*/ /** * Security class * * Include/require it in your code and call Security::function() * to use its functionalities. * * This class can also be used as a container for filtered data, by creating * a new Security object and using $secure->filter($new_var,[more options]) * and then using $secure->clean['var'] as a filtered equivalent, although * this is *not* mandatory at all. */ class Security { public static $clean = array(); /** * Checks if the absolute path (directory) given is really under the * checker path (directory) * @param string Absolute path to be checked (with trailing slash) * @param string Checker path under which the path * should be (absolute path, with trailing slash, get it from api_get_path(SYS_COURSE_PATH)) * @return bool True if the path is under the checker, false otherwise */ public static function check_abs_path($abs_path, $checker_path) { // The checker path must be set. if (empty($checker_path)) { return false; } $true_path = str_replace("\\", '/', realpath($abs_path)); $checker_path = str_replace("\\", '/', realpath($checker_path)); if (empty($checker_path)) { return false; } $found = strpos($true_path.'/', $checker_path); if ($found === 0) { return true; } else { // Code specific to Windows and case-insensitive behaviour if (api_is_windows_os()) { $found = stripos($true_path.'/', $checker_path); if ($found === 0) { return true; } } } return false; } /** * Checks if the relative path (directory) given is really under the * checker path (directory) * @param string Relative path to be checked (relative to the current directory) (with trailing slash) * @param string Checker path under which the path * should be (absolute path, with trailing slash, get it from api_get_path(SYS_COURSE_PATH)) * @return bool True if the path is under the checker, false otherwise */ public static function check_rel_path($rel_path, $checker_path) { // The checker path must be set. if (empty($checker_path)) { return false; } $current_path = getcwd(); // No trailing slash. if (substr($rel_path, -1, 1) != '/') { $rel_path = '/'.$rel_path; } $abs_path = $current_path.$rel_path; $true_path = str_replace("\\", '/', realpath($abs_path)); $found = strpos($true_path.'/', $checker_path); if ($found === 0) { return true; } return false; } /** * Filters dangerous filenames (*.php[.]?* and .htaccess) and returns it in * a non-executable form (for PHP and htaccess, this is still vulnerable to * other languages' files extensions) * @param string $filename Unfiltered filename * @return string */ public static function filter_filename($filename) { return disable_dangerous_file($filename); } /** * This function checks that the token generated in get_token() has been kept (prevents * Cross-Site Request Forgeries attacks) * @param string The array in which to get the token ('get' or 'post') * @return bool True if it's the right token, false otherwise */ public static function check_token($request_type = 'post') { switch ($request_type) { case 'request': if (isset($_SESSION['sec_token']) && isset($_REQUEST['sec_token']) && $_SESSION['sec_token'] === $_REQUEST['sec_token']) { return true; } return false; case 'get': if (isset($_SESSION['sec_token']) && isset($_GET['sec_token']) && $_SESSION['sec_token'] === $_GET['sec_token']) { return true; } return false; case 'post': if (isset($_SESSION['sec_token']) && isset($_POST['sec_token']) && $_SESSION['sec_token'] === $_POST['sec_token']) { return true; } return false; default: if (isset($_SESSION['sec_token']) && isset($request_type) && $_SESSION['sec_token'] === $request_type) { return true; } return false; } return false; // Just in case, don't let anything slip. } /** * Checks the user agent of the client as recorder by get_ua() to prevent * most session hijacking attacks. * @return bool True if the user agent is the same, false otherwise */ public static function check_ua() { if (isset($_SESSION['sec_ua']) && $_SESSION['sec_ua'] === $_SERVER['HTTP_USER_AGENT'].$_SESSION['sec_ua_seed']) { return true; } return false; } /** * Clear the security token from the session * @return void */ public static function clear_token() { $_SESSION['sec_token'] = null; unset($_SESSION['sec_token']); } /** * This function sets a random token to be included in a form as a hidden field * and saves it into the user's session. Returns an HTML form element * This later prevents Cross-Site Request Forgeries by checking that the user is really * the one that sent this form in knowingly (this form hasn't been generated from * another website visited by the user at the same time). * Check the token with check_token() * @return string Hidden-type input ready to insert into a form */ public static function get_HTML_token() { $token = md5(uniqid(rand(), true)); $string = ''; $_SESSION['sec_token'] = $token; return $string; } /** * This function sets a random token to be included in a form as a hidden field * and saves it into the user's session. * This later prevents Cross-Site Request Forgeries by checking that the user is really * the one that sent this form in knowingly (this form hasn't been generated from * another website visited by the user at the same time). * Check the token with check_token() * @return string Token */ public static function get_token() { $token = md5(uniqid(rand(), true)); $_SESSION['sec_token'] = $token; return $token; } /** * @return string */ public static function get_existing_token() { if (isset($_SESSION['sec_token']) && !empty($_SESSION['sec_token'])) { return $_SESSION['sec_token']; } else { return self::get_token(); } } /** * Gets the user agent in the session to later check it with check_ua() to prevent * most cases of session hijacking. * @return void */ public static function get_ua() { $_SESSION['sec_ua_seed'] = uniqid(rand(), true); $_SESSION['sec_ua'] = $_SERVER['HTTP_USER_AGENT'].$_SESSION['sec_ua_seed']; } /** * This function returns a variable from the clean array. If the variable doesn't exist, * it returns null * @param string Variable name * @return mixed Variable or NULL on error */ public static function get($varname) { if (isset(self::$clean[$varname])) { return self::$clean[$varname]; } return null; } /** * This function tackles the XSS injections. * Filtering for XSS is very easily done by using the htmlentities() function. * This kind of filtering prevents JavaScript snippets to be understood as such. * @param string The variable to filter for XSS, this params can be a string or an array (example : array(x,y)) * @param int The user status,constant allowed (STUDENT, COURSEMANAGER, ANONYMOUS, COURSEMANAGERLOWSECURITY) * @param bool $filter_terms * @return mixed Filtered string or array */ public static function remove_XSS($var, $user_status = null, $filter_terms = false) { if ($filter_terms) { $var = self::filter_terms($var); } if (empty($user_status)) { if (api_is_anonymous()) { $user_status = ANONYMOUS; } else { if (api_is_allowed_to_edit()) { $user_status = COURSEMANAGER; } else { $user_status = STUDENT; } } } if ($user_status == COURSEMANAGERLOWSECURITY) { return $var; // No filtering. } static $purifier = array(); if (!isset($purifier[$user_status])) { $cache_dir = api_get_path(SYS_ARCHIVE_PATH).'Serializer'; if (!file_exists($cache_dir)) { mkdir($cache_dir, 0777); } $config = HTMLPurifier_Config::createDefault(); $config->set('Cache.SerializerPath', $cache_dir); $config->set('Core.Encoding', api_get_system_encoding()); $config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); $config->set('HTML.MaxImgLength', '2560'); $config->set('HTML.TidyLevel', 'light'); $config->set('Core.ConvertDocumentToFragment', false); $config->set('Core.RemoveProcessingInstructions', true); if (api_get_setting('enable_iframe_inclusion') == 'true') { $config->set('Filter.Custom', array(new AllowIframes())); } // Shows _target attribute in anchors $config->set('Attr.AllowedFrameTargets', array('_blank', '_top', '_self', '_parent')); if ($user_status == STUDENT) { global $allowed_html_student; $config->set('HTML.SafeEmbed', true); $config->set('HTML.SafeObject', true); $config->set('Filter.YouTube', true); $config->set('HTML.FlashAllowFullScreen', true); $config->set('HTML.Allowed', $allowed_html_student); } elseif ($user_status == COURSEMANAGER) { global $allowed_html_teacher; $config->set('HTML.SafeEmbed', true); $config->set('HTML.SafeObject', true); $config->set('Filter.YouTube', true); $config->set('HTML.FlashAllowFullScreen', true); $config->set('HTML.Allowed', $allowed_html_teacher); } else { global $allowed_html_anonymous; $config->set('HTML.Allowed', $allowed_html_anonymous); } // We need it for example for the flv player (ids of surrounding div-tags have to be preserved). $config->set('Attr.EnableID', true); $config->set('CSS.AllowImportant', true); // We need for the flv player the css definition display: none; $config->set('CSS.AllowTricky', true); $config->set('CSS.Proprietary', true); // Allow uri scheme. $config->set('URI.AllowedSchemes', array( 'http' => true, 'https' => true, 'mailto' => true, 'ftp' => true, 'nntp' => true, 'news' => true, 'data' => true, )); $purifier[$user_status] = new HTMLPurifier($config); } if (is_array($var)) { return $purifier[$user_status]->purifyArray($var); } else { return $purifier[$user_status]->purify($var); } } /** * Filter content * @param string $text to be filter * @return string */ public static function filter_terms($text) { static $bad_terms = array(); if (empty($bad_terms)) { $list = api_get_setting('filter_terms'); if (!empty($list)) { $list = explode("\n", $list); $list = array_filter($list); if (!empty($list)) { foreach ($list as $term) { $term = str_replace(array("\r\n", "\r", "\n", "\t"), '', $term); $html_entities_value = api_htmlentities($term, ENT_QUOTES, api_get_system_encoding()); $bad_terms[] = $term; if ($term != $html_entities_value) { $bad_terms[] = $html_entities_value; } } } $bad_terms = array_filter($bad_terms); } } $replace = '***'; if (!empty($bad_terms)) { // Fast way $new_text = str_ireplace($bad_terms, $replace, $text, $count); $text = $new_text; } return $text; } /** * This method provides specific protection (against XSS and other kinds of attacks) for static images (icons) used by the system. * Image paths are supposed to be given by programmers - people who know what they do, anyway, this method encourages * a safe practice for generating icon paths, without using heavy solutions based on HTMLPurifier for example. * @param string $img_path The input path of the image, it could be relative or absolute URL. * @return string Returns sanitized image path or an empty string when the image path is not secure. * @author Ivan Tcholakov, March 2011 */ public static function filter_img_path($image_path) { static $allowed_extensions = array('png', 'gif', 'jpg', 'jpeg', 'svg', 'webp'); $image_path = htmlspecialchars(trim($image_path)); // No html code is allowed. // We allow static images only, query strings are forbidden. if (strpos($image_path, '?') !== false) { return ''; } if (($pos = strpos($image_path, ':')) !== false) { // Protocol has been specified, let's check it. if (stripos($image_path, 'javascript:') !== false) { // Javascript everywhere in the path is not allowed. return ''; } // We allow only http: and https: protocols for now. //if (!preg_match('/^https?:\/\//i', $image_path)) { // return ''; //} if (stripos($image_path, 'http://') !== 0 && stripos($image_path, 'https://') !== 0) { return ''; } } // We allow file extensions for images only. //if (!preg_match('/.+\.(png|gif|jpg|jpeg)$/i', $image_path)) { // return ''; //} if (($pos = strrpos($image_path, '.')) !== false) { if (!in_array(strtolower(substr($image_path, $pos + 1)), $allowed_extensions)) { return ''; } } else { return ''; } return $image_path; } /** * Get password requirements * It checks config value 'password_requirements' or uses the "classic" * Chamilo password requirements. * * @return array */ public static function getPasswordRequirements() { // Default $requirements = [ 'min' => [ 'lowercase' => 0, 'uppercase' => 0, 'numeric' => 2, 'length' => 5 ] ]; $passwordRequirements = api_get_configuration_value('password_requirements'); if (!empty($passwordRequirements)) { $requirements = $passwordRequirements; } return $requirements; } /** * Gets password requirements in the platform language using get_lang * based in platform settings. See function 'self::getPasswordRequirements' * @return string */ public static function getPasswordRequirementsToString($passedConditions = []) { $output = ''; $setting = self::getPasswordRequirements(); foreach ($setting as $type => $rules) { foreach ($rules as $rule => $parameter) { if (empty($parameter)) { continue; } $output .= sprintf( get_lang( 'NewPasswordRequirement'.ucfirst($type).'X'.ucfirst($rule) ), $parameter ); $output .= '
'; } } return $output; } }