Overview

Packages

  • Core
    • Authentication
    • Backend
    • Cache
    • CEC
    • Chain
    • ContentType
    • Database
    • Datatype
    • Debug
    • Exception
    • Frontend
      • Search
      • URI
      • Util
    • GenericDB
      • Model
    • GUI
      • HTML
    • I18N
    • LayoutHandler
    • Log
    • Security
    • Session
    • Util
    • Validation
    • Versioning
    • XML
  • Module
    • ContentSitemapHtml
    • ContentSitemapXml
    • ContentUserForum
    • NavigationMain
    • NavigationTop
  • mpAutoloaderClassMap
  • None
  • Plugin
    • ContentAllocation
    • CronjobOverview
    • FormAssistant
    • FrontendLogic
    • FrontendUsers
    • Linkchecker
    • ModRewrite
    • Newsletter
    • Repository
      • FrontendNavigation
      • KeywordDensity
    • SearchSolr
    • SmartyWrapper
    • UrlShortener
    • UserForum
    • Workflow
  • PluginManager
  • Setup
    • Form
    • GUI
    • Helper
      • Environment
      • Filesystem
      • MySQL
      • PHP
    • UpgradeJob

Classes

  • cRequestValidator
  • cSecurity
  • cUpdateNotifier
  • Overview
  • Package
  • Class
  • Tree
  • Deprecated
  • Todo 
  1: <?php
  2: /**
  3:  * This file contains the the request validator class.
  4:  *
  5:  * @package    Core
  6:  * @subpackage Security
  7:  * @version    SVN Revision $Rev:$
  8:  *
  9:  * @author     Mischa Holz, Andreas Kummer
 10:  * @copyright  four for business AG <www.4fb.de>
 11:  * @license    http://www.contenido.org/license/LIZENZ.txt
 12:  * @link       http://www.4fb.de
 13:  * @link       http://www.contenido.org
 14:  */
 15: 
 16: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 17: 
 18: /**
 19:  * Class to check get and post variables
 20:  *
 21:  * @package    Core
 22:  * @subpackage Security
 23:  */
 24: class cRequestValidator {
 25: 
 26:     /**
 27:      * Instance of this class
 28:      *
 29:      * @var cRequestValidator
 30:      */
 31:     private static $_instance = null;
 32: 
 33:     /**
 34:      * Path and filename of logfile
 35:      *
 36:      * @var string
 37:      */
 38:     protected $_logPath;
 39: 
 40:     /**
 41:      * Flag whether to write log or not.
 42:      *
 43:      * @var boolean
 44:      */
 45:     protected $_log = true;
 46: 
 47:     /**
 48:      * Path to config file.
 49:      *
 50:      * @var string
 51:      */
 52:     protected $_configPath;
 53: 
 54:     /**
 55:      * Array with all possible parameters and parameter formats.
 56:      * Structure has to be:
 57:      *
 58:      * <code>
 59:      * $check['GET']['param1'] = VALIDATE_FORMAT;
 60:      * $check['POST']['param2'] = VALIDATE_FORMAT;
 61:      * </code>
 62:      *
 63:      * Possible formats are defined as constants in top of these class file.
 64:      *
 65:      * @var array
 66:      */
 67:     protected $_check = array();
 68: 
 69:     /**
 70:      * Array with forbidden parameters.
 71:      * If any of these is set the request will be invalid
 72:      *
 73:      * @var array
 74:      */
 75:     protected $_blacklist = array();
 76: 
 77:     /**
 78:      * Contains first invalid parameter name.
 79:      *
 80:      * @var string
 81:      */
 82:     protected $_failure = '';
 83: 
 84:     /**
 85:      * Current mode
 86:      *
 87:      * @var string
 88:      */
 89:     protected $_mode = '';
 90: 
 91:     /**
 92:      * Regexp for integers.
 93:      *
 94:      * @var string
 95:      */
 96:     const CHECK_INTEGER = '/^[0-9]*$/';
 97: 
 98:     /**
 99:      * Regexp for primitive strings.
100:      *
101:      * @var string
102:      */
103:     const CHECK_PRIMITIVESTRING = '/^[a-zA-Z0-9 -_]*$/';
104: 
105:     /**
106:      * Regexp for strings.
107:      *
108:      * @var string
109:      */
110:     const CHECK_STRING = '/^[\w0-9 -_]*$/';
111: 
112:     /**
113:      * Regexp for 32 character hash.
114:      *
115:      * @var string
116:      */
117:     const CHECK_HASH32 = '/^[a-zA-Z0-9]{32}$/';
118: 
119:     /**
120:      * Regexp for valid belang values.
121:      *
122:      * @var string
123:      */
124:     const CHECK_BELANG = '/^de_DE|en_US|fr_FR|it_IT|nl_NL$/';
125: 
126:     /**
127:      * Regexp for valid area values.
128:      *
129:      * @var string
130:      */
131:     const CHECK_AREASTRING = '/^[a-zA-Z_]*$/';
132: 
133:     /**
134:      * Regexp for validating file upload paths.
135:      *
136:      * @var string
137:      */
138:     const CHECK_PATHSTRING = '!([*]*\/)|(dbfs:\/[*]*)|(dbfs:)|(^)$!';
139: 
140:     /**
141:      * The constructor sets up the singleton object and reads the config from
142:      * 'data/config/' .
143:      * CON_ENVIRONMENT . '/config.http_check.php'.
144:      *
145:      * @throws cFileNotFoundException if the configuration can not be loaded
146:      */
147:     private function __construct() {
148:         // globals from config.http_check.php file which is included below
149:         global $bLog, $sMode, $aCheck, $aBlacklist;
150: 
151:         $this->_logPath = str_replace('\\', '/', realpath(dirname(__FILE__) . '/../..')) . '/data/logs/security.txt';
152: 
153:         // check config and logging path
154:         if (cFileHandler::exists(realpath(dirname(__FILE__) . '/../..') . '/data/config/' . CON_ENVIRONMENT . '/config.http_check.php')) {
155:             $this->_configPath = realpath(dirname(__FILE__) . '/../..') . '/data/config/' . CON_ENVIRONMENT;
156:         } else {
157:             throw new cFileNotFoundException('Could not load cRequestValidator configuration! (invalid path) ' . realpath(dirname(__FILE__) . '/../..') . '/data/config/' . CON_ENVIRONMENT . '/config.http_check.php');
158:         }
159: 
160:         // include configuration
161:         require ($this->_configPath . '/config.http_check.php');
162: 
163:         // if custom config exists, include it also here
164:         if (cFileHandler::exists(dirname($this->_configPath) . '/config.http_check.local.php')) {
165:             require (dirname($this->_configPath) . '/config.http_check.local.php');
166:         }
167: 
168:         $this->_log = $bLog;
169:         $this->_mode = $sMode;
170: 
171:         if ($this->_log === true) {
172:             if (empty($this->_logPath) || !is_writeable(dirname($this->_logPath))) {
173:                 $this->_log = false;
174:             }
175:         }
176: 
177:         $this->_check = $aCheck;
178:         foreach ($aBlacklist as $elem) {
179:             $this->_blacklist[] = strtolower($elem);
180:         }
181:     }
182: 
183:     /**
184:      * Returns the instance of this class.
185:      *
186:      * @return cRequestValidator
187:      */
188:     public static function getInstance() {
189:         if (self::$_instance === null) {
190:             self::$_instance = new self();
191:         }
192: 
193:         return self::$_instance;
194:     }
195: 
196:     /**
197:      * Checks every given parameter.
198:      * Parameters which aren't defined in config.http_check.php are considered
199:      * to be fine
200:      *
201:      * @return bool True if every parameter is fine
202:      */
203:     public function checkParams() {
204:         if ((!$this->checkGetParams()) || (!$this->checkPostParams())) {
205:             $this->logHackTrial();
206: 
207:             if ($this->_mode == 'stop') {
208:                 ob_end_clean();
209:                 die('Parameter check failed! (' . $this->_failure . '=' . $_GET[$this->_failure] . $_POST[$this->_failure] . ')');
210:             }
211:         }
212: 
213:         return true;
214:     }
215: 
216:     /**
217:      * Checks GET parameters only.
218:      *
219:      * @see cRequestValidator::checkParams()
220:      * @return bool True if every parameter is fine
221:      */
222:     public function checkGetParams() {
223:         return $this->checkArray($_GET, 'GET');
224:     }
225: 
226:     /**
227:      * Checks POST parameters only.
228:      *
229:      * @see cRequestValidator::checkParams()
230:      * @return bool True if every parameter is fine
231:      */
232:     public function checkPostParams() {
233:         return $this->checkArray($_POST, 'POST');
234:     }
235: 
236:     /**
237:      * Checks a single parameter.
238:      *
239:      * @see cRequestValidator::checkParams()
240:      *
241:      * @param string GET or POST
242:      * @param string the key of the parameter
243:      * @param mixed the value of the parameter
244:      * @return bool True if the parameter is fine
245:      */
246:     public function checkParameter($type, $key, $value) {
247:         $result = false;
248: 
249:         if (in_array(strtolower($key), $this->_blacklist)) {
250:             return false;
251:         }
252: 
253:         if (in_array(strtoupper($type), array(
254:             'GET',
255:             'POST'
256:         ))) {
257:             if (!isset($this->_check[$type][$key]) && (is_null($value) || empty($value))) {
258:                 // if unknown but empty the value is unaesthetic but ok
259:                 $result = true;
260:             } elseif (isset($this->_check[$type][$key])) {
261:                 // parameter is known, check it...
262:                 $result = preg_match($this->_check[$type][$key], $value);
263:             } else {
264:                 // unknown parameter. Will return tru
265:                 $result = true;
266:             }
267:         }
268: 
269:         return $result;
270:     }
271: 
272:     /**
273:      * Returns the first bad parameter
274:      *
275:      * @return string the key of the bad parameter
276:      */
277:     public function getBadParameter() {
278:         return $this->_failure;
279:     }
280: 
281:     /**
282:      * Writes a log entry containing information about the request which led to
283:      * the halt of the execution
284:      */
285:     protected function logHackTrial() {
286:         if ($this->_log === true && !empty($this->_logPath)) {
287:             $content = date('Y-m-d H:i:s') . '    ';
288:             $content .= $_SERVER['REMOTE_ADDR'] . str_repeat(' ', 17 - strlen($_SERVER['REMOTE_ADDR'])) . "\n";
289:             $content .= '    Query String: ' . $_SERVER['QUERY_STRING'] . "\n";
290:             $content .= '    Bad parameter: ' . $this->getBadParameter() . "\n";
291:             $content .= '    POST array: ' . print_r($_POST, true) . "\n";
292:             cFileHandler::write($this->_logPath, $content, true);
293:         } elseif ($this->_mode == 'continue') {
294:             echo "\n<br />VIOLATION: URL contains invalid or undefined paramaters! URL: '" . conHtmlentities($_SERVER['QUERY_STRING']) . "' <br />\n";
295:         }
296:     }
297: 
298:     /**
299:      * Checks an array for validity.
300:      *
301:      * @param array the array which has to be checked
302:      * @param string GET or POST
303:      *
304:      * @return bool true if everything is fine.
305:      */
306:     protected function checkArray($arr, $type) {
307:         $result = true;
308: 
309:         foreach ($arr as $key => $value) {
310:             if (!$this->checkParameter(strtoupper($type), $key, $value)) {
311:                 $this->_failure = $key;
312:                 $result = false;
313:                 break;
314:             }
315:         }
316: 
317:         return $result;
318:     }
319: 
320: }
321:
CMS CONTENIDO 4.9.0 API documentation generated by ApiGen 2.8.0