519 |
? $this->oReg->SecTokenIpv4Netmask
|
|
| 516 | 520 |
: $this->iNetmaskLengthV4; |
| 517 |
$this->iNetmaskLengthV6 = isset($this->oReg->SecTokenNetmask6)
|
|
| 518 |
? $this->oReg->SecTokenNetmask6
|
|
| 521 |
$this->iNetmaskLengthV6 = isset($this->oReg->SecTokenIpv6PrefixLength)
|
|
| 522 |
? $this->oReg->SecTokenIpv6PrefixLength
|
|
| 519 | 523 |
: $this->iNetmaskLengthV6; |
| 520 | 524 |
$this->iTokenLifeTime = isset($this->oReg->SecTokenLifeTime) |
| 521 | 525 |
? $this->oReg->SecTokenLifeTime |
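Review bot: The new return in buildFingerprint (new lines 415-421) does not check the result of `stat(__FILE__)`; if it returns false, `array_chunk` fails and `$aTmp[0]` is undefined, so the fingerprint silently degrades to a value that no longer identifies the installed file. A guard such as `$aStat = stat(__FILE__); $aTmp = array_chunk($aStat === false ? array() : $aStat, 11);` followed by `isset($aTmp[0]) ? implode('', $aTmp[0]) : ''` in the concatenation keeps the behaviour explicit. The index arithmetic also deserves a comment, e.g. `// stat() indexes 0-10 (dev, ino, mode, nlink, uid, gid, rdev, size, atime, mtime, ctime); drop 8 = atime, which changes on every read and would invalidate tokens`. If the digest feeds token encoding, as the `$bUseFingerprint` doc "use fingerprinting to encode" suggests, `hash('sha256', ...)` is the better choice than `md5(...)`, provided no consumer depends on a 32-character value. The enclosing function begins before the hunk, and the same unchecked-return pattern does not appear elsewhere in this section.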