Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 2138)
+++ branches/2.8.x/CHANGELOG	(revision 2139)
@@ -10,6 +10,8 @@
 # = Bugfix
 ! = Update/Change
 ===============================================================================
+10 Dec -2015 Build 2139 Manuela v.d.Decken(DarkViper)
+# class SecureTokens: ::buildFingerprint() fixed server identification an add protection of file SecureTokens.php
 05 Nov -2015 Build 2138 Manuela v.d.Decken(DarkViper)
 ! class SecureTokens: added handling of all kind of IPv6 notations
 30 Oct -2015 Build 2137 Manuela v.d.Decken(DarkViper)
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 2138)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 2139)
@@ -51,5 +51,5 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.4');
-if(!defined('REVISION')) define('REVISION', '2138');
+if(!defined('REVISION')) define('REVISION', '2139');
 if(!defined('SP')) define('SP', '');
Index: branches/2.8.x/wb/framework/SecureTokens.php
===================================================================
--- branches/2.8.x/wb/framework/SecureTokens.php	(revision 2138)
+++ branches/2.8.x/wb/framework/SecureTokens.php	(revision 2139)
@@ -62,13 +62,13 @@
         'default' => array('value' => 0, 'expire' => 0, 'instance' => 0)
     );
 /** the salt for this instance */
-    private $sSalt            = '';
+    private $sSalt             = '';
 /** fingerprint of the current connection */
-    private $sFingerprint     = '';
+    private $sFingerprint      = '';
 /** the FTAN token which is valid for this instance */
-    private $aLastCreatedFtan = null;
+    private $aLastCreatedFtan  = null;
 /** the time when tokens expired if they created in this instance */
-    private $iExpireTime      = 0;
+    private $iExpireTime       = 0;
 /** remove selected tokens only and update all others */
     private $bPreserveAllOtherTokens = false;
 /** id of the current instance */
@@ -79,13 +79,13 @@
     private $sInstanceToUpdate = null;
 /* --- settings for SecureTokens ------------------------------------------------------ */
 /** use fingerprinting to encode */
-    private $bUseFingerprint = true;
+    private $bUseFingerprint   = true;
 /** maximum lifetime of a token in seconds */
-    private $iTokenLifeTime   = 1800; // between LIFETIME_MIN and LIFETIME_MAX (default = 30min)
+    private $iTokenLifeTime    = 1800; // between LIFETIME_MIN and LIFETIME_MAX (default = 30min)
 /** bit length of the IPv4 Netmask (0-32 // 0 = off  default = 24) */
-    private $iNetmaskLengthV4 = 0;
+    private $iNetmaskLengthV4  = 0;
 /** bit length of the IPv6 Netmask (0-128 // 0 = off  default = 64) */
-    private $iNetmaskLengthV6 = 0;
+    private $iNetmaskLengthV6  = 0;
 
 /**
  * constructor
@@ -271,7 +271,7 @@
             default:
                 $sTokenName = $sFieldname;
         }
-        if (preg_match('/[0-9a-f]{16}$/i', $sTokenName)) {
+        if (preg_match('/^[0-9a-f]{16}$/i', $sTokenName)) {
         // key must be a 16-digit hexvalue
             if (array_key_exists($sTokenName, $this->aTokens)) {
             // check if key is stored in IDKEYs-list
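Review bot: In `/^[0-9a-f]{16}$/i` the `$` still matches before a trailing newline, so a 17-byte value ending in `\n` passes the "16-digit hexvalue" check. Use `\z` or the `D` modifier instead, e.g. `preg_match('/^[0-9a-f]{16}\z/i', $sTokenName)`. The `array_key_exists()` lookup that follows would presumably reject such a key, so the impact is likely limited to the format check being looser than its comment says. The enclosing method starts and ends outside the hunk.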
@@ -412,12 +412,13 @@
         }else if (array_key_exists('HTTP_CLIENT_IP', $_SERVER)) {
             $sClientIp = $_SERVER['HTTP_CLIENT_IP'];
         }
-        return
-            __FILE__.PHP_VERSION
-          . isset($_SERVER['SERVER_SIGNATURE']) ? $_SERVER['SERVER_SIGNATURE'] : 'unknown'
-          . isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'AGENT'
-          . $this->calcClientIpHash($sClientIp)
-        ;
+        $aTmp = array_chunk(stat(__FILE__), 11);
+        unset($aTmp[0][8]);
+        return md5(
+            __FILE__ . PHP_VERSION . implode('', $aTmp[0])
+            . (array_key_exists('HTTP_USER_AGENT', $_SERVER) ? $_SERVER['HTTP_USER_AGENT'] : 'AGENT')
+            . $this->calcClientIpHash($sClientIp)
+        );
     }
 
 /**
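Review bot: The result of `stat(__FILE__)` goes straight into `array_chunk()`, so a failed stat (it returns `false`) yields warnings or a type error instead of a fingerprint. The numeric slice `$aTmp[0]` with `unset($aTmp[0][8])` also hides which fields are hashed. Selecting fields by name is easier to audit, e.g. `$aStat = stat(__FILE__);` followed by `$sFileId = ($aStat === false) ? 'nostat' : $aStat['size'].$aStat['mtime'].$aStat['ctime'];`. The current slice also includes the device and inode numbers, which differ between nodes serving the same code, so a token issued on one node would presumably fail on another; a comment should say whether that is intended. `HTTP_USER_AGENT` and `HTTP_CLIENT_IP` are request headers, so that part of the fingerprint binds a token only to what the client sends; the function begins outside the hunk.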
@@ -449,13 +450,16 @@
             // check if IP includes a IPv4 part and convert this into IPv6 format
             $sPattern = '/^([:a-f0-9]*?)\:([0-9]{1,3}(?:\.[0-9]{1,3}){3})$/is';
             if (preg_match($sPattern, $sRawIp, $aMatches)) {
+                // convert IPv4 into full size 32bit binary string
                 $sIpV4Bin = str_pad((string)decbin(ip2long($aMatches[2])), 32, '0', STR_PAD_LEFT) ;
+                // split into 2 parts of 16bit
                 $aIpV6Hex = str_split($sIpV4Bin, 16);
+                // concate the IPv6/96 part and hex of both IPv4 parts
                 $sRawIp = $aMatches[1].':'.dechex(bindec($aIpV6Hex[0])).':'.dechex(bindec($aIpV6Hex[1]));
             }
-            // calculate number of missing words
+            // calculate number of missing IPv6 words
             $iWords = 8 - count(preg_split('/:/', $sRawIp, null, PREG_SPLIT_NO_EMPTY));
-            // build replacement for '::'
+            // build multiple ':0000:' replacements for '::'
             $sReplacement = $iWords ? implode(':', array_fill(0, $iWords, '0000')) : '';
             // insert replacements and remove trailing/leading ':'
             $sClientIp = trim(preg_replace('/\:\:/', ':'.$sReplacement.':', $sRawIp), ':');
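Review bot: `ip2long($aMatches[2])` is used unchecked on the line under the new "convert IPv4" comment, while the pattern accepts octets up to 999. For such input `ip2long()` returns `false`, and every malformed embedded IPv4 part then appears to collapse to the same all-zero value instead of being rejected. Consider `$iIpV4 = ip2long($aMatches[2]);` and skipping the conversion, or treating the address as invalid, when `$iIpV4 === false`. The new comment "concate the IPv6/96 part" would read better as "concatenate the IPv6 /96 prefix with the hex of both IPv4 halves". The enclosing function starts and ends outside the hunk.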
@@ -511,11 +515,11 @@
         $this->bUseFingerprint  = isset($this->oReg->SecTokenFingerprint)
                                   ? $this->oReg->SecTokenFingerprint
                                   : $this->bUseFingerprint;
-        $this->iNetmaskLengthV4 = isset($this->oReg->SecTokenNetmask4)
-                                  ? $this->oReg->SecTokenNetmask4
+        $this->iNetmaskLengthV4 = isset($this->oReg->SecTokenIpv4Netmask)
+                                  ? $this->oReg->SecTokenIpv4Netmask
                                   : $this->iNetmaskLengthV4;
-        $this->iNetmaskLengthV6 = isset($this->oReg->SecTokenNetmask6)
-                                  ? $this->oReg->SecTokenNetmask6
+        $this->iNetmaskLengthV6 = isset($this->oReg->SecTokenIpv6PrefixLength)
+                                  ? $this->oReg->SecTokenIpv6PrefixLength
                                   : $this->iNetmaskLengthV6;
         $this->iTokenLifeTime   = isset($this->oReg->SecTokenLifeTime)
                                   ? $this->oReg->SecTokenLifeTime
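Review bot: Renaming the registry keys to `SecTokenIpv4Netmask` and `SecTokenIpv6PrefixLength` with no fallback means an installation that still stores `SecTokenNetmask4` or `SecTokenNetmask6` silently gets the class default. The property declarations in this same diff set that default to `0`, which their comments describe as off, so IP binding of tokens would be disabled after the upgrade without notice. Unless a settings migration exists elsewhere, read the old key as a second choice, e.g. `: (isset($this->oReg->SecTokenNetmask4) ? $this->oReg->SecTokenNetmask4 : $this->iNetmaskLengthV4);` and likewise for the IPv6 setting. The values are also assigned as read; whether they are cast to int and clamped to 0-32 and 0-128 is not visible here, since the method continues outside the hunk.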
