PageRenderTime 24ms CodeModel.GetById 0ms RepoModel.GetById 0ms app.codeStats 0ms

/lib/Cake/Controller/Component/SecurityComponent.php

https://bitbucket.org/udeshika/fake_twitter
PHP | 575 lines | 267 code | 55 blank | 253 comment | 77 complexity | 655eb9e062645509d534ecb0c14f1e32 MD5 | raw file
  1. <?php
  2. /**
  3. * Security Component
  4. *
  5. * PHP 5
  6. *
  7. * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
  8. * Copyright 2005-2011, Cake Software Foundation, Inc. (http://cakefoundation.org)
  9. *
  10. * Licensed under The MIT License
  11. * Redistributions of files must retain the above copyright notice.
  12. *
  13. * @copyright Copyright 2005-2011, Cake Software Foundation, Inc. (http://cakefoundation.org)
  14. * @link http://cakephp.org CakePHP(tm) Project
  15. * @package Cake.Controller.Component
  16. * @since CakePHP(tm) v 0.10.8.2156
  17. * @license MIT License (http://www.opensource.org/licenses/mit-license.php)
  18. */
  19. App::uses('Component', 'Controller');
  20. App::uses('String', 'Utility');
  21. App::uses('Security', 'Utility');
  22. /**
  23. * The Security Component creates an easy way to integrate tighter security in
  24. * your application. It provides methods for various tasks like:
  25. *
  26. * - Restricting which HTTP methods your application accepts.
  27. * - CSRF protection.
  28. * - Form tampering protection
  29. * - Requiring that SSL be used.
  30. * - Limiting cross controller communication.
  31. *
  32. * @package Cake.Controller.Component
  33. * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html
  34. */
  35. class SecurityComponent extends Component {
  36. /**
  37. * The controller method that will be called if this request is black-hole'd
  38. *
  39. * @var string
  40. */
  41. public $blackHoleCallback = null;
  42. /**
  43. * List of controller actions for which a POST request is required
  44. *
  45. * @var array
  46. * @see SecurityComponent::requirePost()
  47. */
  48. public $requirePost = array();
  49. /**
  50. * List of controller actions for which a GET request is required
  51. *
  52. * @var array
  53. * @see SecurityComponent::requireGet()
  54. */
  55. public $requireGet = array();
  56. /**
  57. * List of controller actions for which a PUT request is required
  58. *
  59. * @var array
  60. * @see SecurityComponent::requirePut()
  61. */
  62. public $requirePut = array();
  63. /**
  64. * List of controller actions for which a DELETE request is required
  65. *
  66. * @var array
  67. * @see SecurityComponent::requireDelete()
  68. */
  69. public $requireDelete = array();
  70. /**
  71. * List of actions that require an SSL-secured connection
  72. *
  73. * @var array
  74. * @see SecurityComponent::requireSecure()
  75. */
  76. public $requireSecure = array();
  77. /**
  78. * List of actions that require a valid authentication key
  79. *
  80. * @var array
  81. * @see SecurityComponent::requireAuth()
  82. */
  83. public $requireAuth = array();
  84. /**
  85. * Controllers from which actions of the current controller are allowed to receive
  86. * requests.
  87. *
  88. * @var array
  89. * @see SecurityComponent::requireAuth()
  90. */
  91. public $allowedControllers = array();
  92. /**
  93. * Actions from which actions of the current controller are allowed to receive
  94. * requests.
  95. *
  96. * @var array
  97. * @see SecurityComponent::requireAuth()
  98. */
  99. public $allowedActions = array();
  100. /**
  101. * Deprecated property, superseded by unlockedFields.
  102. *
  103. * @var array
  104. * @deprecated
  105. * @see SecurityComponent::$unlockedFields
  106. */
  107. public $disabledFields = array();
  108. /**
  109. * Form fields to exclude from POST validation. Fields can be unlocked
  110. * either in the Component, or with FormHelper::unlockField().
  111. * Fields that have been unlocked are not required to be part of the POST
  112. * and hidden unlocked fields do not have their values checked.
  113. *
  114. * @var array
  115. */
  116. public $unlockedFields = array();
  117. /**
  118. * Whether to validate POST data. Set to false to disable for data coming from 3rd party
  119. * services, etc.
  120. *
  121. * @var boolean
  122. */
  123. public $validatePost = true;
  124. /**
  125. * Whether to use CSRF protected forms. Set to false to disable CSRF protection on forms.
  126. *
  127. * @var boolean
  128. * @see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
  129. * @see SecurityComponent::$csrfExpires
  130. */
  131. public $csrfCheck = true;
  132. /**
  133. * The duration from when a CSRF token is created that it will expire on.
  134. * Each form/page request will generate a new token that can only be submitted once unless
  135. * it expires. Can be any value compatible with strtotime()
  136. *
  137. * @var string
  138. */
  139. public $csrfExpires = '+30 minutes';
  140. /**
  141. * Controls whether or not CSRF tokens are use and burn. Set to false to not generate
  142. * new tokens on each request. One token will be reused until it expires. This reduces
  143. * the chances of users getting invalid requests because of token consumption.
  144. * It has the side effect of making CSRF less secure, as tokens are reusable.
  145. *
  146. * @var boolean
  147. */
  148. public $csrfUseOnce = true;
  149. /**
  150. * Other components used by the Security component
  151. *
  152. * @var array
  153. */
  154. public $components = array('Session');
  155. /**
  156. * Holds the current action of the controller
  157. *
  158. * @var string
  159. */
  160. protected $_action = null;
  161. /**
  162. * Request object
  163. *
  164. * @var CakeRequest
  165. */
  166. public $request;
  167. /**
  168. * Component startup. All security checking happens here.
  169. *
  170. * @param Controller $controller Instantiating controller
  171. * @return void
  172. */
  173. public function startup($controller) {
  174. $this->request = $controller->request;
  175. $this->_action = $this->request->params['action'];
  176. $this->_methodsRequired($controller);
  177. $this->_secureRequired($controller);
  178. $this->_authRequired($controller);
  179. $isPost = ($this->request->is('post') || $this->request->is('put'));
  180. $isNotRequestAction = (
  181. !isset($controller->request->params['requested']) ||
  182. $controller->request->params['requested'] != 1
  183. );
  184. if ($isPost && $isNotRequestAction && $this->validatePost) {
  185. if ($this->_validatePost($controller) === false) {
  186. return $this->blackHole($controller, 'auth');
  187. }
  188. }
  189. if ($isPost && $isNotRequestAction && $this->csrfCheck) {
  190. if ($this->_validateCsrf($controller) === false) {
  191. return $this->blackHole($controller, 'csrf');
  192. }
  193. }
  194. $this->_generateToken($controller);
  195. if ($isPost) {
  196. unset($controller->request->data['_Token']);
  197. }
  198. }
  199. /**
  200. * Sets the actions that require a POST request, or empty for all actions
  201. *
  202. * @return void
  203. * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::requirePost
  204. */
  205. public function requirePost() {
  206. $args = func_get_args();
  207. $this->_requireMethod('Post', $args);
  208. }
  209. /**
  210. * Sets the actions that require a GET request, or empty for all actions
  211. *
  212. * @return void
  213. */
  214. public function requireGet() {
  215. $args = func_get_args();
  216. $this->_requireMethod('Get', $args);
  217. }
  218. /**
  219. * Sets the actions that require a PUT request, or empty for all actions
  220. *
  221. * @return void
  222. */
  223. public function requirePut() {
  224. $args = func_get_args();
  225. $this->_requireMethod('Put', $args);
  226. }
  227. /**
  228. * Sets the actions that require a DELETE request, or empty for all actions
  229. *
  230. * @return void
  231. */
  232. public function requireDelete() {
  233. $args = func_get_args();
  234. $this->_requireMethod('Delete', $args);
  235. }
  236. /**
  237. * Sets the actions that require a request that is SSL-secured, or empty for all actions
  238. *
  239. * @return void
  240. * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::requireSecure
  241. */
  242. public function requireSecure() {
  243. $args = func_get_args();
  244. $this->_requireMethod('Secure', $args);
  245. }
  246. /**
  247. * Sets the actions that require an authenticated request, or empty for all actions
  248. *
  249. * @return void
  250. * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::requireAuth
  251. */
  252. public function requireAuth() {
  253. $args = func_get_args();
  254. $this->_requireMethod('Auth', $args);
  255. }
  256. /**
  257. * Black-hole an invalid request with a 400 error or custom callback. If SecurityComponent::$blackHoleCallback
  258. * is specified, it will use this callback by executing the method indicated in $error
  259. *
  260. * @param Controller $controller Instantiating controller
  261. * @param string $error Error method
  262. * @return mixed If specified, controller blackHoleCallback's response, or no return otherwise
  263. * @see SecurityComponent::$blackHoleCallback
  264. * @link http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#handling-blackhole-callbacks
  265. * @throws BadRequestException
  266. */
  267. public function blackHole($controller, $error = '') {
  268. if ($this->blackHoleCallback == null) {
  269. throw new BadRequestException(__d('cake_dev', 'The request has been black-holed'));
  270. } else {
  271. return $this->_callback($controller, $this->blackHoleCallback, array($error));
  272. }
  273. }
  274. /**
  275. * Sets the actions that require a $method HTTP request, or empty for all actions
  276. *
  277. * @param string $method The HTTP method to assign controller actions to
  278. * @param array $actions Controller actions to set the required HTTP method to.
  279. * @return void
  280. */
  281. protected function _requireMethod($method, $actions = array()) {
  282. if (isset($actions[0]) && is_array($actions[0])) {
  283. $actions = $actions[0];
  284. }
  285. $this->{'require' . $method} = (empty($actions)) ? array('*'): $actions;
  286. }
  287. /**
  288. * Check if HTTP methods are required
  289. *
  290. * @param Controller $controller Instantiating controller
  291. * @return boolean true if $method is required
  292. */
  293. protected function _methodsRequired($controller) {
  294. foreach (array('Post', 'Get', 'Put', 'Delete') as $method) {
  295. $property = 'require' . $method;
  296. if (is_array($this->$property) && !empty($this->$property)) {
  297. $require = $this->$property;
  298. if (in_array($this->_action, $require) || $this->$property == array('*')) {
  299. if (!$this->request->is($method)) {
  300. if (!$this->blackHole($controller, $method)) {
  301. return null;
  302. }
  303. }
  304. }
  305. }
  306. }
  307. return true;
  308. }
  309. /**
  310. * Check if access requires secure connection
  311. *
  312. * @param Controller $controller Instantiating controller
  313. * @return boolean true if secure connection required
  314. */
  315. protected function _secureRequired($controller) {
  316. if (is_array($this->requireSecure) && !empty($this->requireSecure)) {
  317. $requireSecure = $this->requireSecure;
  318. if (in_array($this->_action, $requireSecure) || $this->requireSecure == array('*')) {
  319. if (!$this->request->is('ssl')) {
  320. if (!$this->blackHole($controller, 'secure')) {
  321. return null;
  322. }
  323. }
  324. }
  325. }
  326. return true;
  327. }
  328. /**
  329. * Check if authentication is required
  330. *
  331. * @param Controller $controller Instantiating controller
  332. * @return boolean true if authentication required
  333. */
  334. protected function _authRequired($controller) {
  335. if (is_array($this->requireAuth) && !empty($this->requireAuth) && !empty($this->request->data)) {
  336. $requireAuth = $this->requireAuth;
  337. if (in_array($this->request->params['action'], $requireAuth) || $this->requireAuth == array('*')) {
  338. if (!isset($controller->request->data['_Token'] )) {
  339. if (!$this->blackHole($controller, 'auth')) {
  340. return null;
  341. }
  342. }
  343. if ($this->Session->check('_Token')) {
  344. $tData = $this->Session->read('_Token');
  345. if (!empty($tData['allowedControllers']) && !in_array($this->request->params['controller'], $tData['allowedControllers']) || !empty($tData['allowedActions']) && !in_array($this->request->params['action'], $tData['allowedActions'])) {
  346. if (!$this->blackHole($controller, 'auth')) {
  347. return null;
  348. }
  349. }
  350. } else {
  351. if (!$this->blackHole($controller, 'auth')) {
  352. return null;
  353. }
  354. }
  355. }
  356. }
  357. return true;
  358. }
  359. /**
  360. * Validate submitted form
  361. *
  362. * @param Controller $controller Instantiating controller
  363. * @return boolean true if submitted form is valid
  364. */
  365. protected function _validatePost($controller) {
  366. if (empty($controller->request->data)) {
  367. return true;
  368. }
  369. $data = $controller->request->data;
  370. if (!isset($data['_Token']) || !isset($data['_Token']['fields']) || !isset($data['_Token']['unlocked'])) {
  371. return false;
  372. }
  373. $locked = '';
  374. $check = $controller->request->data;
  375. $token = urldecode($check['_Token']['fields']);
  376. $unlocked = urldecode($check['_Token']['unlocked']);
  377. if (strpos($token, ':')) {
  378. list($token, $locked) = explode(':', $token, 2);
  379. }
  380. unset($check['_Token']);
  381. $locked = explode('|', $locked);
  382. $unlocked = explode('|', $unlocked);
  383. $lockedFields = array();
  384. $fields = Set::flatten($check);
  385. $fieldList = array_keys($fields);
  386. $multi = array();
  387. foreach ($fieldList as $i => $key) {
  388. if (preg_match('/\.\d+$/', $key)) {
  389. $multi[$i] = preg_replace('/\.\d+$/', '', $key);
  390. unset($fieldList[$i]);
  391. }
  392. }
  393. if (!empty($multi)) {
  394. $fieldList += array_unique($multi);
  395. }
  396. $unlockedFields = array_unique(
  397. array_merge((array)$this->disabledFields, (array)$this->unlockedFields, $unlocked)
  398. );
  399. foreach ($fieldList as $i => $key) {
  400. $isDisabled = false;
  401. $isLocked = (is_array($locked) && in_array($key, $locked));
  402. if (!empty($unlockedFields)) {
  403. foreach ($unlockedFields as $off) {
  404. $off = explode('.', $off);
  405. $field = array_values(array_intersect(explode('.', $key), $off));
  406. $isUnlocked = ($field === $off);
  407. if ($isUnlocked) {
  408. break;
  409. }
  410. }
  411. }
  412. if ($isUnlocked || $isLocked) {
  413. unset($fieldList[$i]);
  414. if ($isLocked) {
  415. $lockedFields[$key] = $fields[$key];
  416. }
  417. }
  418. }
  419. sort($unlocked, SORT_STRING);
  420. sort($fieldList, SORT_STRING);
  421. ksort($lockedFields, SORT_STRING);
  422. $fieldList += $lockedFields;
  423. $unlocked = implode('|', $unlocked);
  424. $check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'));
  425. return ($token === $check);
  426. }
  427. /**
  428. * Add authentication key for new form posts
  429. *
  430. * @param Controller $controller Instantiating controller
  431. * @return boolean Success
  432. */
  433. protected function _generateToken($controller) {
  434. if (isset($controller->request->params['requested']) && $controller->request->params['requested'] === 1) {
  435. if ($this->Session->check('_Token')) {
  436. $tokenData = $this->Session->read('_Token');
  437. $controller->request->params['_Token'] = $tokenData;
  438. }
  439. return false;
  440. }
  441. $authKey = Security::generateAuthKey();
  442. $token = array(
  443. 'key' => $authKey,
  444. 'allowedControllers' => $this->allowedControllers,
  445. 'allowedActions' => $this->allowedActions,
  446. 'unlockedFields' => array_merge($this->disabledFields, $this->unlockedFields),
  447. 'csrfTokens' => array()
  448. );
  449. $tokenData = array();
  450. if ($this->Session->check('_Token')) {
  451. $tokenData = $this->Session->read('_Token');
  452. if (!empty($tokenData['csrfTokens']) && is_array($tokenData['csrfTokens'])) {
  453. $token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
  454. }
  455. }
  456. if ($this->csrfCheck && ($this->csrfUseOnce || empty($token['csrfTokens'])) ) {
  457. $token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
  458. }
  459. if ($this->csrfCheck && $this->csrfUseOnce == false) {
  460. $csrfTokens = array_keys($token['csrfTokens']);
  461. $token['key'] = $csrfTokens[0];
  462. }
  463. $this->Session->write('_Token', $token);
  464. $controller->request->params['_Token'] = array(
  465. 'key' => $token['key'],
  466. 'unlockedFields' => $token['unlockedFields']
  467. );
  468. return true;
  469. }
  470. /**
  471. * Validate that the controller has a CSRF token in the POST data
  472. * and that the token is legit/not expired. If the token is valid
  473. * it will be removed from the list of valid tokens.
  474. *
  475. * @param Controller $controller A controller to check
  476. * @return boolean Valid csrf token.
  477. */
  478. protected function _validateCsrf($controller) {
  479. $token = $this->Session->read('_Token');
  480. $requestToken = $controller->request->data('_Token.key');
  481. if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) {
  482. if ($this->csrfUseOnce) {
  483. $this->Session->delete('_Token.csrfTokens.' . $requestToken);
  484. }
  485. return true;
  486. }
  487. return false;
  488. }
  489. /**
  490. * Expire CSRF nonces and remove them from the valid tokens.
  491. * Uses a simple timeout to expire the tokens.
  492. *
  493. * @param array $tokens An array of nonce => expires.
  494. * @return array An array of nonce => expires.
  495. */
  496. protected function _expireTokens($tokens) {
  497. $now = time();
  498. foreach ($tokens as $nonce => $expires) {
  499. if ($expires < $now) {
  500. unset($tokens[$nonce]);
  501. }
  502. }
  503. return $tokens;
  504. }
  505. /**
  506. * Calls a controller callback method
  507. *
  508. * @param Controller $controller Controller to run callback on
  509. * @param string $method Method to execute
  510. * @param array $params Parameters to send to method
  511. * @return mixed Controller callback method's response
  512. */
  513. protected function _callback($controller, $method, $params = array()) {
  514. if (is_callable(array($controller, $method))) {
  515. return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params);
  516. } else {
  517. return null;
  518. }
  519. }
  520. }