OpenXE/phpwf/plugins/class.secure.php

345 lines
9.3 KiB
PHP

<?php
/*
**** COPYRIGHT & LICENSE NOTICE *** DO NOT REMOVE ****
*
* Xentral (c) Xentral ERP Sorftware GmbH, Fuggerstrasse 11, D-86150 Augsburg, * Germany 2019
*
* This file is licensed under the Embedded Projects General Public License *Version 3.1.
*
* You should have received a copy of this license from your vendor and/or *along with this file; If not, please visit www.wawision.de/Lizenzhinweis
* to obtain the text of the corresponding license version.
*
**** END OF COPYRIGHT & LICENSE NOTICE *** DO NOT REMOVE ****
*/
?>
<?php
/// Secure Layer, SQL Inject. Check, Syntax Check
class Secure
{
public $GET;
public $POST;
/**
* Secure constructor.
*
* @param ApplicationCore $app
*/
public function __construct($app){
$this->app = $app;
// clear global variables, that everybody have to go over secure layer
$this->GET = $_GET;
if(isset($this->GET['msgs']) && isset($this->app->Location)) {
$this->GET['msg'] = $this->app->Location->getMessage($this->GET['msgs']);
}
// $_GET="";
$this->POST = $_POST;
// $_POST="";
if(!isset($this->app->stringcleaner) && file_exists(__DIR__. '/class.stringcleaner.php')) {
if(!class_exists('StringCleaner')) {
require_once __DIR__ . '/class.stringcleaner.php';
}
$this->app->stringcleaner = new StringCleaner($this->app);
}
$this->AddRule('notempty','reg','.'); // at least one sign
$this->AddRule('alpha','reg','[a-zA-Z]');
$this->AddRule('digit','reg','[0-9]');
$this->AddRule('space','reg','[ ]');
$this->AddRule('specialchars','reg','[_-]');
$this->AddRule('email','reg','^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$');
$this->AddRule('datum','reg','([0-9]{1,2})\.([0-9]{1,2})\.([0-9]{4})');
$this->AddRule('username','glue','alpha+digit');
$this->AddRule('password','glue','alpha+digit+specialchars');
}
/**
* @param string $name
* @param null $rule
* @param string $maxlength
* @param string $sqlcheckoff
*
* @return array|mixed|string
*/
public function GetGET($name,$rule=null,$maxlength='',$sqlcheckoff='')
{
if($name === 'msg' && isset($this->app->erp) && method_exists($this, 'xss_clean')) {
$ret = $this->Syntax(isset($this->GET[$name])?$this->GET[$name]:'','',$maxlength,$sqlcheckoff);
$ret = $this->app->erp->base64_url_decode($ret);
if(strpos($ret,'"button"') === false){
$ret = $this->xss_clean($ret);
}
return $this->app->erp->base64_url_encode($ret);
}
if($rule === null) {
$rule = $this->NameToRule($name);
}
return $this->Syntax(isset($this->GET[$name])?$this->GET[$name]:'',$rule,$maxlength,$sqlcheckoff);
}
function NameToRule($name)
{
switch($name)
{
case 'id':
return 'doppelid';
break;
case 'sid':
return 'alphadigits';
break;
case 'module':
case 'smodule':
case 'action':
case 'saction':
return 'module';
break;
case 'cmd':
return 'moduleminus';
break;
}
return 'nothtml';
}
public function GetPOST($name,$rule=null,$maxlength="",$sqlcheckoff="")
{
if($rule === null) {
$rule = $this->NameToRule($name);
if(isset($this->POST['ishtml_cke_'.$name]) && $this->POST['ishtml_cke_'.$name]) {
$rule = 'nojs';
}
}
return $this->Syntax(isset($this->POST[$name])?$this->POST[$name]:'',$rule,$maxlength,$sqlcheckoff);
}
public function GetPOSTForForms($name,$rule="",$maxlength="",$sqlcheckoff="")
{
return $this->SyntaxForForms($this->POST[$name],$rule,$maxlength,$sqlcheckoff);
}
public function CleanString($string, $rule='nohtml',$sqlcheckoff='')
{
return $this->Syntax($string, $rule, '', $sqlcheckoff);
}
public function xss_clean($data)
{
return $this->app->stringcleaner->xss_clean($data);
}
public function GetPOSTArray()
{
if(!empty($this->POST) && count($this->POST)>0)
{
foreach($this->POST as $key=>$value)
{
$value = $this->GetPOST($key);
if ($value !== null) {
$ret[$key] = $value;
}
}
}
if(!empty($ret))
{
return $ret;
}
return null;
}
public function GetGETArray()
{
if(!empty($this->GET) && count($this->GET)>0)
{
foreach($this->GET as $key=>$value)
{
$value = $this->GetGET($key);
if ($value !== null) {
$ret[$key] = $value;
}
}
}
if(!empty($ret))
{
return $ret;
}
return null;
}
function stripallslashes($string) {
while(strstr($string,'\\')) {
$string = stripslashes($string);
}
return $string;
}
public function smartstripslashes($str) {
$cd1 = substr_count($str, "\"");
$cd2 = substr_count($str, "\\\"");
$cs1 = substr_count($str, "'");
$cs2 = substr_count($str, "\\'");
$tmp = strtr($str, array("\\\"" => "", "\\'" => ""));
$cb1 = substr_count($tmp, "\\");
$cb2 = substr_count($tmp, "\\\\");
if ($cd1 == $cd2 && $cs1 == $cs2 && $cb1 == 2 * $cb2) {
return strtr($str, array("\\\"" => "\"", "\\'" => "'", "\\\\" => "\\"));
}
return $str;
}
public function SyntaxForForms($value,$rule,$maxlength="",$sqlcheckoff="")
{
return $value;//mysqli_real_escape_string($this->app->DB->connection,$value);//mysqli_real_escape_string($value);
}
// check actual value with given rule
public function Syntax($value,$rule,$maxlength='',$sqlcheckoff='')
{
$striptags = false;
if(is_array($value))
{
if($sqlcheckoff != '')
{
return $value;
}
foreach($value as $k => $v)
{
if(is_array($v))
{
$value[$k] = $v;
}else{
$v = str_replace("\xef\xbb\xbf","NONBLOCKINGZERO",$v);
if($striptags){
$v = $this->stripallslashes($v);
$v = $this->smartstripslashes($v);
$v = $this->app->erp->superentities($v);
}
$value[$k] = $this->app->DB->real_escape_string($v);
}
}
return $value;
}
$value = str_replace("\xef\xbb\xbf","NONBLOCKINGZERO",$value);
if($striptags){
$value = $this->stripallslashes($value);
$value = $this->smartstripslashes($value);
$value = $this->app->erp->superentities($value);
}
if(!empty($this->app->stringcleaner)) {
if( $sqlcheckoff == '') {
return $this->app->DB->real_escape_string($this->app->stringcleaner->CleanString($value, $rule));
}
return $this->app->stringcleaner->CleanString($value, $rule);
}
if($rule === 'nohtml') {
if( $sqlcheckoff == '') {
return $this->app->DB->real_escape_string(strip_tags($value));
}
return strip_tags($value);
}
if($rule === 'nojs') {
if( $sqlcheckoff == '') {
return $this->app->DB->real_escape_string($this->xss_clean($value));
}
return $this->xss_clean($value);
}
if($rule=='' && $sqlcheckoff == '') {
return $this->app->DB->real_escape_string($value);//mysqli_real_escape_string($value);
}
if($rule=='' && $sqlcheckoff != '') {
return $value;
}
// build complete regexp
// check if rule exists
if($this->GetRegexp($rule)!=''){
//$v = '/^['.$this->GetRegexp($rule).']+$/';
$v = $this->GetRegexp($rule);
if (preg_match_all('/'.$v.'/i', $value, $teffer) ) {
if($sqlcheckoff==''){
return $this->app->DB->real_escape_string($value);//mysqli_real_escape_string($value);
}
return $value;
}
return '';
}
echo "<table border=\"1\" width=\"100%\" bgcolor=\"#FFB6C1\">
<tr><td>Rule <b>$rule</b> doesn't exists!</td></tr></table>";
return '';
}
function RuleCheck($value,$rule)
{
$found = false;
if(!empty($this->app->stringcleaner)) {
$value_ = $this->app->stringcleaner->RuleCheck($value, $rule, $found);
if($found) {
if($value_) {
return true;
}
return false;
}
}
$v = $this->GetRegexp($rule);
if (preg_match_all('/'.$v.'/i', $value, $teffer) ){
return true;
}
return false;
}
function AddRule($name,$type,$rule)
{
// type: reg = regular expression
// type: glue ( already exists rules copy to new e.g. number+digit)
$this->rules[$name]=array('type'=>$type,'rule'=>$rule);
}
// get complete regexp by rule name
function GetRegexp($rule)
{
$rules = explode('+',$rule);
$ret = '';
foreach($rules as $key) {
// check if rule is last in glue string
if($this->rules[$key]['type']==='glue') {
$subrules = explode('+',$this->rules[$key]['rule']);
if(count($subrules)>0) {
foreach($subrules as $subkey) {
$ret .= $this->GetRegexp($subkey);
}
}
}
elseif($this->rules[$key]['type']==='reg') {
$ret .= $this->rules[$key]['rule'];
}
}
if($ret==''){
$ret = 'none';
}
return $ret;
}
}