1 <?php
// Refuse direct requests: XOOPS_ROOT_PATH must already be defined by the
// code that included this file, otherwise stop before declaring anything.
if (!defined('XOOPS_ROOT_PATH')) {
    die('Restricted access');
}
20 
22 {
23  var $errors = array();
24 
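/**
 * Constructor.
 *
 * Nothing to initialise: the only state is the $errors array declared on
 * the class. A real __construct() is provided so PHP 7+ does not treat the
 * class as relying on a deprecated PHP4-style constructor (removed in PHP 8).
 */
function __construct()
{
}

/**
 * Legacy PHP4-style constructor, kept so code that calls
 * XoopsSecurity::XoopsSecurity() explicitly keeps working.
 */
function XoopsSecurity()
{
    $this->__construct();
}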
32 
/**
 * Validate a CSRF token; thin wrapper around validateToken() with a
 * different argument order.
 *
 * @param bool         $clearIfValid remove the matching server-side record once validated
 * @param string|false $token        token to check, or false to read it from the request
 * @param string       $name         token namespace (session/request key prefix)
 *
 * @return bool true when an unexpired matching token was found
 */
function check($clearIfValid = true, $token = false, $name = 'XOOPS_TOKEN')
{
    $isValid = $this->validateToken($token, $clearIfValid, $name);
    return $isValid;
}
46 
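/**
 * Create a new CSRF token and record it in the session.
 *
 * The secret token id and its expiry are kept server-side in
 * $_SESSION[$name . '_SESSION']; the value handed back to the caller (and
 * later checked by validateToken()) is md5(id . user agent . XOOPS_DB_PREFIX),
 * so the derived format must stay in step with validateToken().
 *
 * @param int    $timeout seconds until the token expires; 0 (or less) means
 *                        "session.gc_maxlifetime", falling back to 900 s when
 *                        that ini value is unusable
 * @param string $name    token namespace (session key prefix)
 *
 * @return string the token value to embed in the form or request
 */
function createToken($timeout = 0, $name = 'XOOPS_TOKEN')
{
    $this->garbageCollection($name);
    $timeout = intval($timeout);
    if ($timeout <= 0) {
        // Tie the default lifetime to the session lifetime so a token does not
        // outlive the session that stores it.
        $expire = @ini_get('session.gc_maxlifetime');
        $timeout = ($expire > 0) ? intval($expire) : 900;
    }
    // The id is the actual secret, so it must come from a CSPRNG where the
    // runtime has one; uniqid()/rand() are predictable and remain only as the
    // last-resort fallback on very old PHP. All branches yield 32 hex chars.
    $token_id = '';
    if (function_exists('random_bytes')) {
        $token_id = bin2hex(random_bytes(16));
    } elseif (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        if ($bytes !== false && $strong) {
            $token_id = bin2hex($bytes);
        }
    }
    if ($token_id === '') {
        $token_id = md5(uniqid(mt_rand(), true));
    }
    $sessionKey = $name . '_SESSION';
    if (!isset($_SESSION[$sessionKey]) || !is_array($_SESSION[$sessionKey])) {
        $_SESSION[$sessionKey] = array();
    }
    $_SESSION[$sessionKey][] = array(
        'id'     => $token_id,
        'expire' => time() + $timeout,
    );
    // The user agent is client-controlled, so mixing it in only loosely binds
    // the token to a browser; the unguessable part is the server-side id.
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return md5($token_id . $agent . XOOPS_DB_PREFIX);
}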
73 
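/**
 * Validate a CSRF token created by createToken().
 *
 * Each record in $_SESSION[$name . '_SESSION'] is recomputed as
 * md5(id . user agent . XOOPS_DB_PREFIX) and compared with the supplied
 * token. A match that is still within its expiry is valid and, when
 * $clearIfValid is set, its record is removed so the token is single-use;
 * a match that has expired records a "Valid token expired" error. Expired
 * records are purged on every call.
 *
 * @param string|false $token        token to check; false reads it from
 *                                   $_REQUEST[$name . '_REQUEST']
 * @param bool         $clearIfValid drop the matching record once validated
 * @param string       $name         token namespace used by createToken()
 *
 * @return bool true when an unexpired matching token was found
 */
function validateToken($token = false, $clearIfValid = true, $name = 'XOOPS_TOKEN')
{
    global $xoopsLogger;
    // The logger is a global that may not exist yet (e.g. early in bootstrap);
    // token validation must not fatal just because logging is unavailable.
    $canLog = is_object($xoopsLogger) && method_exists($xoopsLogger, 'addExtra');
    $sessionKey = $name . '_SESSION';
    if ($token === false) {
        // NOTE(review): depending on request_order, $_REQUEST also carries cookie
        // values; looking only at $_GET/$_POST would be the stricter source.
        $requestKey = $name . '_REQUEST';
        $token = isset($_REQUEST[$requestKey]) ? $_REQUEST[$requestKey] : '';
    }
    // Only a non-empty string can be a token: arrays or other types arriving
    // through the request are rejected before any comparison.
    if (!is_string($token) || empty($token)
        || empty($_SESSION[$sessionKey]) || !is_array($_SESSION[$sessionKey])) {
        if ($canLog) {
            $xoopsLogger->addExtra('Token Validation', 'No valid token found in request/session');
        }
        return false;
    }
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $validFound = false;
    $token_data = & $_SESSION[$sessionKey];
    foreach (array_keys($token_data) as $i) {
        // Skip malformed records: without an id the expected value would
        // collapse to md5(agent . prefix), which anyone could compute.
        if (!is_array($token_data[$i]) || !isset($token_data[$i]['id'])) {
            continue;
        }
        $expected = md5($token_data[$i]['id'] . $agent . XOOPS_DB_PREFIX);
        // Constant-time comparison where available, so the check does not leak
        // how much of the token matched; plain === is the pre-5.6 fallback.
        $matches = function_exists('hash_equals')
            ? hash_equals($expected, $token)
            : ($expected === $token);
        if (!$matches) {
            continue;
        }
        if ($this->filterToken($token_data[$i])) {
            if ($clearIfValid) {
                // Single use: forget the record once it has been accepted.
                unset($token_data[$i]);
            }
            if ($canLog) {
                $xoopsLogger->addExtra('Token Validation', 'Valid token found');
            }
            $validFound = true;
        } else {
            $str = 'Valid token expired';
            $this->setErrors($str);
            if ($canLog) {
                $xoopsLogger->addExtra('Token Validation', $str);
            }
        }
    }
    if (!$validFound && $canLog) {
        $xoopsLogger->addExtra('Token Validation', 'No valid token found');
    }
    $this->garbageCollection($name);
    return $validFound;
}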
115 
/**
 * Discard every token record stored under the given namespace.
 *
 * Any token issued earlier for this namespace will no longer validate.
 *
 * @param string $name token namespace (session key prefix)
 */
function clearTokens($name = 'XOOPS_TOKEN')
{
    $sessionKey = $name . '_SESSION';
    $_SESSION[$sessionKey] = array();
}
125 
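/**
 * Tell whether a stored token record is still alive.
 *
 * Used by validateToken() and as the array_filter() callback in
 * garbageCollection(), so it has to stay cheap and side-effect free.
 *
 * @param array $token token record as written by createToken(): at least an
 *                     'expire' key holding a Unix timestamp
 *
 * @return bool true when the record has an expiry that has not passed yet
 */
function filterToken($token)
{
    // Anything that is not a record, or has no expiry, counts as expired so a
    // corrupted session entry is discarded rather than honoured.
    if (!is_array($token) || empty($token['expire'])) {
        return false;
    }
    // Compare as integers: a non-numeric 'expire' must not sort as "in the future".
    return intval($token['expire']) >= time();
}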
137 
/**
 * Drop expired token records from the session for the given namespace.
 *
 * @param string $name token namespace (session key prefix)
 */
function garbageCollection($name = 'XOOPS_TOKEN')
{
    $sessionKey = $name . '_SESSION';
    if (empty($_SESSION[$sessionKey])) {
        return;
    }
    // array_filter() preserves keys, so surviving records keep their indexes.
    $alive = array_filter($_SESSION[$sessionKey], array($this, 'filterToken'));
    $_SESSION[$sessionKey] = $alive;
}
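/**
 * Check that the request's HTTP referer lies under this site's XOOPS_URL.
 *
 * The referer is supplied by the client, so this is defence in depth only:
 * it can be spoofed or suppressed and is no substitute for the token check.
 *
 * @param int $docheck 0 disables the check (always returns true)
 *
 * @return bool true when the check is disabled or the referer is XOOPS_URL
 *              itself or a path/query/fragment under it
 */
function checkReferer($docheck = 1)
{
    if ($docheck == 0) {
        return true;
    }
    $ref = xoops_getenv('HTTP_REFERER');
    if (!is_string($ref) || $ref === '') {
        return false;
    }
    // A bare prefix test would also accept "http://example.com.evil.tld/" for
    // XOOPS_URL "http://example.com", or "http://example.com/xoops-fake/" for
    // "http://example.com/xoops"; require a real boundary after the base URL.
    $base = rtrim(XOOPS_URL, '/');
    if ($ref === $base) {
        return true;
    }
    foreach (array('/', '?', '#') as $boundary) {
        if (strpos($ref, $base . $boundary) === 0) {
            return true;
        }
    }
    return false;
}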
174 
/**
 * Abort any request that tries to supply a reserved variable name.
 *
 * The reserved names are PHP's superglobals (including their legacy
 * HTTP_*_VARS aliases) and the core XOOPS globals. If any of them appears
 * as a key of $_REQUEST the client is redirected to the site root and
 * processing stops; otherwise the method returns normally.
 */
function checkSuperglobals()
{
    static $reserved = array(
        'GLOBALS',
        '_SESSION',
        'HTTP_SESSION_VARS',
        '_GET',
        'HTTP_GET_VARS',
        '_POST',
        'HTTP_POST_VARS',
        '_COOKIE',
        'HTTP_COOKIE_VARS',
        '_REQUEST',
        '_SERVER',
        'HTTP_SERVER_VARS',
        '_ENV',
        'HTTP_ENV_VARS',
        '_FILES',
        'HTTP_POST_FILES',
        'xoopsDB',
        'xoopsUser',
        'xoopsUserId',
        'xoopsUserGroups',
        'xoopsUserIsAdmin',
        'xoopsConfig',
        'xoopsOption',
        'xoopsModule',
        'xoopsModuleConfig',
        'xoopsRequestUri',
    );
    foreach ($reserved as $blocked) {
        if (!isset($_REQUEST[$blocked])) {
            continue;
        }
        // Tainted request: bounce to the front page and stop right here.
        header('Location: ' . XOOPS_URL . '/');
        exit();
    }
}
215 
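/**
 * Terminate the request when the client address matches a banned-IP entry.
 *
 * Reads $xoopsConfig['enable_badips'] and $xoopsConfig['bad_ips'] from the
 * global configuration. Each non-empty entry is used as an unanchored
 * regular-expression fragment against $_SERVER['REMOTE_ADDR']; on a match
 * the script exits immediately, otherwise the method returns normally.
 *
 * NOTE(review): REMOTE_ADDR is the directly connected peer, so behind a
 * reverse proxy this bans the proxy's address, not the end client.
 */
function checkBadips()
{
    global $xoopsConfig;
    $enabled = isset($xoopsConfig['enable_badips']) && $xoopsConfig['enable_badips'] == 1;
    $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (!$enabled || $addr === '') {
        return;
    }
    $patterns = (isset($xoopsConfig['bad_ips']) && is_array($xoopsConfig['bad_ips']))
        ? $xoopsConfig['bad_ips']
        : array();
    foreach ($patterns as $pattern) {
        if (!is_string($pattern) || empty($pattern)) {
            continue;
        }
        // Entries are regex fragments, not literal addresses: "10.1.1.1" also
        // matches "110.1.1.10" because "." is a wildcard and nothing is anchored.
        // A malformed entry (e.g. one containing the "/" delimiter) makes
        // preg_match() return false, so that entry bans nobody: the check
        // fails open for that entry rather than closed.
        if (preg_match('/' . $pattern . '/', $addr) === 1) {
            exit();
        }
    }
}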
236 
/**
 * Render a hidden form field carrying a fresh token for the given namespace.
 *
 * @param string $name token namespace
 *
 * @return string the rendered hidden-input markup
 */
function getTokenHTML($name = 'XOOPS_TOKEN')
{
    require_once XOOPS_ROOT_PATH . '/class/xoopsformloader.php';
    $hidden = new XoopsFormHiddenToken($name);
    $markup = $hidden->render();
    return $markup;
}
248 
/**
 * Record an error message (surrounding whitespace trimmed).
 *
 * Messages are stored verbatim and getErrors(true) emits them unescaped,
 * so only pass trusted text here.
 *
 * @param string $error message to record
 */
function setErrors($error)
{
    $message = trim($error);
    array_push($this->errors, $message);
}
258 
/**
 * Return the recorded error messages.
 *
 * @param bool $ashtml false returns the raw array; true returns the messages
 *                     concatenated, each followed by "<br />" (empty string
 *                     when there are none). The messages are NOT HTML-escaped.
 *
 * @return array|string
 */
function &getErrors($ashtml = false)
{
    if ($ashtml) {
        $html = '';
        if (count($this->errors) > 0) {
            $html = implode('<br />', $this->errors) . '<br />';
        }
        return $html;
    }
    return $this->errors;
}
280 }
281 ?>