<?php
# MantisBT - A PHP based bugtracking system

# MantisBT is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# MantisBT is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.

/**
 * Form API
 *
 * Issues, validates and purges per-form security tokens (anti-CSRF) that
 * live in the user's session. Tokens are read back from either GET or POST
 * input, and several tokens for the same form may be outstanding at once so
 * that edits of the same form can be submitted out-of-order.
 *
 * Session layout used throughout this file:
 *   $tokens[form name][issue date 'Ymd'][token string] = true
 *
 * @package CoreAPI
 * @subpackage FormAPI
 * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
 * @copyright Copyright (C) 2002 - 2011  MantisBT Team - mantisbt-dev@lists.sourceforge.net
 * @link http://www.mantisbt.org
 *
 * @uses config_api.php
 * @uses constant_inc.php
 * @uses crypto_api.php
 * @uses gpc_api.php
 * @uses php_api.php
 * @uses session_api.php
 */

require_api( 'config_api.php' );
require_api( 'constant_inc.php' );
require_api( 'crypto_api.php' );
require_api( 'gpc_api.php' );
require_api( 'php_api.php' );
require_api( 'session_api.php' );

/**
 * Generate a fresh security token for the named form, record it in the
 * user's session and return it.
 *
 * The token is today's date ('Ymd') followed by a 32 character URI-safe
 * nonce from crypto_generate_uri_safe_nonce(). The date prefix is what
 * later allows form_security_purge() to expire old tokens by bucket
 * without inspecting each one.
 *
 * @param string $p_form_name Form name
 * @return string Security token, or '' when running from the CLI or when
 *                the 'form_security_validation' option is OFF
 */
function form_security_token( $p_form_name ) {
	# Token handling is bypassed on the command line and when the
	# administrator has switched validation off.
	$t_inactive = PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' );
	if( $t_inactive ) {
		return '';
	}

	$t_all_tokens = session_get( 'form_security_tokens', array() );

	# Date prefix plus a 32 character base64-style nonce, i.e. 192 bits of
	# randomness per token.
	$t_today = date( 'Ymd' );
	$t_token = $t_today . crypto_generate_uri_safe_nonce( 32 );

	# Start from the form's existing bucket, or a fresh one if the session
	# holds nothing usable for this form.
	$t_form_tokens = isset( $t_all_tokens[$p_form_name] ) && is_array( $t_all_tokens[$p_form_name] )
		? $t_all_tokens[$p_form_name]
		: array();
	if( !isset( $t_form_tokens[$t_today] ) ) {
		$t_form_tokens[$t_today] = array();
	}
	$t_form_tokens[$t_today][$t_token] = true;

	$t_all_tokens[$p_form_name] = $t_form_tokens;
	session_set( 'form_security_tokens', $t_all_tokens );

	return $t_token;
}

/**
 * Build a hidden <input> element carrying a newly generated security token.
 *
 * The element is named "<form name>_token", which is the request parameter
 * form_security_validate() and form_security_purge() read back.
 *
 * NOTE(review): neither the form name nor the token value is HTML-escaped
 * here; this relies on callers passing a plain identifier as the form name
 * and on the nonce being URI-safe as crypto_api promises.
 *
 * @param string $p_form_name Form name
 * @return string Hidden form element HTML, or '' when form security is
 *                inactive (CLI, or validation disabled)
 */
function form_security_field( $p_form_name ) {
	if( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
		return '';
	}

	$t_token = form_security_token( $p_form_name );
	$t_field_name = $p_form_name . '_token';

	return sprintf( '<input type="hidden" name="%s" value="%s"/>', $t_field_name, $t_token );
}

/**
 * Build a URL query fragment carrying a newly generated security token.
 *
 * The result has the form "&<form name>_token=<token>" and is meant to be
 * appended to a query string that already has at least one parameter. The
 * separator is a literal '&' (not '&amp;'), so the fragment must be
 * escaped by the caller if it is written into an HTML attribute.
 *
 * @param string $p_form_name Form name
 * @return string URL parameter fragment, or '' when form security is
 *                inactive (CLI, or validation disabled)
 */
function form_security_param( $p_form_name ) {
	if( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
		return '';
	}

	$t_token = form_security_token( $p_form_name );
	$t_param_name = $p_form_name . '_token';

	return sprintf( '&%s=%s', $t_param_name, $t_token );
}

/**
 * Check whether the current request carries a valid security token for the
 * named form.
 *
 * The token is read from the "<form name>_token" request parameter (GET or
 * POST, via gpc_get_string()) and looked up in the session under its
 * 8-character date prefix. Any failure -- no tokens stored for the form,
 * empty input, or an unknown token -- raises ERROR_FORM_TOKEN_INVALID via
 * trigger_error() before false is returned.
 *
 * This function neither consumes nor expires tokens: call
 * form_security_purge() after a successful validation to drop the used
 * token and any buckets older than three days.
 *
 * @param string $p_form_name Form name
 * @return boolean true when the token is valid (or form security is
 *                 inactive), false otherwise
 */
function form_security_validate( $p_form_name ) {
	if( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
		return true;
	}

	$t_all_tokens = session_get( 'form_security_tokens', array() );
	$t_form_tokens = isset( $t_all_tokens[$p_form_name] ) ? $t_all_tokens[$p_form_name] : null;

	$t_valid = false;
	if( is_array( $t_form_tokens ) && count( $t_form_tokens ) > 0 ) {
		$t_input = gpc_get_string( $p_form_name . '_token', '' );
		if( '' != $t_input ) {
			# The first 8 characters are the issue date, which selects the
			# bucket the token must be found in.
			$t_claimed_date = utf8_substr( $t_input, 0, 8 );
			$t_valid = isset( $t_form_tokens[$t_claimed_date][$t_input] );
		}
	}

	if( !$t_valid ) {
		trigger_error( ERROR_FORM_TOKEN_INVALID, ERROR );
	}

	return $t_valid;
}

/**
 * Remove the token used by the current request and expire stale tokens.
 *
 * Two things are dropped from the session's 'form_security_tokens' store:
 * the token carried by the "<form name>_token" request parameter (so it
 * cannot be submitted again), and every per-day bucket -- for any form --
 * dated more than three days before now. The updated store is written back
 * with session_set(). Nothing happens when the form has no token bucket.
 *
 * Typically called right after form_security_validate() succeeds.
 *
 * @param string $p_form_name Form name
 * @return void
 */
function form_security_purge( $p_form_name ) {
	if( PHP_CLI == php_mode() || OFF == config_get_global( 'form_security_validation' ) ) {
		return;
	}

	$t_all_tokens = session_get( 'form_security_tokens', array() );

	# Nothing to purge unless this form has a non-empty token bucket.
	if( !isset( $t_all_tokens[$p_form_name] ) || !is_array( $t_all_tokens[$p_form_name] ) || count( $t_all_tokens[$p_form_name] ) < 1 ) {
		return;
	}

	# Drop the token this request submitted; it lives under its date prefix.
	$t_input = gpc_get_string( $p_form_name . '_token', '' );
	$t_claimed_date = utf8_substr( $t_input, 0, 8 );
	unset( $t_all_tokens[$p_form_name][$t_claimed_date][$t_input] );

	# Buckets are keyed by 'Ymd', so a plain comparison against the cutoff
	# orders them chronologically.
	$t_cutoff = date( 'Ymd', time() - ( 3 * 24 * 60 * 60 ) );

	foreach( $t_all_tokens as $t_form => $t_buckets ) {
		foreach( $t_buckets as $t_bucket_date => $t_bucket ) {
			if( $t_bucket_date < $t_cutoff ) {
				unset( $t_all_tokens[$t_form][$t_bucket_date] );
			}
		}
	}

	session_set( 'form_security_tokens', $t_all_tokens );
}