|
|
|
|
@ -13,13 +13,13 @@ use ChamiloSession as Session; |
|
|
|
|
* http://www.phpsec.org/ |
|
|
|
|
* The principles here are that all data is tainted (most scripts of Chamilo are |
|
|
|
|
* open to the public or at least to a certain public that could be malicious |
|
|
|
|
* under specific circumstances). We use the white list approach, where as we |
|
|
|
|
* under specific circumstances). We use the white list approach, whereas we |
|
|
|
|
* consider that data can only be used in the database or in a file if it has |
|
|
|
|
* been filtered. |
|
|
|
|
* |
|
|
|
|
* For session fixation, use ... |
|
|
|
|
* For session hijacking, use get_ua() and check_ua() |
|
|
|
|
* For Cross-Site Request Forgeries, use get_token() and check_tocken() |
|
|
|
|
* For Cross-Site Request Forgeries, use get_token() and check_token() |
|
|
|
|
* For basic filtering, use filter() |
|
|
|
|
* For files inclusions (using dynamic paths) use check_rel_path() and check_abs_path() |
|
|
|
|
* |
|
|
|
|
@ -44,19 +44,19 @@ class Security |
|
|
|
|
public const CHAR_DIGITS = '0123456789'; |
|
|
|
|
public const CHAR_SYMBOLS = '!"#$%&\'()*+,-./:;<=>?@[\]^_`{|}~'; |
|
|
|
|
|
|
|
|
|
public static $clean = []; |
|
|
|
|
public static Array $clean = []; |
|
|
|
|
|
|
|
|
|
/** |
|
|
|
|
* Checks if the absolute path (directory) given is really under the |
|
|
|
|
* checker path (directory). |
|
|
|
|
* |
|
|
|
|
* @param string Absolute path to be checked (with trailing slash) |
|
|
|
|
* @param string Checker path under which the path |
|
|
|
|
* @param string $abs_path Absolute path to be checked (with trailing slash) |
|
|
|
|
* @param string $checker_path Checker path under which the path |
|
|
|
|
* should be (absolute path, with trailing slash, get it from api_get_path(SYS_COURSE_PATH)) |
|
|
|
|
* |
|
|
|
|
* @return bool True if the path is under the checker, false otherwise |
|
|
|
|
*/ |
|
|
|
|
public static function check_abs_path($abs_path, $checker_path) |
|
|
|
|
public static function check_abs_path(string $abs_path, string $checker_path): bool |
|
|
|
|
{ |
|
|
|
|
// The checker path must be set. |
|
|
|
|
if (empty($checker_path)) { |
|
|
|
|
@ -93,13 +93,13 @@ class Security |
|
|
|
|
* Checks if the relative path (directory) given is really under the |
|
|
|
|
* checker path (directory). |
|
|
|
|
* |
|
|
|
|
* @param string Relative path to be checked (relative to the current directory) (with trailing slash) |
|
|
|
|
* @param string Checker path under which the path |
|
|
|
|
* @param string $rel_path Relative path to be checked (relative to the current directory) (with trailing slash) |
|
|
|
|
* @param string $checker_path Checker path under which the path |
|
|
|
|
* should be (absolute path, with trailing slash, get it from api_get_path(SYS_COURSE_PATH)) |
|
|
|
|
* |
|
|
|
|
* @return bool True if the path is under the checker, false otherwise |
|
|
|
|
*/ |
|
|
|
|
public static function check_rel_path($rel_path, $checker_path) |
|
|
|
|
public static function check_rel_path(string $rel_path, string $checker_path): bool |
|
|
|
|
{ |
|
|
|
|
// The checker path must be set. |
|
|
|
|
if (empty($checker_path)) { |
|
|
|
|
@ -128,7 +128,7 @@ class Security |
|
|
|
|
* |
|
|
|
|
* @return string |
|
|
|
|
*/ |
|
|
|
|
public static function filter_filename($filename) |
|
|
|
|
public static function filter_filename(string $filename): string |
|
|
|
|
{ |
|
|
|
|
return disable_dangerous_file($filename); |
|
|
|
|
} |
|
|
|
|
@ -136,7 +136,7 @@ class Security |
|
|
|
|
/** |
|
|
|
|
* @return string |
|
|
|
|
*/ |
|
|
|
|
public static function getTokenFromSession(string $prefix = '') |
|
|
|
|
public static function getTokenFromSession(string $prefix = ''): string |
|
|
|
|
{ |
|
|
|
|
$secTokenVariable = self::generateSecTokenVariable($prefix); |
|
|
|
|
|
|
|
|
|
@ -147,11 +147,13 @@ class Security |
|
|
|
|
* This function checks that the token generated in get_token() has been kept (prevents |
|
|
|
|
* Cross-Site Request Forgeries attacks). |
|
|
|
|
* |
|
|
|
|
* @param string The array in which to get the token ('get' or 'post') |
|
|
|
|
* @param string $requestType The array in which to get the token ('get' or 'post') |
|
|
|
|
* @param ?FormValidator $form |
|
|
|
|
* @param string $prefix |
|
|
|
|
* |
|
|
|
|
* @return bool True if it's the right token, false otherwise |
|
|
|
|
*/ |
|
|
|
|
public static function check_token($requestType = 'post', FormValidator $form = null, string $prefix = '') |
|
|
|
|
public static function check_token(string $requestType = 'post', FormValidator $form = null, string $prefix = ''): bool |
|
|
|
|
{ |
|
|
|
|
$secTokenVariable = self::generateSecTokenVariable($prefix); |
|
|
|
|
$sessionToken = Session::read($secTokenVariable); |
|
|
|
|
@ -186,8 +188,6 @@ class Security |
|
|
|
|
if (!empty($sessionToken) && isset($requestType) && $sessionToken === $requestType) { |
|
|
|
|
return true; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return false; // Just in case, don't let anything slip. |
|
|
|
|
@ -199,7 +199,7 @@ class Security |
|
|
|
|
* |
|
|
|
|
* @return bool True if the user agent is the same, false otherwise |
|
|
|
|
*/ |
|
|
|
|
public static function check_ua() |
|
|
|
|
public static function check_ua(): bool |
|
|
|
|
{ |
|
|
|
|
$security = Session::read('sec_ua'); |
|
|
|
|
$securitySeed = Session::read('sec_ua_seed'); |
|
|
|
|
@ -231,7 +231,7 @@ class Security |
|
|
|
|
* |
|
|
|
|
* @return string Hidden-type input ready to insert into a form |
|
|
|
|
*/ |
|
|
|
|
public static function get_HTML_token(string $prefix = '') |
|
|
|
|
public static function get_HTML_token(string $prefix = ''): string |
|
|
|
|
{ |
|
|
|
|
$secTokenVariable = self::generateSecTokenVariable($prefix); |
|
|
|
|
$token = md5(uniqid(rand(), true)); |
|
|
|
|
@ -251,7 +251,7 @@ class Security |
|
|
|
|
* |
|
|
|
|
* @return string Token |
|
|
|
|
*/ |
|
|
|
|
public static function get_token($prefix = '') |
|
|
|
|
public static function get_token($prefix = ''): string |
|
|
|
|
{ |
|
|
|
|
$secTokenVariable = self::generateSecTokenVariable($prefix); |
|
|
|
|
$token = md5(uniqid(rand(), true)); |
|
|
|
|
@ -263,7 +263,7 @@ class Security |
|
|
|
|
/** |
|
|
|
|
* @return string |
|
|
|
|
*/ |
|
|
|
|
public static function get_existing_token(string $prefix = '') |
|
|
|
|
public static function get_existing_token(string $prefix = ''): string |
|
|
|
|
{ |
|
|
|
|
$secTokenVariable = self::generateSecTokenVariable($prefix); |
|
|
|
|
$token = Session::read($secTokenVariable); |
|
|
|
|
@ -289,11 +289,11 @@ class Security |
|
|
|
|
* This function returns a variable from the clean array. If the variable doesn't exist, |
|
|
|
|
* it returns null. |
|
|
|
|
* |
|
|
|
|
* @param string Variable name |
|
|
|
|
* @param string $varname Variable name |
|
|
|
|
* |
|
|
|
|
* @return mixed Variable or NULL on error |
|
|
|
|
*/ |
|
|
|
|
public static function get($varname) |
|
|
|
|
public static function get(string $varname) |
|
|
|
|
{ |
|
|
|
|
if (isset(self::$clean[$varname])) { |
|
|
|
|
return self::$clean[$varname]; |
|
|
|
|
@ -307,13 +307,13 @@ class Security |
|
|
|
|
* Filtering for XSS is very easily done by using the htmlentities() function. |
|
|
|
|
* This kind of filtering prevents JavaScript snippets to be understood as such. |
|
|
|
|
* |
|
|
|
|
* @param string The variable to filter for XSS, this params can be a string or an array (example : array(x,y)) |
|
|
|
|
* @param int The user status,constant allowed (STUDENT, COURSEMANAGER, ANONYMOUS, COURSEMANAGERLOWSECURITY) |
|
|
|
|
* @param string|array $var The variable to filter for XSS, this params can be a string or an array (example : array(x,y)) |
|
|
|
|
* @param ?int $user_status The user status,constant allowed (STUDENT, COURSEMANAGER, ANONYMOUS, COURSEMANAGERLOWSECURITY) |
|
|
|
|
* @param bool $filter_terms |
|
|
|
|
* |
|
|
|
|
* @return mixed Filtered string or array |
|
|
|
|
*/ |
|
|
|
|
public static function remove_XSS($var, $user_status = null, $filter_terms = false) |
|
|
|
|
public static function remove_XSS($var, int $user_status = null, bool $filter_terms = false) |
|
|
|
|
{ |
|
|
|
|
if ($filter_terms) { |
|
|
|
|
$var = self::filter_terms($var); |
|
|
|
|
@ -456,11 +456,11 @@ class Security |
|
|
|
|
/** |
|
|
|
|
* Filter content. |
|
|
|
|
* |
|
|
|
|
* @param string $text to be filter |
|
|
|
|
* @param string $text to be filtered |
|
|
|
|
* |
|
|
|
|
* @return string |
|
|
|
|
*/ |
|
|
|
|
public static function filter_terms($text) |
|
|
|
|
public static function filter_terms(string $text): string |
|
|
|
|
{ |
|
|
|
|
static $bad_terms = []; |
|
|
|
|
|
|
|
|
|
@ -486,7 +486,7 @@ class Security |
|
|
|
|
$replace = '***'; |
|
|
|
|
if (!empty($bad_terms)) { |
|
|
|
|
// Fast way |
|
|
|
|
$new_text = str_ireplace($bad_terms, $replace, $text, $count); |
|
|
|
|
$new_text = str_ireplace($bad_terms, $replace, $text); |
|
|
|
|
$text = $new_text; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@ -506,7 +506,7 @@ class Security |
|
|
|
|
* |
|
|
|
|
* @author Ivan Tcholakov, March 2011 |
|
|
|
|
*/ |
|
|
|
|
public static function filter_img_path($image_path) |
|
|
|
|
public static function filter_img_path(string $image_path): string |
|
|
|
|
{ |
|
|
|
|
static $allowed_extensions = ['png', 'gif', 'jpg', 'jpeg', 'svg', 'webp']; |
|
|
|
|
$image_path = htmlspecialchars(trim($image_path)); // No html code is allowed. |
|
|
|
|
@ -550,7 +550,7 @@ class Security |
|
|
|
|
* |
|
|
|
|
* @return array |
|
|
|
|
*/ |
|
|
|
|
public static function getPasswordRequirements() |
|
|
|
|
public static function getPasswordRequirements(): array |
|
|
|
|
{ |
|
|
|
|
// Default |
|
|
|
|
$requirements = [ |
|
|
|
|
|
Yannick Warnier
2 years ago