/core/form_api.php

https://github.com/fusenigk/mantisbt-1 · PHP · 207 lines · 89 code · 37 blank · 81 comment · 33 complexity · 53af06d46da796742942c821dc4c55a6 MD5 · raw file 

    

  1. <?php
    2. 

  2. # MantisBT - A PHP based bugtracking system
    3. 

  3. 

  4. # MantisBT is free software: you can redistribute it and/or modify
    5. 

  5. # it under the terms of the GNU General Public License as published by
    6. 

  6. # the Free Software Foundation, either version 2 of the License, or
    7. 

  7. # (at your option) any later version.
    8. 

  8. #
    9. 

  9. # MantisBT is distributed in the hope that it will be useful,
    10. 

  10. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    11. 

  11. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    12. 

  12. # GNU General Public License for more details.
    13. 

  13. #
    14. 

  14. # You should have received a copy of the GNU General Public License
    15. 

  15. # along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
    16. 

  16. 

  17. /**
    18. 

  18.  * Form API
    19. 

  19.  *
    20. 

  20.  * Handles form security and validation. Security methods are targeted to
    21. 

  21.  * work with both GET and POST form types and should allow multiple
    22. 

  22.  * simultaneous edits of the form to be submitted out-of-order.
    23. 

  23.  *
    24. 

  24.  * @package CoreAPI
    25. 

  25.  * @subpackage FormAPI
    26. 

  26.  * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
    27. 

  27.  * @copyright Copyright (C) 2002 - 2011  MantisBT Team - mantisbt-dev@lists.sourceforge.net
    28. 

  28.  * @link http://www.mantisbt.org
    29. 

  29.  *
    30. 

  30.  * @uses config_api.php
    31. 

  31.  * @uses constant_inc.php
    32. 

  32.  * @uses crypto_api.php
    33. 

  33.  * @uses gpc_api.php
    34. 

  34.  * @uses php_api.php
    35. 

  35.  * @uses session_api.php
    36. 

  36.  */
    37. 

  37. 

  38. require_api( 'config_api.php' );
    39. 

  39. require_api( 'constant_inc.php' );
    40. 

  40. require_api( 'crypto_api.php' );
    41. 

  41. require_api( 'gpc_api.php' );
    42. 

  42. require_api( 'php_api.php' );
    43. 

  43. require_api( 'session_api.php' );
    44. 

  44. 

  45. /**
    46. 

  46.  * Generate a random security token, prefixed by date, store it in the
    47. 

  47.  * user's session, and then return the string to be used as a form element
    48. 

  48.  * element with the security token as the value.
    49. 

  49.  * @param string Form name
    50. 

  50.  * @return string Security token string
    51. 

  51.  */
    52. 

  52. function form_security_token( $p_form_name ) {
    53. 

  53. 	if ( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
    54. 

  54. 		return '';
    55. 

  55. 	}
    56. 

  56. 

  57. 	$t_tokens = session_get( 'form_security_tokens', array() );
    58. 

  58. 

  59. 	# Create a new array for the form name if necessary
    60. 

  60. 	if( !isset( $t_tokens[$p_form_name] ) || !is_array( $t_tokens[$p_form_name] ) ) {
    61. 

  61. 		$t_tokens[$p_form_name] = array();
    62. 

  62. 	}
    63. 

  63. 

  64. 	# Generate a nonce prefixed by date.
    65. 

  65. 	# With a base64 output encoded nonce length of 32 characters, we are
    66. 

  66. 	# generating a 192bit nonce.
    67. 

  67. 	$t_date = date( 'Ymd' );
    68. 

  68. 	$t_string = $t_date . crypto_generate_uri_safe_nonce( 32 );
    69. 

  69. 

  70. 	# Add the token to the user's session
    71. 

  71. 	if ( !isset( $t_tokens[$p_form_name][$t_date] ) ) {
    72. 

  72. 		$t_tokens[$p_form_name][$t_date] = array();
    73. 

  73. 	}
    74. 

  74. 

  75. 	$t_tokens[$p_form_name][$t_date][$t_string] = true;
    76. 

  76. 	session_set( 'form_security_tokens', $t_tokens );
    77. 

  77. 

  78. 	# The token string
    79. 

  79. 	return $t_string;
    80. 

  80. }
    81. 

  81. 

  82. /**
    83. 

  83.  * Get a hidden form element containing a generated form security token.
    84. 

  84.  * @param string Form name
    85. 

  85.  * @return string Hidden form element to output
    86. 

  86.  */
    87. 

  87. function form_security_field( $p_form_name ) {
    88. 

  88. 	if ( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
    89. 

  89. 		return '';
    90. 

  90. 	}
    91. 

  91. 

  92. 	$t_string = form_security_token( $p_form_name );
    93. 

  93. 

  94. 	# Create the form element HTML string for the security token
    95. 

  95. 	$t_form_token = $p_form_name . '_token';
    96. 

  96. 	$t_element = '<input type="hidden" name="%s" value="%s"/>';
    97. 

  97. 	$t_element = sprintf( $t_element, $t_form_token, $t_string );
    98. 

  98. 

  99. 	return $t_element;
    100. 

  100. }
    101. 

  101. 

  102. /**
    103. 

  103.  * Get a URL parameter containing a generated form security token.
    104. 

  104.  * @param string Form name
    105. 

  105.  * @return string Hidden form element to output
    106. 

  106.  */
    107. 

  107. function form_security_param( $p_form_name ) {
    108. 

  108. 	if ( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
    109. 

  109. 		return '';
    110. 

  110. 	}
    111. 

  111. 

  112. 	$t_string = form_security_token( $p_form_name );
    113. 

  113. 

  114. 	# Create the GET parameter to be used in a URL for a secure link
    115. 

  115. 	$t_form_token = $p_form_name . '_token';
    116. 

  116. 	$t_param = '&%s=%s';
    117. 

  117. 	$t_param = sprintf( $t_param, $t_form_token, $t_string );
    118. 

  118. 

  119. 	return $t_param;
    120. 

  120. }
    121. 

  121. 

  122. /**
    123. 

  123.  * Validate the security token for the given form name based on tokens
    124. 

  124.  * stored in the user's session.  While checking stored tokens, any that
    125. 

  125.  * are more than 3 days old will be purged.
    126. 

  126.  * @param string Form name
    127. 

  127.  * @return boolean Form is valid
    128. 

  128.  */
    129. 

  129. function form_security_validate( $p_form_name ) {
    130. 

  130. 	if ( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
    131. 

  131. 		return true;
    132. 

  132. 	}
    133. 

  133. 

  134. 	$t_tokens = session_get( 'form_security_tokens', array() );
    135. 

  135. 

  136. 	# Short-circuit if we don't have any tokens for the given form name
    137. 

  137. 	if( !isset( $t_tokens[$p_form_name] ) || !is_array( $t_tokens[$p_form_name] ) || count( $t_tokens[$p_form_name] ) < 1 ) {
    138. 

  138. 

  139. 		trigger_error( ERROR_FORM_TOKEN_INVALID, ERROR );
    140. 

  140. 		return false;
    141. 

  141. 	}
    142. 

  142. 

  143. 	# Get the form input
    144. 

  144. 	$t_form_token = $p_form_name . '_token';
    145. 

  145. 	$t_input = gpc_get_string( $t_form_token, '' );
    146. 

  146. 

  147. 	# No form input
    148. 

  148. 	if( '' == $t_input ) {
    149. 

  149. 		trigger_error( ERROR_FORM_TOKEN_INVALID, ERROR );
    150. 

  150. 		return false;
    151. 

  151. 	}
    152. 

  152. 

  153. 	# Get the date claimed by the token
    154. 

  154. 	$t_date = utf8_substr( $t_input, 0, 8 );
    155. 

  155. 

  156. 	# Check if the token exists
    157. 

  157. 	if ( isset( $t_tokens[$p_form_name][$t_date][$t_input] ) ) {
    158. 

  158. 		return true;
    159. 

  159. 	}
    160. 

  160. 

  161. 	# Token does not exist
    162. 

  162. 	trigger_error( ERROR_FORM_TOKEN_INVALID, ERROR );
    163. 

  163. 	return false;
    164. 

  164. }
    165. 

  165. 

  166. /**
    167. 

  167.  * Purge form security tokens that are older than 3 days, or used
    168. 

  168.  * for form validation.
    169. 

  169.  * @param string Form name
    170. 

  170.  */
    171. 

  171. function form_security_purge( $p_form_name ) {
    172. 

  172. 	if ( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
    173. 

  173. 		return;
    174. 

  174. 	}
    175. 

  175. 

  176. 	$t_tokens = session_get( 'form_security_tokens', array() );
    177. 

  177. 

  178. 	# Short-circuit if we don't have any tokens for the given form name
    179. 

  179. 	if( !isset( $t_tokens[$p_form_name] ) || !is_array( $t_tokens[$p_form_name] ) || count( $t_tokens[$p_form_name] ) < 1 ) {
    180. 

  180. 		return;
    181. 

  181. 	}
    182. 

  182. 

  183. 	# Get the form input
    184. 

  184. 	$t_form_token = $p_form_name . '_token';
    185. 

  185. 	$t_input = gpc_get_string( $t_form_token, '' );
    186. 

  186. 

  187. 	# Get the date claimed by the token
    188. 

  188. 	$t_date = utf8_substr( $t_input, 0, 8 );
    189. 

  189. 

  190. 	# Generate a date string of three days ago
    191. 

  191. 	$t_purge_date = date( 'Ymd', time() - ( 3 * 24 * 60 * 60 ) );
    192. 

  192. 

  193. 	# Purge old token data, and the currently-used token
    194. 

  194. 	unset( $t_tokens[$p_form_name][$t_date][$t_input] );
    195. 

  195. 

  196. 	foreach( $t_tokens as $t_form_name => $t_dates ) {
    197. 

  197. 		foreach( $t_dates as $t_date => $t_date_tokens ) {
    198. 

  198. 			if ( $t_date < $t_purge_date ) {
    199. 

  199. 				unset( $t_tokens[$t_form_name][$t_date] );
    200. 

  200. 			}
    201. 

  201. 		}
    202. 

  202. 	}
    203. 

  203. 

  204. 	session_set( 'form_security_tokens', $t_tokens );
    205. 

  205. 

  206. 	return;
    207. 

  207. }
    208.