1: <?php
  2: /**
  3:  * This file contains the the request validator class.
  4:  *
  5:  * @package    Core
  6:  * @subpackage Security
  7:  * @author     Mischa Holz
  8:  * @author     Andreas Kummer
  9:  * @copyright  four for business AG <www.4fb.de>
 10:  * @license    http://www.contenido.org/license/LIZENZ.txt
 11:  * @link       http://www.4fb.de
 12:  * @link       http://www.contenido.org
 13:  */
 14: 
 15: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 16: 
 17: /**
 18:  * Class to check get and post variables
 19:  *
 20:  * @package    Core
 21:  * @subpackage Security
 22:  */
 23: class cRequestValidator {
 24: 
 25:     /**
 26:      * Instance of this class.
 27:      *
 28:      * @var cRequestValidator
 29:      */
 30:     private static $_instance = null;
 31: 
 32:     /**
 33:      * Path and filename of logfile.
 34:      *
 35:      * @var string
 36:      */
 37:     protected $_logPath;
 38: 
 39:     /**
 40:      * Flag whether to write log or not.
 41:      *
 42:      * @var bool
 43:      */
 44:     protected $_log = true;
 45: 
 46:     /**
 47:      * Path to config file.
 48:      *
 49:      * @var string
 50:      */
 51:     protected $_configPath;
 52: 
 53:     /**
 54:      * Array with all possible parameters and parameter formats.
 55:      * Structure has to be:
 56:      * <code>
 57:      * $check['GET']['param1'] = VALIDATE_FORMAT;
 58:      * $check['POST']['param2'] = VALIDATE_FORMAT;
 59:      * </code>
 60:      * Possible formats are defined as constants in top of these class file.
 61:      *
 62:      * @var array
 63:      */
 64:     protected $_check = array();
 65: 
 66:     /**
 67:      * Array with forbidden parameters.
 68:      * If any of these is set the request will be invalid.
 69:      *
 70:      * @var array
 71:      */
 72:     protected $_blacklist = array();
 73: 
 74:     /**
 75:      * Contains first invalid parameter name.
 76:      *
 77:      * @var string
 78:      */
 79:     protected $_failure = '';
 80: 
 81:     /**
 82:      * Current mode.
 83:      *
 84:      * @var string
 85:      */
 86:     protected $_mode = '';
 87: 
 88:     /**
 89:      * Regexp for integers.
 90:      *
 91:      * @var string
 92:      */
 93:     const CHECK_INTEGER = '/^[0-9]*$/';
 94: 
 95:     /**
 96:      * Regexp for primitive strings.
 97:      *
 98:      * @var string
 99:      */
100:     const CHECK_PRIMITIVESTRING = '/^[a-zA-Z0-9 -_]*$/';
101: 
102:     /**
103:      * Regexp for strings.
104:      *
105:      * @var string
106:      */
107:     const CHECK_STRING = '/^[\w0-9 -_]*$/';
108: 
109:     /**
110:      * Regexp for 32 character hash.
111:      *
112:      * @var string
113:      */
114:     const CHECK_HASH32 = '/^[a-zA-Z0-9]{32}$/';
115: 
116:     /**
117:      * Regexp for valid belang values.
118:      *
119:      * @var string
120:      */
121:     const CHECK_BELANG = '/^[a-z]{2}_[A-Z]{2}$/';
122: 
123:     /**
124:      * Regexp for valid area values.
125:      *
126:      * @var string
127:      */
128:     const CHECK_AREASTRING = '/^[a-zA-Z_]*$/';
129: 
130:     /**
131:      * Regexp for validating file upload paths.
132:      *
133:      * @var string
134:      */
135:     const CHECK_PATHSTRING = '!([*]*\/)|(dbfs:\/[*]*)|(dbfs:)|(^)$!';
136: 
137:     /**
138:      * Constructor to create an instance of this class.
139:      * The constructor sets up the singleton object and reads the config from
140:      *     'data/config/' . CON_ENVIRONMENT . '/config.http_check.php'
141:      * It also reads existing local config from
142:      *     'data/config/' . CON_ENVIRONMENT . '/config.http_check.local.php'
143:      *
144:      * @throws cFileNotFoundException if the configuration can not be loaded
145:      */
146:     private function __construct() {
147: 
148:         // globals from config.http_check.php file which is included below
149:         global $bLog, $sMode, $aCheck, $aBlacklist;
150: 
151:         // some paths...
152:         $installationPath = str_replace('\\', '/', realpath(dirname(__FILE__) . '/../..'));
153:         $configPath       = $installationPath . '/data/config/' . CON_ENVIRONMENT;
154: 
155:         $this->_logPath = $installationPath . '/data/logs/security.txt';
156: 
157:         // check config and logging path
158:         if (cFileHandler::exists($configPath . '/config.http_check.php')) {
159:             $this->_configPath = $configPath;
160:         } else {
161:             throw new cFileNotFoundException('Could not load cRequestValidator configuration! (invalid path) ' . $configPath . '/config.http_check.php');
162:         }
163: 
164:         // include configuration
165:         require($this->_configPath . '/config.http_check.php');
166: 
167:         // if custom config exists, include it also here
168:         if (cFileHandler::exists($this->_configPath . '/config.http_check.local.php')) {
169:             require($this->_configPath . '/config.http_check.local.php');
170:         }
171: 
172:         $this->_log  = $bLog;
173:         $this->_mode = $sMode;
174: 
175:         if ($this->_log === true) {
176:             if (empty($this->_logPath) || !is_writeable(dirname($this->_logPath))) {
177:                 $this->_log = false;
178:             }
179:         }
180: 
181:         $this->_check = $aCheck;
182:         foreach ($aBlacklist as $elem) {
183:             $this->_blacklist[] = strtolower($elem);
184:         }
185:     }
186: 
187:     /**
188:      * Returns the instance of this class.
189:      *
190:      * @return cRequestValidator
191:      */
192:     public static function getInstance() {
193: 
194:         if (self::$_instance === null) {
195:             self::$_instance = new self();
196:         }
197: 
198:         return self::$_instance;
199:     }
200: 
201:     /**
202:      * Checks every given parameter.
203:      * Parameters which aren't defined in config.http_check.php
204:      * are considered to be fine.
205:      *
206:      * @return bool
207:      *         True if every parameter is fine
208:      */
209:     public function checkParams() {
210: 
211:         if ((!$this->checkGetParams()) || (!$this->checkPostParams() || (!$this->checkCookieParams()))) {
212:             $this->logHackTrial();
213: 
214:             if ($this->_mode == 'stop') {
215:                 ob_end_clean();
216:                 $msg = 'Parameter check failed! (%s = %s %s %s)';
217:                 // prevent XSS!
218:                 $msg = sprintf($msg, htmlentities($this->_failure), htmlentities($_GET[$this->_failure]), htmlentities($_POST[$this->_failure]), htmlentities($_COOKIE[$this->_failure]));
219:                 die($msg);
220:             }
221:         }
222: 
223:         return true;
224:     }
225: 
226:     /**
227:      * Checks GET parameters only.
228:      *
229:      * @see    cRequestValidator::checkParams()
230:      * @return bool
231:      *         True if every parameter is fine
232:      */
233:     public function checkGetParams() {
234: 
235:         return $this->checkArray($_GET, 'GET');
236:     }
237: 
238:     /**
239:      * Checks POST parameters only.
240:      *
241:      * @see    cRequestValidator::checkParams()
242:      * @return bool
243:      *         True if every parameter is fine
244:      */
245:     public function checkPostParams() {
246: 
247:         return $this->checkArray($_POST, 'POST');
248:     }
249: 
250:     /**
251:      * Checks COOKIE parameters only.
252:      *
253:      * @see    cRequestValidator::checkParams()
254:      * @return bool
255:      *         True if every parameter is fine
256:      */
257:     public function checkCookieParams() {
258: 
259:         return $this->checkArray($_COOKIE, 'COOKIE');
260:     }
261: 
262: 
263:     /**
264:      * Checks a single parameter.
265:      *
266:      * @see cRequestValidator::checkParams()
267:      *
268:      * @param string $type
269:      *         GET or POST
270:      * @param string $key
271:      *         the key of the parameter
272:      * @param mixed  $value
273:      *         the value of the parameter
274:      *
275:      * @return bool
276:      *         True if the parameter is fine
277:      */
278:     public function checkParameter($type, $key, $value) {
279: 
280:         $result = false;
281: 
282:         if (in_array(strtolower($key), $this->_blacklist)) {
283:             return false;
284:         }
285: 
286:         if (in_array(strtoupper($type), array(
287:             'GET',
288:             'POST',
289:             'COOKIE'
290:         ))) {
291:             if (!isset($this->_check[$type][$key]) && (is_null($value) || empty($value))) {
292:                 // if unknown but empty the value is unaesthetic but ok
293:                 $result = true;
294:             } elseif (isset($this->_check[$type][$key])) {
295:                 // parameter is known, check it...
296:                 $result = preg_match($this->_check[$type][$key], $value);
297:             } else {
298:                 // unknown parameter. Will return true
299:                 $result = true;
300:             }
301:         }
302: 
303:         return $result;
304:     }
305: 
306:     /**
307:      * Returns the first bad parameter.
308:      *
309:      * @return string
310:      *         the key of the bad parameter
311:      */
312:     public function getBadParameter() {
313: 
314:         return $this->_failure;
315:     }
316: 
317:     /**
318:      * Writes a log entry containing information about the request which
319:      * led to the halt of the execution.
320:      */
321:     protected function logHackTrial() {
322: 
323:         if ($this->_log === true && !empty($this->_logPath)) {
324:             $content = date('Y-m-d H:i:s') . '    ';
325:             $content .= $_SERVER['REMOTE_ADDR'] . str_repeat(' ', 17 - strlen($_SERVER['REMOTE_ADDR'])) . "\n";
326:             $content .= '    Query String: ' . $_SERVER['QUERY_STRING'] . "\n";
327:             $content .= '    Bad parameter: ' . $this->getBadParameter() . "\n";
328:             $content .= '    POST array: ' . print_r($_POST, true) . "\n";
329:             $content .= '    GET array: ' . print_r($_GET, true) . "\n";
330:             $content .= '    COOKIE array: ' . print_r($_COOKIE, true) . "\n";
331:             cFileHandler::write($this->_logPath, $content, true);
332:         } elseif ($this->_mode == 'continue') {
333:             echo "\n<br>VIOLATION: URL contains invalid or undefined paramaters! URL: '" . conHtmlentities($_SERVER['QUERY_STRING']) . "' <br>\n";
334:         }
335:     }
336: 
337:     /**
338:      * This function removes unwished chars from given string
339:      *
340:      * @param string $param
341:      *
342:      * @return string
343:      */
344:     public static function cleanParameter($param) {
345: 
346:         $charsToReplace = array(
347:             '<', '>', '?', '&', '$', '{', '}', '(', ')'
348:         );
349: 
350:         foreach ($charsToReplace as $char) {
351:             $param = str_replace($char, '', $param);
352:         }
353: 
354:         return $param;
355:     }
356: 
357:     /**
358:      * Checks an array for validity.
359:      *
360:      * @param array  $arr
361:      *         the array which has to be checked
362:      * @param string $type
363:      *         GET or POST
364:      *
365:      * @return bool
366:      *         true if everything is fine.
367:      */
368:     protected function checkArray($arr, $type) {
369: 
370:         $result = true;
371: 
372:         foreach ($arr as $key => $value) {
373:             if (!$this->checkParameter(strtoupper($type), $key, $value)) {
374:                 $this->_failure = $key;
375:                 $result         = false;
376:                 break;
377:             }
378:         }
379: 
380:         return $result;
381:     }
382: 
383: }
384: