Overview

Packages

  • Core
    • Authentication
    • Backend
    • Cache
    • CEC
    • Chain
    • ContentType
    • Database
    • Datatype
    • Debug
    • Exception
    • Frontend
      • Search
      • URI
      • Util
    • GenericDB
      • Model
    • GUI
      • HTML
    • I18N
    • LayoutHandler
    • Log
    • Security
    • Session
    • Util
    • Validation
    • Versioning
    • XML
  • Module
    • ContentSitemapHtml
    • ContentSitemapXml
    • ContentUserForum
    • NavigationTop
  • mpAutoloaderClassMap
  • None
  • Plugin
    • ContentAllocation
    • CronjobOverview
    • FormAssistant
    • FrontendLogic
    • FrontendUsers
    • Linkchecker
    • ModRewrite
    • Newsletter
    • Repository
      • FrontendNavigation
      • KeywordDensity
    • SearchSolr
    • SmartyWrapper
    • UrlShortener
    • UserForum
    • Workflow
  • PluginManager
  • Setup
    • Form
    • GUI
    • Helper
      • Environment
      • Filesystem
      • MySQL
      • PHP
    • UpgradeJob

Classes

  • cRequestValidator
  • cSecurity
  • cUpdateNotifier
  • Overview
  • Package
  • Class
  • Tree
  • Deprecated
  • Todo 
  1: <?php
  2: /**
  3:  * This file contains the the request validator class.
  4:  *
  5:  * @package    Core
  6:  * @subpackage Security
  7:  * @version    SVN Revision $Rev:$
  8:  *
  9:  * @author     Mischa Holz, Andreas Kummer
 10:  * @copyright  four for business AG <www.4fb.de>
 11:  * @license    http://www.contenido.org/license/LIZENZ.txt
 12:  * @link       http://www.4fb.de
 13:  * @link       http://www.contenido.org
 14:  */
 15: 
 16: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 17: 
 18: /**
 19:  * Class to check get and post variables
 20:  *
 21:  * @package    Core
 22:  * @subpackage Security
 23:  */
 24: class cRequestValidator {
 25: 
 26:     /**
 27:      * Instance of this class
 28:      *
 29:      * @var cRequestValidator
 30:      */
 31:     private static $_instance = NULL;
 32: 
 33:     /**
 34:      * Path and filename of logfile
 35:      *
 36:      * @var string
 37:      */
 38:     protected $_logPath;
 39: 
 40:     /**
 41:      * Flag whether to write log or not.
 42:      *
 43:      * @var boolean
 44:      */
 45:     protected $_log = true;
 46: 
 47:     /**
 48:      * Path to config file.
 49:      *
 50:      * @var string
 51:      */
 52:     protected $_configPath;
 53: 
 54:     /**
 55:      * Array with all possible parameters and parameter formats.
 56:      * Structure has to be:
 57:      *
 58:      * <code>
 59:      * $check['GET']['param1'] = VALIDATE_FORMAT;
 60:      * $check['POST']['param2'] = VALIDATE_FORMAT;
 61:      * </code>
 62:      *
 63:      * Possible formats are defined as constants in top of these class file.
 64:      *
 65:      * @var array
 66:      */
 67:     protected $_check = array();
 68: 
 69:     /**
 70:      * Array with forbidden parameters.
 71:      * If any of these is set the request will be invalid
 72:      *
 73:      * @var array
 74:      */
 75:     protected $_blacklist = array();
 76: 
 77:     /**
 78:      * Contains first invalid parameter name.
 79:      *
 80:      * @var string
 81:      */
 82:     protected $_failure = '';
 83: 
 84:     /**
 85:      * Current mode
 86:      *
 87:      * @var string
 88:      */
 89:     protected $_mode = '';
 90: 
 91:     /**
 92:      * Regexp for integers.
 93:      *
 94:      * @var string
 95:      */
 96:     const CHECK_INTEGER = '/^[0-9]*$/';
 97: 
 98:     /**
 99:      * Regexp for primitive strings.
100:      *
101:      * @var string
102:      */
103:     const CHECK_PRIMITIVESTRING = '/^[a-zA-Z0-9 -_]*$/';
104: 
105:     /**
106:      * Regexp for strings.
107:      *
108:      * @var string
109:      */
110:     const CHECK_STRING = '/^[\w0-9 -_]*$/';
111: 
112:     /**
113:      * Regexp for 32 character hash.
114:      *
115:      * @var string
116:      */
117:     const CHECK_HASH32 = '/^[a-zA-Z0-9]{32}$/';
118: 
119:     /**
120:      * Regexp for valid belang values.
121:      *
122:      * @var string
123:      */
124:     const CHECK_BELANG = '/^[a-z]{2}_[A-Z]{2}$/';
125: 
126:     /**
127:      * Regexp for valid area values.
128:      *
129:      * @var string
130:      */
131:     const CHECK_AREASTRING = '/^[a-zA-Z_]*$/';
132: 
133:     /**
134:      * Regexp for validating file upload paths.
135:      *
136:      * @var string
137:      */
138:     const CHECK_PATHSTRING = '!([*]*\/)|(dbfs:\/[*]*)|(dbfs:)|(^)$!';
139: 
140:     /**
141:      * The constructor sets up the singleton object and reads the config from
142:      *     'data/config/' . CON_ENVIRONMENT . '/config.http_check.php'
143:      * It also reads existing local config from
144:      *     'data/config/' . CON_ENVIRONMENT . '/config.http_check.local.php'
145:      *
146:      * @throws cFileNotFoundException if the configuration can not be loaded
147:      */
148:     private function __construct() {
149:         // globals from config.http_check.php file which is included below
150:         global $bLog, $sMode, $aCheck, $aBlacklist;
151: 
152:         // some paths...
153:         $installationPath = str_replace('\\', '/', realpath(dirname(__FILE__) . '/../..'));
154:         $configPath = $installationPath . '/data/config/' . CON_ENVIRONMENT;
155: 
156:         $this->_logPath = $installationPath . '/data/logs/security.txt';
157: 
158:         // check config and logging path
159:         if (cFileHandler::exists($configPath . '/config.http_check.php')) {
160:             $this->_configPath = $configPath;
161:         } else {
162:             throw new cFileNotFoundException('Could not load cRequestValidator configuration! (invalid path) ' . $configPath . '/config.http_check.php');
163:         }
164: 
165:         // include configuration
166:         require($this->_configPath . '/config.http_check.php');
167: 
168:         // if custom config exists, include it also here
169:         if (cFileHandler::exists($this->_configPath . '/config.http_check.local.php')) {
170:             require($this->_configPath . '/config.http_check.local.php');
171:         }
172: 
173:         $this->_log = $bLog;
174:         $this->_mode = $sMode;
175: 
176:         if ($this->_log === true) {
177:             if (empty($this->_logPath) || !is_writeable(dirname($this->_logPath))) {
178:                 $this->_log = false;
179:             }
180:         }
181: 
182:         $this->_check = $aCheck;
183:         foreach ($aBlacklist as $elem) {
184:             $this->_blacklist[] = strtolower($elem);
185:         }
186:     }
187: 
188:     /**
189:      * Returns the instance of this class.
190:      *
191:      * @return cRequestValidator
192:      */
193:     public static function getInstance() {
194:         if (self::$_instance === NULL) {
195:             self::$_instance = new self();
196:         }
197: 
198:         return self::$_instance;
199:     }
200: 
201:     /**
202:      * Checks every given parameter.
203:      * Parameters which aren't defined in config.http_check.php are considered
204:      * to be fine
205:      *
206:      * @return bool True if every parameter is fine
207:      */
208:     public function checkParams() {
209:         if ((!$this->checkGetParams()) || (!$this->checkPostParams())) {
210:             $this->logHackTrial();
211: 
212:             if ($this->_mode == 'stop') {
213:                 ob_end_clean();
214:                 die('Parameter check failed! (' . $this->_failure . '=' . $_GET[$this->_failure] . $_POST[$this->_failure] . ')');
215:             }
216:         }
217: 
218:         return true;
219:     }
220: 
221:     /**
222:      * Checks GET parameters only.
223:      *
224:      * @see cRequestValidator::checkParams()
225:      * @return bool True if every parameter is fine
226:      */
227:     public function checkGetParams() {
228:         return $this->checkArray($_GET, 'GET');
229:     }
230: 
231:     /**
232:      * Checks POST parameters only.
233:      *
234:      * @see cRequestValidator::checkParams()
235:      * @return bool True if every parameter is fine
236:      */
237:     public function checkPostParams() {
238:         return $this->checkArray($_POST, 'POST');
239:     }
240: 
241:     /**
242:      * Checks a single parameter.
243:      *
244:      * @see cRequestValidator::checkParams()
245:      *
246:      * @param string $type GET or POST
247:      * @param string $key the key of the parameter
248:      * @param mixed $value the value of the parameter
249:      * @return bool True if the parameter is fine
250:      */
251:     public function checkParameter($type, $key, $value) {
252:         $result = false;
253: 
254:         if (in_array(strtolower($key), $this->_blacklist)) {
255:             return false;
256:         }
257: 
258:         if (in_array(strtoupper($type), array(
259:             'GET',
260:             'POST'
261:         ))) {
262:             if (!isset($this->_check[$type][$key]) && (is_null($value) || empty($value))) {
263:                 // if unknown but empty the value is unaesthetic but ok
264:                 $result = true;
265:             } elseif (isset($this->_check[$type][$key])) {
266:                 // parameter is known, check it...
267:                 $result = preg_match($this->_check[$type][$key], $value);
268:             } else {
269:                 // unknown parameter. Will return tru
270:                 $result = true;
271:             }
272:         }
273: 
274:         return $result;
275:     }
276: 
277:     /**
278:      * Returns the first bad parameter
279:      *
280:      * @return string the key of the bad parameter
281:      */
282:     public function getBadParameter() {
283:         return $this->_failure;
284:     }
285: 
286:     /**
287:      * Writes a log entry containing information about the request which led to
288:      * the halt of the execution
289:      */
290:     protected function logHackTrial() {
291:         if ($this->_log === true && !empty($this->_logPath)) {
292:             $content = date('Y-m-d H:i:s') . '    ';
293:             $content .= $_SERVER['REMOTE_ADDR'] . str_repeat(' ', 17 - strlen($_SERVER['REMOTE_ADDR'])) . "\n";
294:             $content .= '    Query String: ' . $_SERVER['QUERY_STRING'] . "\n";
295:             $content .= '    Bad parameter: ' . $this->getBadParameter() . "\n";
296:             $content .= '    POST array: ' . print_r($_POST, true) . "\n";
297:             cFileHandler::write($this->_logPath, $content, true);
298:         } elseif ($this->_mode == 'continue') {
299:             echo "\n<br>VIOLATION: URL contains invalid or undefined paramaters! URL: '" . conHtmlentities($_SERVER['QUERY_STRING']) . "' <br>\n";
300:         }
301:     }
302: 
303:     /**
304:      * Checks an array for validity.
305:      *
306:      * @param array the array which has to be checked
307:      * @param string GET or POST
308:      *
309:      * @return bool true if everything is fine.
310:      */
311:     protected function checkArray($arr, $type) {
312:         $result = true;
313: 
314:         foreach ($arr as $key => $value) {
315:             if (!$this->checkParameter(strtoupper($type), $key, $value)) {
316:                 $this->_failure = $key;
317:                 $result = false;
318:                 break;
319:             }
320:         }
321: 
322:         return $result;
323:     }
324: 
325: }
326:
CMS CONTENIDO 4.9.4 API documentation generated by ApiGen 2.8.0