1 <?php
2 /*
3  * You may not change or alter any portion of this comment or credits
4  * of supporting developers from this source code or any supporting source code
5  * which is considered copyrighted (c) material of the original comment or credit authors.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
10  */
11 
12 namespace Xoops\Core;
13 
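/**
 * Session-backed one-time (CSRF) token handling, referer checking and
 * a minimal IP blocklist for the XOOPS core.
 *
 * Tokens live in $_SESSION[$name . '_SESSION'] as a list of
 * array('id' => string, 'expire' => int) entries; the request side is read
 * from $_REQUEST[$name . '_REQUEST'].
 */
class Security
{
    /** @var string[] plain-text messages recorded by setErrors() */
    private $errors = array();

    /**
     * Validate a token; argument order differs from validateToken() for
     * historical reasons only.
     *
     * @param bool         $clearIfValid drop the token from the session once accepted
     * @param string|false $token        token value, or false to read it from $_REQUEST
     * @param string       $name         token family (session/request key prefix)
     *
     * @return bool true when a matching, unexpired token was found
     */
    public function check($clearIfValid = true, $token = false, $name = 'XOOPS_TOKEN')
    {
        return $this->validateToken($token, $clearIfValid, $name);
    }

    /**
     * Create a new token, store it in the session and return its id.
     *
     * Expired tokens of the same family are purged first. A non-positive
     * (or non-numeric) timeout falls back to 300 seconds, so a caller can
     * never create a token that is already expired.
     *
     * @param int    $timeout lifetime in seconds
     * @param string $name    token family
     *
     * @return string the token id to embed in the form/request
     */
    public function createToken($timeout = 300, $name = 'XOOPS_TOKEN')
    {
        $sessionName = $name . '_SESSION';
        $this->garbageCollection($name);

        $timeout = (int) $timeout;
        if ($timeout <= 0) {
            $timeout = 300;
        }

        $tokenId = Random::generateOneTimeToken();

        // Start a fresh list if the slot is missing or holds something that is not a list
        if (!isset($_SESSION[$sessionName]) || !is_array($_SESSION[$sessionName])) {
            $_SESSION[$sessionName] = array();
        }
        $_SESSION[$sessionName][] = array(
            'id'     => $tokenId,
            'expire' => time() + $timeout,
        );

        return $tokenId;
    }

    /**
     * Check a token against the ones stored in the session.
     *
     * Only string tokens are accepted (a request can submit an array under
     * the same key); ids are compared with hash_equals() so the comparison
     * time does not leak how much of the token matched. The outcome is
     * reported through the 'core.security.validatetoken.end' event.
     *
     * @param string|false $token        token value, or false to read it from $_REQUEST
     * @param bool         $clearIfValid drop the token from the session once accepted
     * @param string       $name         token family
     *
     * @return bool true when a matching, unexpired token was found
     */
    public function validateToken($token = false, $clearIfValid = true, $name = 'XOOPS_TOKEN')
    {
        $sessionName = $name . '_SESSION';
        $ret = false;
        $log = array();

        if ($token === false) {
            $token = isset($_REQUEST[$name . '_REQUEST']) ? $_REQUEST[$name . '_REQUEST'] : '';
        }

        if (!is_string($token)
            || $token === ''
            || empty($_SESSION[$sessionName])
            || !is_array($_SESSION[$sessionName])
        ) {
            $str = 'No valid token found in request/session';
            $this->setErrors($str);
            $log[] = array('Token Validation', $str);
        } else {
            $tokenData =& $_SESSION[$sessionName];
            foreach (array_keys($tokenData) as $i) {
                $candidate = isset($tokenData[$i]['id']) ? $tokenData[$i]['id'] : null;
                if (!is_string($candidate) || !hash_equals($candidate, $token)) {
                    continue;
                }
                if ($this->filterToken($tokenData[$i])) {
                    if ($clearIfValid) {
                        // single-use: remove the token as soon as it has been accepted
                        unset($tokenData[$i]);
                    }
                    $log[] = array('Token Validation', 'Valid token found');
                    $ret = true;
                } else {
                    $str = 'Valid token expired';
                    $this->setErrors($str);
                    $log[] = array('Token Validation', $str);
                }
            }
            unset($tokenData);
            if (!$ret) {
                $log[] = array('Token Validation', 'No valid token found');
            }
            $this->garbageCollection($name);
        }

        \Xoops::getInstance()->preload()->triggerEvent('core.security.validatetoken.end', array($log));

        return $ret;
    }

    /**
     * Discard every stored token of a family.
     *
     * @param string $name token family
     *
     * @return void
     */
    public function clearTokens($name = 'XOOPS_TOKEN')
    {
        $_SESSION[$name . '_SESSION'] = array();
    }

    /**
     * Tell whether a stored token entry is still valid (not expired).
     *
     * Anything that is not an array with a non-empty 'expire' key is
     * treated as expired, so a corrupted session entry is purged rather
     * than trusted.
     *
     * @param mixed $token a stored entry, normally array('id' => ..., 'expire' => ...)
     *
     * @return bool
     */
    public function filterToken($token)
    {
        return is_array($token) && !empty($token['expire']) && $token['expire'] >= time();
    }

    /**
     * Remove expired (or malformed) tokens of a family from the session.
     *
     * @param string $name token family
     *
     * @return void
     */
    public function garbageCollection($name = 'XOOPS_TOKEN')
    {
        $sessionName = $name . '_SESSION';
        if (!empty($_SESSION[$sessionName]) && is_array($_SESSION[$sessionName])) {
            $_SESSION[$sessionName] = array_filter($_SESSION[$sessionName], array($this, 'filterToken'));
        }
    }

    /**
     * Check that the request's HTTP referer belongs to this site.
     *
     * The referer is client-supplied, so this is a weak signal only. The
     * site URL must match as a whole component: "http://example.org" is not
     * allowed to match "http://example.org.evil/", which a bare prefix
     * comparison would accept.
     *
     * @param int $docheck 0 disables the check (always returns true)
     *
     * @return bool
     */
    public function checkReferer($docheck = 1)
    {
        if ($docheck == 0) {
            return true;
        }

        $ref = (string) \Xoops::getInstance()->getEnv('HTTP_REFERER');
        if ($ref === '') {
            return false;
        }

        $base = rtrim((string) \XoopsBaseConfig::get('url'), '/');
        if ($base === '' || strpos($ref, $base) !== 0) {
            return false;
        }

        // After the site URL only a path, query string, fragment or nothing may follow
        $rest = substr($ref, strlen($base));
        if ($rest === '' || $rest === false) {
            return true;
        }

        return in_array($rest[0], array('/', '?', '#'), true);
    }

    /**
     * Terminate the request when the client address matches a configured
     * "bad IP" entry and the feature is enabled.
     *
     * Each configured entry is used as a regular-expression fragment, as it
     * always was; a malformed entry (or one containing '/') makes
     * preg_match() return false and therefore never matches. Only an exact
     * match result of 1 terminates the request.
     *
     * @return void
     */
    public function checkBadips()
    {
        $xoops = \Xoops::getInstance();
        if ($xoops->getConfig('enable_badips') != 1) {
            return;
        }

        $remote = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
        if ($remote === '') {
            return;
        }

        $badIps = $xoops->getConfig('bad_ips');
        if (!is_array($badIps)) {
            // NOTE(review): assumes the config option is stored as an array — confirm against the config definition
            return;
        }

        foreach ($badIps as $bi) {
            if (empty($bi)) {
                continue;
            }
            if (preg_match('/' . $bi . '/', $remote) === 1) {
                exit();
            }
        }
    }

    /**
     * Render the hidden form field carrying a fresh token.
     *
     * @param string $name token family
     *
     * @return string HTML
     */
    public function getTokenHTML($name = 'XOOPS_TOKEN')
    {
        $token = new \Xoops\Form\Token($name);

        return $token->render();
    }

    /**
     * Record an error message (surrounding whitespace trimmed).
     *
     * @param string $error message text
     *
     * @return void
     */
    public function setErrors($error)
    {
        $this->errors[] = trim($error);
    }

    /**
     * Return the recorded errors.
     *
     * Messages are joined verbatim when rendered as HTML; callers of
     * setErrors() are responsible for passing markup-safe text.
     *
     * @param bool $ashtml true to get a '<br />'-separated string instead of the list
     *
     * @return string[]|string
     */
    public function getErrors($ashtml = false)
    {
        if (!$ashtml) {
            return $this->errors;
        }

        return implode('<br />', $this->errors) . '<br />';
    }
}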