PageRenderTime 46ms CodeModel.GetById 14ms RepoModel.GetById 0ms app.codeStats 0ms

/lib/user/blacklistlib.php

https://gitlab.com/ElvisAns/tiki
PHP | 360 lines | 283 code | 22 blank | 55 comment | 8 complexity | a600c9b3bcdc51ed80c1ef1d91921589 MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. // (c) Copyright by authors of the Tiki Wiki CMS Groupware Project
    4. 

  4. //
    5. 

  5. // All Rights Reserved. See copyright.txt for details and a complete list of authors.
    6. 

  6. // Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details.
    7. 

  7. // $Id$
    8. 

  8. 

  9. 

  10. /**
    11. 

  11.  *
    12. 

  12.  * A Group of functions related to Password Blacklist & Password Index Handling
    13. 

  13.  *
    14. 

  14.  * Class blacklist
    15. 

  15.  */
    16. 

  16. 

  17. class blacklistLib extends TikiLib
    18. 

  18. {
    19. 

  19.     /**
    20. 

  20.      * @var int the number of passwords to generate (limit) or actual number, after the fact.
    21. 

  21.      */
    22. 

  22.     public $limit;
    23. 

  23.     /**
    24. 

  24.      * @var int the actual number of passwords generated.
    25. 

  25.      */
    26. 

  26.     public $actual;
    27. 

  27. 

  28. 

  29.     /**
    30. 

  30.      * Set default values
    31. 

  31.      *
    32. 

  32.      * blacklist constructor.
    33. 

  33.      */
    34. 

  34.     public function __construct()
    35. 

  35.     {
    36. 

  36.         $this->limit = 1000; // the number of passwords to generate (limit)
    37. 

  37.     }
    38. 

  38. 

  39.     /**
    40. 

  40.      * removes the password index databse, if it exists.
    41. 

  41.      */
    42. 

  42.     public function deletePassIndex()
    43. 

  43.     {
    44. 

  44.         $query = 'DROP TABLE IF EXISTS tiki_password_index;';
    45. 

  45. 

  46.         $this->query($query, []);
    47. 

  47.     }
    48. 

  48. 

  49.     /**
    50. 

  50.      * Creates the word index database table.
    51. 

  51.      */
    52. 

  52.     public function createPassIndex()
    53. 

  53.     {
    54. 

  54.         $query = 'CREATE TABLE `tiki_password_index` (
    55. 

  55. `id` INT UNSIGNED NOT NULL AUTO_INCREMENT ,
    56. 

  56. `password` VARCHAR(30) NOT NULL , UNIQUE (`password`) ,
    57. 

  57. `length` TINYINT(30) NULL DEFAULT NULL ,
    58. 

  58. `numchar` BOOLEAN NULL DEFAULT NULL ,
    59. 

  59. `special` BOOLEAN NULL , PRIMARY KEY (`id`), UNIQUE (`password`)) ENGINE = InnoDB;';
    60. 

    61. 

  61.         $this->query($query, []);
    62. 

  62.     }
    63. 

  63. 

  64.     /**
    65. 

  65.      *
    66. 

  66.      * Given a filename, it will load the pass index database with its contents.
    67. 

  67.      * Files should be word lists separated by new lines.
    68. 

  68.      *
    69. 

  69.      * @param $filename string
    70. 

  70.      * @param $load bool        Specifies if LOAD DATA INFILE is used. One needs to
    71. 

  71.      *                          be running mysql locally and have permission to use it
    72. 

  72.      *                          however it can handle much larger sets of data.
    73. 

  73.      */
    74. 

  74.     public function loadPassIndex($filename, $load = false)
    75. 

  75.     {
    76. 

  76. 

  77.         if ($load) {
    78. 

  78.             $query = "LOAD DATA INFILE '" . $filename . "' IGNORE INTO TABLE `tiki_password_index` LINES TERMINATED BY '\n' (`password`);";
    79. 

  79.             $this->query($query, []);
    80. 

  80.         } else {
    81. 

  81.             $passwords = file($filename, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    82. 

  82.             $passwords = array_map('strtolower', $passwords);
    83. 

  83.             $passwords = array_map('trim', $passwords);
    84. 

  84.             $passwords = array_unique($passwords);
    85. 

  85.             $passwords = array_map('addslashes', $passwords);
    86. 

  86.             $passwords = "('" . implode("'),('", $passwords) . "')";
    87. 

  87.             $query = "INSERT INTO tiki_password_index (password) VALUES $passwords";
    88. 

  88.             $this->query($query);
    89. 

  89.         }
    90. 

  90. 

  91.         unlink($filename); // delete used temp file.
    92. 

  92. 

  93.         $query = 'UPDATE tiki_password_index SET password = LOWER(password), length = CHAR_LENGTH(password), numchar = IF(password REGEXP \'[a-z]\' && password REGEXP \'[0-9]\',1,0), special = password REGEXP \'[!@#$%^&*()=+?><\\,.`;:{}~\\\'/"]\'';
    94. 

  94. // the above indexes the password list with length, if the pasword contains both a letter and number, and if it contains special charactes (except for [], casue i couldnt figure it out!
    95. 

  95. 

  96.         $this->query($query, []);
    97. 

  97.     }
    98. 

  98. 

  99.     /**
    100. 

  100.      * Find the number of indexed passwords currently stored
    101. 

  101.      *@$result TikiDb_Pdo_Result
    102. 

  102.      *
    103. 

  103.      * @return int
    104. 

  104.      */
    105. 

  105.     public function passIndexNum()
    106. 

  106.     {
    107. 

  107. 

  108. // first check if table exists, and return 0 if it does not.
    109. 

  109.         $query = 'SELECT 1 FROM information_schema.COLUMNS
    110. 

  110. WHERE table_name = \'tiki_password_index\'
    111. 

  111. LIMIT 1;';
    112. 

  112.         $result = $this->query($query, []);
    113. 

  113.         $tableExists = $result->fetchRow();
    114. 

  114.         if ($tableExists[1] != 1) {
    115. 

  115.             return 0;
    116. 

  116.         }
    117. 

  117. 

  118. // if table does exits, find number of results and return.
    119. 

  119.         $query = 'SELECT MAX(id) FROM tiki_password_index';
    120. 

  120.         $result = $this->query($query, []);
    121. 

  121.         $num_rows = $result->fetchRow();
    122. 

  122. 

  123.         return $num_rows['MAX(id)'];
    124. 

  124.     }
    125. 

  125. 

  126.     /**
    127. 

  127.      *
    128. 

  128.      * Generates a formatted list of passwords, with new lines separating each password
    129. 

  129.      *
    130. 

  130.      * @param $toDisk bool if the file is written to disk or to screen.
    131. 

  131.      *
    132. 

  132.      * @return bool true on success and false on failure.
    133. 

  133.      */
    134. 

  134.     public function generatePassList($toDisk)
    135. 

  135.     {
    136. 

  136.         global $prefs;
    137. 

  137. 

  138.         $query = 'SELECT password FROM tiki_password_index WHERE length >= ?';
    139. 

  139.         if ($prefs['pass_chr_special']) {
    140. 

  140.             $query .= ' && special';
    141. 

  141.         }
    142. 

  142.         if ($prefs['pass_chr_num']) {
    143. 

  143.             $query .= ' && numchar';
    144. 

  144.         }
    145. 

  145.         $query .= ' ORDER BY id ASC LIMIT ' . $this->limit;
    146. 

  146. 

  147.         $result = $this->query($query, [$prefs['min_pass_length']]);
    148. 

  148.         $this->actual = $result->NumRows();
    149. 

  149.         if ($this->actual == 0) {
    150. 

  150.             Feedback::error(tr('There is no passwords that fit your criteria. You will need a more extensive word list to generate a password list.'));
    151. 

  151.         } elseif ($this->actual < $this->limit) {
    152. 

  152.             Feedback::warning("There wasn't enough words to meet your password limit. There was $this->actual passwords blacklisted.");
    153. 

  153.         }
    154. 

  154. 

  155.         if ($toDisk) {
    156. 

  156.             $filename = $this->generateBlacklistName();
    157. 

  157.             if (! is_dir(dirname($filename))) {
    158. 

  158.                 if (! mkdir(dirname($filename))) {  // if the directory isnt there create it.
    159. 

  159.                     Feedback::error(tr('Could not create /storage/pass_blacklists directory.'));
    160. 

  160.                     return false;
    161. 

  161.                 }
    162. 

  162.             }
    163. 

  163.             if (file_exists($filename)) {
    164. 

  164.                 if (unlink($filename)) {            // if the file already exists, then delete.
    165. 

  165.                     Feedback::warning(tr('Existing password blacklist file was overwritten.'));
    166. 

  166.                 } else {
    167. 

  167.                     Feedback::error(tr('Existing password blacklist file could not be overwritten.'));
    168. 

  168.                     return false;
    169. 

  169.                 }
    170. 

  170.             }
    171. 

  171.             $pointer = @fopen($filename, 'x');
    172. 

  172.             if (! $pointer) {
    173. 

  173.                 Feedback::error(tr('File Error. Password file not created.'));
    174. 

  174.                 return false;
    175. 

  175.             };
    176. 

  176.             while ($foo = $result->fetchrow()) {
    177. 

  177.                 if (! fwrite($pointer, $foo['password'] . PHP_EOL)) {
    178. 

  178.                     Feedback::error(tr('File Error. Password file generation interrupted.'));
    179. 

  179.                     return false;
    180. 

  180.                 }
    181. 

  181.             }
    182. 

  182.             fclose($pointer);
    183. 

  183.         } else {
    184. 

  184.             while ($foo = $result->fetchrow()) {
    185. 

  185.                 echo $foo['password'] . PHP_EOL;
    186. 

  186.             }
    187. 

  187.         }
    188. 

  188.         Feedback::success(tr('Password blacklist file generated.'));
    189. 

  189.         return true;
    190. 

  190.     }
    191. 

  191. 

  192.     /**
    193. 

  193.      * Generates the name for a password file
    194. 

  194.      *
    195. 

  195.      * @param bool $asFile should the directory be returned as a file name with directory, if false only the name without extension
    196. 

  196.      *
    197. 

  197.      * @return string
    198. 

  198.      *
    199. 

  199.      */
    200. 

  200.     public function generateBlacklistName($asFile = true)
    201. 

  201.     {
    202. 

  202.         global $prefs;
    203. 

  203. 

  204.         $filename = '';
    205. 

  205.         if ($asFile) {
    206. 

  206.             $filename = 'storage/pass_blacklists/'; // directory
    207. 

  207.         }
    208. 

  208.         $filename .= $prefs['pass_chr_num'];
    209. 

  209.         $filename .= '-' . $prefs['pass_chr_special'];
    210. 

  210.         $filename .= '-' . $prefs['min_pass_length'];
    211. 

  211.         $filename .= '-1-'; // indicates user created file
    212. 

  212.         $filename .= $this->actual;
    213. 

  213.         if (! $asFile) {
    214. 

  214.             return $filename;
    215. 

  215.         }
    216. 

  216.         $filename .= '.txt';
    217. 

  217. 

  218.         return $filename;
    219. 

  219.     }
    220. 

  220. 

  221.     public function whatFileUsing()
    222. 

  222.     {
    223. 

  223.         if ($GLOBALS['prefs']['pass_blacklist'] == 'n' || ! isset($GLOBALS['prefs']['pass_blacklist'])) {
    224. 

  224.             return 'Disabled';
    225. 

  225.         } elseif ($GLOBALS['prefs']['pass_blacklist_file'] == 'auto') {
    226. 

  226.             return $this->readableBlackName(explode('-', $GLOBALS['prefs']['pass_auto_blacklist'])) . ' - Auto Selected';
    227. 

  227.         } else {
    228. 

  228.             return $this->readableBlackName(explode('-', $GLOBALS['prefs']['pass_blacklist_file']));
    229. 

  229.         }
    230. 

  230.     }
    231. 

  231. 

  232.     /**
    233. 

  233.      * Formatts a blacklist file name into a human readable description.
    234. 

  234.      *
    235. 

  235.      * @param $NameArray array of blacklist file specifycations
    236. 

  236.      *
    237. 

  237.      * @return string
    238. 

  238.      *
    239. 

  239.      */
    240. 

  240. 

  241.     private function readableBlackName($NameArray)
    242. 

  242.     {
    243. 

  243. 

  244.         $readable = 'Num & Let: ' . $NameArray['0'];
    245. 

  245.         $readable .= ', Special: ' . $NameArray['1'];
    246. 

  246.         $readable .= ', Min Len: ' . $NameArray['2'];
    247. 

  247.         $readable .= ', Custom: ' . $NameArray['3'];
    248. 

  248.         $readable .= ', Word Count: ' . $NameArray['4'];
    249. 

  249.         return $readable;
    250. 

  250.     }
    251. 

  251. 

  252.     /**
    253. 

  253.      *
    254. 

  254.      * populates the password blacklist database table with the contents of a file of passwords.
    255. 

  255.      *
    256. 

  256.      * @param $filename string the name & path of the saved password
    257. 

  257.      */
    258. 

  258.     public function loadBlacklist($filename)
    259. 

  259.     {
    260. 

  260.         if (is_readable($filename)) {
    261. 

  261.             $passwords = file($filename, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    262. 

  262.             $passwords = array_map('strtolower', $passwords);
    263. 

  263.             $passwords = array_map('trim', $passwords);
    264. 

  264.             $passwords = array_unique($passwords);
    265. 

  265.             $passwords = array_map('addslashes', $passwords);
    266. 

  266.             $passwords = "('" . implode("'),('", $passwords) . "')";
    267. 

  267. 

  268.             $tikiDb = new TikiDb_Bridge();
    269. 

  269.             $query = "TRUNCATE TABLE tiki_password_blacklist";
    270. 

  270.             $tikiDb->query($query, []);
    271. 

  271. 

  272.             $query = "INSERT INTO tiki_password_blacklist (password) VALUES $passwords";
    273. 

  273.             $tikiDb->query($query);
    274. 

  274.         } else {
    275. 

  275.             Feedback::error(tr('Unable to Populate Blacklist: File "%0" does not exist or is not readable.', $filename));
    276. 

  276.         }
    277. 

  277.     }
    278. 

  278. 

  279.     /**
    280. 

  280.      * Obtains blacklists available, and returns one according to which one is best suited to current settings.
    281. 

  281.      * This function may only be called when values being updated, as it relies on the $_POST vars differing from
    282. 

  282.      * saved settings
    283. 

  283.      *
    284. 

  284.      * @var $file[0] bool chracter & number
    285. 

  285.      * @var $file[1] bool special character
    286. 

  286.      * @var $file[2] int  minimum number of characters
    287. 

  287.      * @var $file[3] bool is user generated
    288. 

  288.      * @var $file[4] int  number of passwords (limit)
    289. 

  289.      *
    290. 

  290.      * @param $pass_chr_num string the post var being updated
    291. 

  291.      * @param $pass_chr_num string the post var beign updated
    292. 

  292.      * @param $length string length value being updated
    293. 

  293.      *
    294. 

  294.      *
    295. 

  295.      * @return array|bool the file name (without extension) that is best suited to govern the blacklist, or false on no suitable files.
    296. 

  296.      */
    297. 

  297.     public function selectBestBlacklist($pass_chr_num, $pass_chr_special, $length)
    298. 

  298.     {
    299. 

  299.         $fileIndex = $this->genIndexedBlacks(false);
    300. 

  300.         $bestFile = false;
    301. 

  301.         $chrnum = false;
    302. 

  302.         $special = false;
    303. 

  303.         if ($pass_chr_num == 'on') {
    304. 

  304.             $chrnum = true;
    305. 

  305.         }
    306. 

  306.         if ($pass_chr_special == 'on') {
    307. 

  307.             $special = true;
    308. 

  308.         }
    309. 

  309. 

  310.         foreach ($fileIndex as $file) {
    311. 

  311.             if (
    312. 

  312.                 $file[0] == $chrnum &&       // first qualify the options
    313. 

  313.                 $file[1] == $special &&
    314. 

  314.                 $file[2] <= $length
    315. 

  315.             ) {
    316. 

  316.                 $count = 2;
    317. 

  317.                 while ($count < 5) {         // then pick the best option
    318. 

  318.                     if ($file[$count] >= $bestFile[$count]) {
    319. 

  319.                         if ($file[$count] > $bestFile[$count]) {
    320. 

  320.                             $bestFile = $file;
    321. 

  321.                         }
    322. 

  322.                         $count++;
    323. 

  323.                     } else {
    324. 

  324.                         $count = 5;
    325. 

  325.                     }
    326. 

  326.                 }
    327. 

  327.             }
    328. 

  328.         }
    329. 

  329. 

  330.         return $bestFile;
    331. 

  331.     }
    332. 

  332. 

  333.         /**
    334. 

  334.          * reads available password list files from disk and returns a sorted array of files
    335. 

  335.          *
    336. 

  336.          * @param $returnFormatted bool if false, will return a human readable array, if false, will return the same array with only numbers.
    337. 

  337.          *
    338. 

  338.          * @return array
    339. 

  339.          */
    340. 

  340. 

  341.     public function genIndexedBlacks($returnFormatted = true)
    342. 

  342.     {
    343. 

  343. 

  344.         $blacklist_options = array_diff(scandir(__DIR__ . '/../pass_blacklists'), ['..', '.', 'index.php', '.htaccess', '.svn', '.DS_Store', 'readme.txt']);
    345. 

  345.         if (is_dir('storage/pass_blacklists')) {
    346. 

  346.             $blacklist_options = array_merge($blacklist_options, array_diff(scandir(__DIR__ . '/../../storage/pass_blacklists'), ['..', '.', 'index.php', '.htaccess', '.svn', '.DS_Store', 'readme.txt']));
    347. 

  347.         }
    348. 

  348.         sort($blacklist_options);
    349. 

  349. 

  350.         $fileindex = [];
    351. 

  351.         foreach ($blacklist_options as $blacklist_file) {
    352. 

  352.             $blacklist_file = substr($blacklist_file, 0, -4);
    353. 

  353.             $fileindex[$blacklist_file] = explode('-', $blacklist_file);
    354. 

  354.             if ($returnFormatted) {
    355. 

  355.                 $fileindex[$blacklist_file] = $this->readableBlackName($fileindex[$blacklist_file]);
    356. 

  356.             }
    357. 

  357.         }
    358. 

  358.         return $fileindex;
    359. 

  359.     }
    360. 

  360. }
    361. 

  361.