  1: <?php
  2: /**
  3:  * This file contains the request validator class.
  4:  *
  5:  * @package    Core
  6:  * @subpackage Security
  7:  * @version    SVN Revision $Rev:$
  8:  *
  9:  * @author     Mischa Holz, Andreas Kummer
 10:  * @copyright  four for business AG <www.4fb.de>
 11:  * @license    http://www.contenido.org/license/LIZENZ.txt
 12:  * @link       http://www.4fb.de
 13:  * @link       http://www.contenido.org
 14:  */
 15: 
 16: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 17: 
 18: /**
 19:  * Class to check get and post variables
 20:  *
 21:  * @package    Core
 22:  * @subpackage Security
 23:  */
 24: class cRequestValidator {
 25: 
 26:     /**
 27:      * Instance of this class
 28:      *
 29:      * @var cRequestValidator
 30:      */
 31:     private static $_instance = NULL;
 32: 
 33:     /**
 34:      * Path and filename of logfile
 35:      *
 36:      * @var string
 37:      */
 38:     protected $_logPath;
 39: 
 40:     /**
 41:      * Flag whether to write log or not.
 42:      *
 43:      * @var boolean
 44:      */
 45:     protected $_log = true;
 46: 
 47:     /**
 48:      * Path to config file.
 49:      *
 50:      * @var string
 51:      */
 52:     protected $_configPath;
 53: 
 54:     /**
 55:      * Array with all possible parameters and parameter formats.
 56:      * Structure has to be:
 57:      *
 58:      * <code>
 59:      * $check['GET']['param1'] = VALIDATE_FORMAT;
 60:      * $check['POST']['param2'] = VALIDATE_FORMAT;
 61:      * </code>
 62:      *
 63:      * Possible formats are defined as constants in top of these class file.
 64:      *
 65:      * @var array
 66:      */
 67:     protected $_check = array();
 68: 
 69:     /**
 70:      * Array with forbidden parameters.
 71:      * If any of these is set the request will be invalid
 72:      *
 73:      * @var array
 74:      */
 75:     protected $_blacklist = array();
 76: 
 77:     /**
 78:      * Contains first invalid parameter name.
 79:      *
 80:      * @var string
 81:      */
 82:     protected $_failure = '';
 83: 
 84:     /**
 85:      * Current mode
 86:      *
 87:      * @var string
 88:      */
 89:     protected $_mode = '';
 90: 
 91:     /**
 92:      * Regexp for integers.
 93:      *
 94:      * @var string
 95:      */
 96:     const CHECK_INTEGER = '/^[0-9]*$/';
 97: 
 98:     /**
 99:      * Regexp for primitive strings.
100:      *
101:      * @var string
102:      */
103:     const CHECK_PRIMITIVESTRING = '/^[a-zA-Z0-9 -_]*$/';
104: 
105:     /**
106:      * Regexp for strings.
107:      *
108:      * @var string
109:      */
110:     const CHECK_STRING = '/^[\w0-9 -_]*$/';
111: 
112:     /**
113:      * Regexp for 32 character hash.
114:      *
115:      * @var string
116:      */
117:     const CHECK_HASH32 = '/^[a-zA-Z0-9]{32}$/';
118: 
119:     /**
120:      * Regexp for valid belang values.
121:      *
122:      * @var string
123:      */
124:     const CHECK_BELANG = '/^[a-z]{2}_[A-Z]{2}$/';
125: 
126:     /**
127:      * Regexp for valid area values.
128:      *
129:      * @var string
130:      */
131:     const CHECK_AREASTRING = '/^[a-zA-Z_]*$/';
132: 
133:     /**
134:      * Regexp for validating file upload paths.
135:      *
136:      * @var string
137:      */
138:     const CHECK_PATHSTRING = '!([*]*\/)|(dbfs:\/[*]*)|(dbfs:)|(^)$!';
139: 
140:     /**
141:      * The constructor sets up the singleton object and reads the config from
142:      *     'data/config/' . CON_ENVIRONMENT . '/config.http_check.php'
143:      * It also reads existing local config from
144:      *     'data/config/' . CON_ENVIRONMENT . '/config.http_check.local.php'
145:      *
146:      * @throws cFileNotFoundException if the configuration can not be loaded
147:      */
148:     private function __construct() {
149:         // globals from config.http_check.php file which is included below
150:         global $bLog, $sMode, $aCheck, $aBlacklist;
151: 
152:         // some paths...
153:         $installationPath = str_replace('\\', '/', realpath(dirname(__FILE__) . '/../..'));
154:         $configPath = $installationPath . '/data/config/' . CON_ENVIRONMENT;
155: 
156:         $this->_logPath = $installationPath . '/data/logs/security.txt';
157: 
158:         // check config and logging path
159:         if (cFileHandler::exists($configPath . '/config.http_check.php')) {
160:             $this->_configPath = $configPath;
161:         } else {
162:             throw new cFileNotFoundException('Could not load cRequestValidator configuration! (invalid path) ' . $configPath . '/config.http_check.php');
163:         }
164: 
165:         // include configuration
166:         require($this->_configPath . '/config.http_check.php');
167: 
168:         // if custom config exists, include it also here
169:         if (cFileHandler::exists($this->_configPath . '/config.http_check.local.php')) {
170:             require($this->_configPath . '/config.http_check.local.php');
171:         }
172: 
173:         $this->_log = $bLog;
174:         $this->_mode = $sMode;
175: 
176:         if ($this->_log === true) {
177:             if (empty($this->_logPath) || !is_writeable(dirname($this->_logPath))) {
178:                 $this->_log = false;
179:             }
180:         }
181: 
182:         $this->_check = $aCheck;
183:         foreach ($aBlacklist as $elem) {
184:             $this->_blacklist[] = strtolower($elem);
185:         }
186:     }
187: 
188:     /**
189:      * Returns the instance of this class.
190:      *
191:      * @return cRequestValidator
192:      */
193:     public static function getInstance() {
194:         if (self::$_instance === NULL) {
195:             self::$_instance = new self();
196:         }
197: 
198:         return self::$_instance;
199:     }
200: 
201:     /**
202:      * Checks every given parameter.
203:      * Parameters which aren't defined in config.http_check.php are considered
204:      * to be fine
205:      *
206:      * @return bool True if every parameter is fine
207:      */
208:     public function checkParams() {
209:         if ((!$this->checkGetParams()) || (!$this->checkPostParams())) {
210:             $this->logHackTrial();
211: 
212:             if ($this->_mode == 'stop') {
213:                 ob_end_clean();
214:                 $msg = 'Parameter check failed! (%s = %s %s)';
215:                 // prevent XSS!
216:                 $msg = sprintf($msg, htmlentities($this->_failure), htmlentities($_GET[$this->_failure]), htmlentities($_POST[$this->_failure]));
217:                 die($msg);
218:             }
219:         }
220: 
221:         return true;
222:     }
223: 
224:     /**
225:      * Checks GET parameters only.
226:      *
227:      * @see cRequestValidator::checkParams()
228:      * @return bool True if every parameter is fine
229:      */
230:     public function checkGetParams() {
231:         return $this->checkArray($_GET, 'GET');
232:     }
233: 
234:     /**
235:      * Checks POST parameters only.
236:      *
237:      * @see cRequestValidator::checkParams()
238:      * @return bool True if every parameter is fine
239:      */
240:     public function checkPostParams() {
241:         return $this->checkArray($_POST, 'POST');
242:     }
243: 
244:     /**
245:      * Checks a single parameter.
246:      *
247:      * @see cRequestValidator::checkParams()
248:      *
249:      * @param string $type GET or POST
250:      * @param string $key the key of the parameter
251:      * @param mixed $value the value of the parameter
252:      * @return bool True if the parameter is fine
253:      */
254:     public function checkParameter($type, $key, $value) {
255:         $result = false;
256: 
257:         if (in_array(strtolower($key), $this->_blacklist)) {
258:             return false;
259:         }
260: 
261:         if (in_array(strtoupper($type), array(
262:             'GET',
263:             'POST'
264:         ))) {
265:             if (!isset($this->_check[$type][$key]) && (is_null($value) || empty($value))) {
266:                 // if unknown but empty the value is unaesthetic but ok
267:                 $result = true;
268:             } elseif (isset($this->_check[$type][$key])) {
269:                 // parameter is known, check it...
270:                 $result = preg_match($this->_check[$type][$key], $value);
271:             } else {
272:                 // unknown parameter. Will return true
273:                 $result = true;
274:             }
275:         }
276: 
277:         return $result;
278:     }
279: 
280:     /**
281:      * Returns the first bad parameter
282:      *
283:      * @return string the key of the bad parameter
284:      */
285:     public function getBadParameter() {
286:         return $this->_failure;
287:     }
288: 
289:     /**
290:      * Writes a log entry containing information about the request which led to
291:      * the halt of the execution
292:      */
293:     protected function logHackTrial() {
294:         if ($this->_log === true && !empty($this->_logPath)) {
295:             $content = date('Y-m-d H:i:s') . '    ';
296:             $content .= $_SERVER['REMOTE_ADDR'] . str_repeat(' ', 17 - strlen($_SERVER['REMOTE_ADDR'])) . "\n";
297:             $content .= '    Query String: ' . $_SERVER['QUERY_STRING'] . "\n";
298:             $content .= '    Bad parameter: ' . $this->getBadParameter() . "\n";
299:             $content .= '    POST array: ' . print_r($_POST, true) . "\n";
300:             cFileHandler::write($this->_logPath, $content, true);
301:         } elseif ($this->_mode == 'continue') {
302:             echo "\n<br>VIOLATION: URL contains invalid or undefined paramaters! URL: '" . conHtmlentities($_SERVER['QUERY_STRING']) . "' <br>\n";
303:         }
304:     }
305: 
306:     /**
307:      * Checks an array for validity.
308:      *
309:      * @param array the array which has to be checked
310:      * @param string GET or POST
311:      *
312:      * @return bool true if everything is fine.
313:      */
314:     protected function checkArray($arr, $type) {
315:         $result = true;
316: 
317:         foreach ($arr as $key => $value) {
318:             if (!$this->checkParameter(strtoupper($type), $key, $value)) {
319:                 $this->_failure = $key;
320:                 $result = false;
321:                 break;
322:             }
323:         }
324: 
325:         return $result;
326:     }
327: 
328: }
329: 