123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491 |
- <?php
- /* For licensing terms, see /license.txt */
- use Chamilo\CoreBundle\Component\HTMLPurifier\Filter\AllowIframes;
- /**
- * This is the security library for Chamilo.
- *
- * This library is based on recommendations found in the PHP5 Certification
- * Guide published at PHP|Architect, and other recommendations found on
- * http://www.phpsec.org/
- * The principles here are that all data is tainted (most scripts of Chamilo are
- * open to the public or at least to a certain public that could be malicious
- * under specific circumstances). We use the white list approach, where as we
- * consider that data can only be used in the database or in a file if it has
- * been filtered.
- *
- * For session fixation, use ...
- * For session hijacking, use get_ua() and check_ua()
- * For Cross-Site Request Forgeries, use get_token() and check_tocken()
- * For basic filtering, use filter()
- * For files inclusions (using dynamic paths) use check_rel_path() and check_abs_path()
- *
- * @package chamilo.library
- * @author Yannick Warnier <ywarnier@beeznest.org>
- */
- /**
- * Security class
- *
- * Include/require it in your code and call Security::function()
- * to use its functionalities.
- *
- * This class can also be used as a container for filtered data, by creating
- * a new Security object and using $secure->filter($new_var,[more options])
- * and then using $secure->clean['var'] as a filtered equivalent, although
- * this is *not* mandatory at all.
- */
- class Security
- {
- public static $clean = array();
- /**
- * Checks if the absolute path (directory) given is really under the
- * checker path (directory)
- * @param string Absolute path to be checked (with trailing slash)
- * @param string Checker path under which the path
- * should be (absolute path, with trailing slash, get it from api_get_path(SYS_COURSE_PATH))
- * @return bool True if the path is under the checker, false otherwise
- */
- public static function check_abs_path($abs_path, $checker_path)
- {
- // The checker path must be set.
- if (empty($checker_path)) {
- return false;
- }
- $true_path = str_replace("\\", '/', realpath($abs_path));
- $checker_path = str_replace("\\", '/', realpath($checker_path));
- if (empty($checker_path)) {
- return false;
- }
- $found = strpos($true_path.'/', $checker_path);
- if ($found === 0) {
- return true;
- } else {
- // Code specific to Windows and case-insensitive behaviour
- if (api_is_windows_os()) {
- $found = stripos($true_path.'/', $checker_path);
- if ($found === 0) {
- return true;
- }
- }
- }
- return false;
- }
- /**
- * Checks if the relative path (directory) given is really under the
- * checker path (directory)
- * @param string Relative path to be checked (relative to the current directory) (with trailing slash)
- * @param string Checker path under which the path
- * should be (absolute path, with trailing slash, get it from api_get_path(SYS_COURSE_PATH))
- * @return bool True if the path is under the checker, false otherwise
- */
- public static function check_rel_path($rel_path, $checker_path)
- {
- // The checker path must be set.
- if (empty($checker_path)) {
- return false;
- }
- $current_path = getcwd(); // No trailing slash.
- if (substr($rel_path, -1, 1) != '/') {
- $rel_path = '/'.$rel_path;
- }
- $abs_path = $current_path.$rel_path;
- $true_path = str_replace("\\", '/', realpath($abs_path));
- $found = strpos($true_path.'/', $checker_path);
- if ($found === 0) {
- return true;
- }
- return false;
- }
- /**
- * Filters dangerous filenames (*.php[.]?* and .htaccess) and returns it in
- * a non-executable form (for PHP and htaccess, this is still vulnerable to
- * other languages' files extensions)
- * @param string $filename Unfiltered filename
- * @return string
- */
- public static function filter_filename($filename)
- {
- return disable_dangerous_file($filename);
- }
- /**
- * This function checks that the token generated in get_token() has been kept (prevents
- * Cross-Site Request Forgeries attacks)
- * @param string The array in which to get the token ('get' or 'post')
- * @return bool True if it's the right token, false otherwise
- */
- public static function check_token($request_type = 'post')
- {
- switch ($request_type) {
- case 'request':
- if (isset($_SESSION['sec_token']) && isset($_REQUEST['sec_token']) && $_SESSION['sec_token'] === $_REQUEST['sec_token']) {
- return true;
- }
- return false;
- case 'get':
- if (isset($_SESSION['sec_token']) && isset($_GET['sec_token']) && $_SESSION['sec_token'] === $_GET['sec_token']) {
- return true;
- }
- return false;
- case 'post':
- if (isset($_SESSION['sec_token']) && isset($_POST['sec_token']) && $_SESSION['sec_token'] === $_POST['sec_token']) {
- return true;
- }
- return false;
- default:
- if (isset($_SESSION['sec_token']) && isset($request_type) && $_SESSION['sec_token'] === $request_type) {
- return true;
- }
- return false;
- }
- return false; // Just in case, don't let anything slip.
- }
- /**
- * Checks the user agent of the client as recorder by get_ua() to prevent
- * most session hijacking attacks.
- * @return bool True if the user agent is the same, false otherwise
- */
- public static function check_ua()
- {
- if (isset($_SESSION['sec_ua']) && $_SESSION['sec_ua'] === $_SERVER['HTTP_USER_AGENT'].$_SESSION['sec_ua_seed']) {
- return true;
- }
- return false;
- }
- /**
- * Clear the security token from the session
- * @return void
- */
- public static function clear_token()
- {
- $_SESSION['sec_token'] = null;
- unset($_SESSION['sec_token']);
- }
- /**
- * This function sets a random token to be included in a form as a hidden field
- * and saves it into the user's session. Returns an HTML form element
- * This later prevents Cross-Site Request Forgeries by checking that the user is really
- * the one that sent this form in knowingly (this form hasn't been generated from
- * another website visited by the user at the same time).
- * Check the token with check_token()
- * @return string Hidden-type input ready to insert into a form
- */
- public static function get_HTML_token()
- {
- $token = md5(uniqid(rand(), true));
- $string = '<input type="hidden" name="sec_token" value="'.$token.'" />';
- $_SESSION['sec_token'] = $token;
- return $string;
- }
- /**
- * This function sets a random token to be included in a form as a hidden field
- * and saves it into the user's session.
- * This later prevents Cross-Site Request Forgeries by checking that the user is really
- * the one that sent this form in knowingly (this form hasn't been generated from
- * another website visited by the user at the same time).
- * Check the token with check_token()
- * @return string Token
- */
- public static function get_token()
- {
- $token = md5(uniqid(rand(), true));
- $_SESSION['sec_token'] = $token;
- return $token;
- }
- /**
- * @return string
- */
- public static function get_existing_token()
- {
- if (isset($_SESSION['sec_token']) && !empty($_SESSION['sec_token'])) {
- return $_SESSION['sec_token'];
- } else {
- return self::get_token();
- }
- }
- /**
- * Gets the user agent in the session to later check it with check_ua() to prevent
- * most cases of session hijacking.
- * @return void
- */
- public static function get_ua()
- {
- $_SESSION['sec_ua_seed'] = uniqid(rand(), true);
- $_SESSION['sec_ua'] = $_SERVER['HTTP_USER_AGENT'].$_SESSION['sec_ua_seed'];
- }
- /**
- * This function returns a variable from the clean array. If the variable doesn't exist,
- * it returns null
- * @param string Variable name
- * @return mixed Variable or NULL on error
- */
- public static function get($varname)
- {
- if (isset(self::$clean[$varname])) {
- return self::$clean[$varname];
- }
- return null;
- }
- /**
- * This function tackles the XSS injections.
- * Filtering for XSS is very easily done by using the htmlentities() function.
- * This kind of filtering prevents JavaScript snippets to be understood as such.
- * @param string The variable to filter for XSS, this params can be a string or an array (example : array(x,y))
- * @param int The user status,constant allowed (STUDENT, COURSEMANAGER, ANONYMOUS, COURSEMANAGERLOWSECURITY)
- * @param bool $filter_terms
- * @return mixed Filtered string or array
- */
- public static function remove_XSS($var, $user_status = null, $filter_terms = false)
- {
- if ($filter_terms) {
- $var = self::filter_terms($var);
- }
- if (empty($user_status)) {
- if (api_is_anonymous()) {
- $user_status = ANONYMOUS;
- } else {
- if (api_is_allowed_to_edit()) {
- $user_status = COURSEMANAGER;
- } else {
- $user_status = STUDENT;
- }
- }
- }
- if ($user_status == COURSEMANAGERLOWSECURITY) {
- return $var; // No filtering.
- }
- static $purifier = array();
- if (!isset($purifier[$user_status])) {
- $cache_dir = api_get_path(SYS_ARCHIVE_PATH).'Serializer';
- if (!file_exists($cache_dir)) {
- mkdir($cache_dir, 0777);
- }
- $config = HTMLPurifier_Config::createDefault();
- $config->set('Cache.SerializerPath', $cache_dir);
- $config->set('Core.Encoding', api_get_system_encoding());
- $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
- $config->set('HTML.MaxImgLength', '2560');
- $config->set('HTML.TidyLevel', 'light');
- $config->set('Core.ConvertDocumentToFragment', false);
- $config->set('Core.RemoveProcessingInstructions', true);
- if (api_get_setting('enable_iframe_inclusion') == 'true') {
- $config->set('Filter.Custom', array(new AllowIframes()));
- }
- // Shows _target attribute in anchors
- $config->set('Attr.AllowedFrameTargets', array('_blank', '_top', '_self', '_parent'));
- if ($user_status == STUDENT) {
- global $allowed_html_student;
- $config->set('HTML.SafeEmbed', true);
- $config->set('HTML.SafeObject', true);
- $config->set('Filter.YouTube', true);
- $config->set('HTML.FlashAllowFullScreen', true);
- $config->set('HTML.Allowed', $allowed_html_student);
- } elseif ($user_status == COURSEMANAGER) {
- global $allowed_html_teacher;
- $config->set('HTML.SafeEmbed', true);
- $config->set('HTML.SafeObject', true);
- $config->set('Filter.YouTube', true);
- $config->set('HTML.FlashAllowFullScreen', true);
- $config->set('HTML.Allowed', $allowed_html_teacher);
- } else {
- global $allowed_html_anonymous;
- $config->set('HTML.Allowed', $allowed_html_anonymous);
- }
- // We need it for example for the flv player (ids of surrounding div-tags have to be preserved).
- $config->set('Attr.EnableID', true);
- $config->set('CSS.AllowImportant', true);
- // We need for the flv player the css definition display: none;
- $config->set('CSS.AllowTricky', true);
- $config->set('CSS.Proprietary', true);
- // Allow uri scheme.
- $config->set('URI.AllowedSchemes', array(
- 'http' => true,
- 'https' => true,
- 'mailto' => true,
- 'ftp' => true,
- 'nntp' => true,
- 'news' => true,
- 'data' => true,
- ));
- $purifier[$user_status] = new HTMLPurifier($config);
- }
- if (is_array($var)) {
- return $purifier[$user_status]->purifyArray($var);
- } else {
- return $purifier[$user_status]->purify($var);
- }
- }
- /**
- * Filter content
- * @param string $text to be filter
- * @return string
- */
- public static function filter_terms($text)
- {
- static $bad_terms = array();
- if (empty($bad_terms)) {
- $list = api_get_setting('filter_terms');
- if (!empty($list)) {
- $list = explode("\n", $list);
- $list = array_filter($list);
- if (!empty($list)) {
- foreach ($list as $term) {
- $term = str_replace(array("\r\n", "\r", "\n", "\t"), '', $term);
- $html_entities_value = api_htmlentities($term, ENT_QUOTES, api_get_system_encoding());
- $bad_terms[] = $term;
- if ($term != $html_entities_value) {
- $bad_terms[] = $html_entities_value;
- }
- }
- }
- $bad_terms = array_filter($bad_terms);
- }
- }
- $replace = '***';
- if (!empty($bad_terms)) {
- // Fast way
- $new_text = str_ireplace($bad_terms, $replace, $text, $count);
- $text = $new_text;
- }
- return $text;
- }
- /**
- * This method provides specific protection (against XSS and other kinds of attacks) for static images (icons) used by the system.
- * Image paths are supposed to be given by programmers - people who know what they do, anyway, this method encourages
- * a safe practice for generating icon paths, without using heavy solutions based on HTMLPurifier for example.
- * @param string $img_path The input path of the image, it could be relative or absolute URL.
- * @return string Returns sanitized image path or an empty string when the image path is not secure.
- * @author Ivan Tcholakov, March 2011
- */
- public static function filter_img_path($image_path)
- {
- static $allowed_extensions = array('png', 'gif', 'jpg', 'jpeg', 'svg', 'webp');
- $image_path = htmlspecialchars(trim($image_path)); // No html code is allowed.
- // We allow static images only, query strings are forbidden.
- if (strpos($image_path, '?') !== false) {
- return '';
- }
- if (($pos = strpos($image_path, ':')) !== false) {
- // Protocol has been specified, let's check it.
- if (stripos($image_path, 'javascript:') !== false) {
- // Javascript everywhere in the path is not allowed.
- return '';
- }
- // We allow only http: and https: protocols for now.
- //if (!preg_match('/^https?:\/\//i', $image_path)) {
- // return '';
- //}
- if (stripos($image_path, 'http://') !== 0 && stripos($image_path, 'https://') !== 0) {
- return '';
- }
- }
- // We allow file extensions for images only.
- //if (!preg_match('/.+\.(png|gif|jpg|jpeg)$/i', $image_path)) {
- // return '';
- //}
- if (($pos = strrpos($image_path, '.')) !== false) {
- if (!in_array(strtolower(substr($image_path, $pos + 1)), $allowed_extensions)) {
- return '';
- }
- } else {
- return '';
- }
- return $image_path;
- }
- /**
- * Get password requirements
- * It checks config value 'password_requirements' or uses the "classic"
- * Chamilo password requirements.
- *
- * @return array
- */
- public static function getPasswordRequirements()
- {
- // Default
- $requirements = [
- 'min' => [
- 'lowercase' => 0,
- 'uppercase' => 0,
- 'numeric' => 2,
- 'length' => 5
- ]
- ];
- $passwordRequirements = api_get_configuration_value('password_requirements');
- if (!empty($passwordRequirements)) {
- $requirements = $passwordRequirements;
- }
- return $requirements;
- }
- /**
- * Gets password requirements in the platform language using get_lang
- * based in platform settings. See function 'self::getPasswordRequirements'
- * @return string
- */
- public static function getPasswordRequirementsToString($passedConditions = [])
- {
- $output = '';
- $setting = self::getPasswordRequirements();
- foreach ($setting as $type => $rules) {
- foreach ($rules as $rule => $parameter) {
- if (empty($parameter)) {
- continue;
- }
- $output .= sprintf(
- get_lang(
- 'NewPasswordRequirement'.ucfirst($type).'X'.ucfirst($rule)
- ),
- $parameter
- );
- $output .= '<br />';
- }
- }
- return $output;
- }
- }