From 9f98fbb9a8874871585f9c5898d5cfd8c24937e8 Mon Sep 17 00:00:00 2001 From: Miles Lott Date: Thu, 20 Dec 2001 16:19:55 +0000 Subject: [PATCH] crypto update; remove (un)serialize from common (en/de)crypt; add checks for data type to crypto (en/de)crypt; add optional debugging to crypto; add call to db_addslashes in appsession; silence file_exists calls in one common class function per skeeter --- phpgwapi/inc/class.common.inc.php | 10 +- phpgwapi/inc/class.crypto.inc.php | 186 ++++++++++++++++++++-------- phpgwapi/inc/class.sessions.inc.php | 31 +++-- 3 files changed, 160 insertions(+), 67 deletions(-) diff --git a/phpgwapi/inc/class.common.inc.php b/phpgwapi/inc/class.common.inc.php index cf664b9beb..aa9561ee57 100644 --- a/phpgwapi/inc/class.common.inc.php +++ b/phpgwapi/inc/class.common.inc.php @@ -771,15 +771,15 @@ $imagedir_default = '/'.$appname.'/templates/default/images'; $imagedir_olddefault = '/'.$appname.'/images'; - if(file_exists(PHPGW_SERVER_ROOT.$imagedir.'/'.$image)) + if(@file_exists(PHPGW_SERVER_ROOT.$imagedir.'/'.$image)) { $imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir.'/'.$image; } - elseif(file_exists(PHPGW_SERVER_ROOT.$imagedir_default.'/'.$image)) + elseif(@file_exists(PHPGW_SERVER_ROOT.$imagedir_default.'/'.$image)) { $imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_default.'/'.$image; } - elseif(file_exists(PHPGW_SERVER_ROOT.$imagedir_olddefault.'/'.$image)) + elseif(@file_exists(PHPGW_SERVER_ROOT.$imagedir_olddefault.'/'.$image)) { $imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_olddefault.'/'.$image; } @@ -926,7 +926,6 @@ */ function encrypt($data) { - $data = serialize($data); return $GLOBALS['phpgw']->crypto->encrypt($data); } /*! @@ -936,8 +935,7 @@ */ function decrypt($data) { - $data = $GLOBALS['phpgw']->crypto->decrypt($data); - return unserialize($data); + return $GLOBALS['phpgw']->crypto->decrypt($data); } /*! @function des_cryptpasswd diff --git a/phpgwapi/inc/class.crypto.inc.php b/phpgwapi/inc/class.crypto.inc.php index f03a6adc84..7fe182bebf 100644 --- a/phpgwapi/inc/class.crypto.inc.php +++ b/phpgwapi/inc/class.crypto.inc.php @@ -1,42 +1,56 @@ * - * Handles encrypting strings based on various encryption schemes * - * Copyright (C) 2000, 2001 Dan Kuykendall * - * ------------------------------------------------------------------------- * - * This library is part of the phpGroupWare API * - * http://www.phpgroupware.org/api * - * ------------------------------------------------------------------------ * - * This library is free software; you can redistribute it and/or modify it * - * under the terms of the GNU Lesser General Public License as published by * - * the Free Software Foundation; either version 2.1 of the License, * - * or any later version. * - * This library is distributed in the hope that it will be useful, but * - * WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * - * See the GNU Lesser General Public License for more details. * - * You should have received a copy of the GNU Lesser General Public License * - * along with this library; if not, write to the Free Software Foundation, * - * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * - \**************************************************************************/ + /**************************************************************************\ + * phpGroupWare API - Crypto * + * This file written by Joseph Engo * + * Handles encrypting strings based on various encryption schemes * + * Copyright (C) 2000, 2001 Dan Kuykendall * + * -------------------------------------------------------------------------* + * This library is part of the phpGroupWare API * + * http://www.phpgroupware.org/api * + * -------------------------------------------------------------------------* + * This library is free software; you can redistribute it and/or modify it * + * under the terms of the GNU Lesser General Public License as published by * + * the Free Software Foundation; either version 2.1 of the License, * + * or any later version. * + * This library is distributed in the hope that it will be useful, but * + * WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * + * See the GNU Lesser General Public License for more details. * + * You should have received a copy of the GNU Lesser General Public License * + * along with this library; if not, write to the Free Software Foundation, * + * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * + \**************************************************************************/ /* $Id$ */ - + class crypto { var $enabled = False; + var $debug = False; + var $mcrypt_version = ''; - var $td = False; // Handle for mcrypt + var $algo = MCRYPT_TRIPLEDES; + var $mode = MCRYPT_MODE_CBC; + var $td = False; /* Handle for mcrypt */ var $iv = ''; var $key = ''; function crypto($vars) { + /* _debug_array(mcrypt_list_algorithms()); */ $key = $vars[0]; $iv = $vars[1]; if ($GLOBALS['phpgw_info']['server']['mcrypt_enabled'] && extension_loaded('mcrypt')) { + if($GLOBALS['phpgw_info']['server']['mcrypt_algo']) + { + $this->algo = $GLOBALS['phpgw_info']['server']['mcrypt_algo']; + } + if($GLOBALS['phpgw_info']['server']['mcrypt_mode']) + { + $this->mode = $GLOBALS['phpgw_info']['server']['mcrypt_mode']; + } + $this->enabled = True; $this->mcrypt_version = $GLOBALS['phpgw_info']['server']['versions']['mcrypt']; if ($this->mcrypt_version == 'old') @@ -44,8 +58,8 @@ $this->td = False; if (phpversion() > '4.0.2pl1') { - $keysize = mcrypt_get_key_size(MCRYPT_TRIPLEDES); - $ivsize = mcrypt_get_iv_size(MCRYPT_TRIPLEDES,MCRYPT_MODE_CBC); + $keysize = mcrypt_get_key_size($this->algo); + $ivsize = mcrypt_get_iv_size($this->algo,$this->mode); } else { @@ -55,21 +69,21 @@ } else { - // Start up mcrypt - $this->td = mcrypt_module_open (MCRYPT_TRIPLEDES, '', MCRYPT_MODE_CBC, ''); + /* Start up mcrypt */ + $this->td = mcrypt_module_open ($this->algo, '', $this->mode, ''); $ivsize = mcrypt_enc_get_iv_size($this->td); $keysize = mcrypt_enc_get_key_size($this->td); } - // Hack IV to be the correct size + /* Hack IV to be the correct size */ $x = strlen($iv); for ($i = 0; $i < $ivsize; $i++) { $this->iv .= $iv[$i % $x]; } - // Hack Key to be the correct size + /* Hack Key to be the correct size */ $x = strlen($key); for ($i = 0; $i < $keysize; $i++) @@ -77,7 +91,7 @@ $this->key .= $key[$i % $x]; } } - // If mcrypt isn't loaded key and iv are not needed + /* If mcrypt isn't loaded, key and iv are not needed. */ } function cleanup() @@ -99,67 +113,141 @@ function encrypt($data) { - $data = serialize($data); - $data = addslashes($data); - - // Disable all encryption if the admin didn't set it up + if($this->debug) + { + echo '
' . time() . ' crypto->encrypt() unencrypted data: ---->>>>' . $data . "\n"; + } + + if(gettype($data) == 'array' || gettype($data) == 'object') + { + if($this->debug) + { + echo '
' . time() . ' crypto->encrypt() found an "' . gettype($data) . '". Serializing...' . "\n"; + } + $data = serialize($data); + $_obj = True; + } + else + { + if($this->debug) + { + echo '
' . time() . ' crypto->encrypt() found "' . gettype($data) . '". No serialization...' . "\n"; + } + } + + /* Disable all encryption if the admin didn't set it up */ if ($this->enabled) { + if($_obj) + { + if($this->debug) + { + echo '
' . time() . ' crypto->encrypt() adding slashes' . "\n"; + } + $data = addslashes($data); + } + + if($this->debug) + { + echo '
' . time() . ' crypto->encrypt() data: ---->>>>' . $data; + } + switch ($this->mcrypt_version) { - // The old code, only works with mcrypt <= 2.2.x case 'old': - { - $encrypteddata = mcrypt_cbc(MCRYPT_TripleDES, $this->key, $data, MCRYPT_ENCRYPT); + /* The old code, only works with mcrypt <= 2.2.x */ + $encrypteddata = mcrypt_cbc($this->algo, $this->key, $data, MCRYPT_ENCRYPT); break; - } default: - { // Handle 2.4 and newer API + /* Handle 2.4 and newer API */ mcrypt_generic_init ($this->td, $this->key, $this->iv); $encrypteddata = mcrypt_generic($this->td, $data); break; - } } $encrypteddata = bin2hex($encrypteddata); + if($this->debug) + { + echo '
' . time() . ' crypto->encrypt() crypted data: ---->>>>' . $encrypteddata; + } return $encrypteddata; } else - { // No mcrypt == insecure ! + { + /* No mcrypt == insecure ! */ + if($this->debug) + { + echo '
' . time() . ' crypto->encrypt() crypted data: ---->>>>' . $data; + } return $data; } } function decrypt($encrypteddata) { - // Disable all encryption if the admin didn't set it up + if($this->debug) + { + echo '
' . time() . ' crypto->decrypt() crypted data: ---->>>>' . $encrypteddata; + } + /* Disable all encryption if the admin didn't set it up */ if ($this->enabled) { $data = $this->hex2bin($encrypteddata); switch ($this->mcrypt_version) { - // The old code, only works with mcrypt <= 2.2.x case 'old': - $data = mcrypt_cbc(MCRYPT_TripleDES, $this->key, $data, MCRYPT_DECRYPT); + /* The old code, only works with mcrypt <= 2.2.x */ + $data = mcrypt_cbc($this->algo, $this->key, $data, MCRYPT_DECRYPT); break; - // Handle 2.4 and newer API default: + /* Handle 2.4 and newer API */ mcrypt_generic_init ($this->td, $this->key, $this->iv); $data = mdecrypt_generic($this->td, $data); break; } + + if($this->debug) + { + echo '
' . time() . ' crypto->decrypt() decrypted data: ---->>>>' . $data; + } + $test = unserialize(stripslashes($data)); + if($test) + { + if($this->debug) + { + echo '
' . time() . ' crypto->decrypt() stripping slashes' . "\n"; + } + $data = stripslashes($data); + } + unset($test); + + if($this->debug) + { + echo '
' . time() . ' crypto->decrypt() data: ---->>>>' . $data . "\n"; + } } else { + /* No mcrypt == insecure ! */ $data = $encrypteddata; } - - if(!strpos(' '.$data,'O:8:"stdClass"')) + + $newdata = unserialize($data); + if($newdata) { - return unserialize($data); + if($this->debug) + { + echo '
' . time() . ' crypto->decrypt() found serialized "' . gettype($newdata) . '". Unserializing...' . "\n"; + echo '
' . time() . ' crypto->decrypt() returning: '; _debug_array($newdata); + } + return $newdata; } else { - $data = stripslashes($data); + if($this->debug) + { + echo '
' . time() . ' crypto->decrypt() found UNserialized "' . gettype($data) . '". No unserialization...' . "\n"; + echo '
' . time() . ' crypto->decrypt() returning: ' . $data; + } return $data; } } diff --git a/phpgwapi/inc/class.sessions.inc.php b/phpgwapi/inc/class.sessions.inc.php index fdc81d8d36..714613f7a2 100644 --- a/phpgwapi/inc/class.sessions.inc.php +++ b/phpgwapi/inc/class.sessions.inc.php @@ -718,9 +718,9 @@ /* This allows the user to put '' as the value. */ if ($data == '##NOTHING##') { - $query = "select content from phpgw_app_sessions where" - ." sessionid = '".$this->sessionid."' and loginid = '".$this->account_id."'" - ." and app = '".$appname."' and location = '".$location."'"; + $query = "SELECT content FROM phpgw_app_sessions WHERE" + ." sessionid='".$this->sessionid."' AND loginid='".$this->account_id."'" + ." AND app = '".$appname."' AND location='".$location."'"; $GLOBALS['phpgw']->db->query($query,__LINE__,__FILE__); $GLOBALS['phpgw']->db->next_record(); @@ -731,16 +731,23 @@ // This was not properly decoding structures saved into session data properly // $data = $GLOBALS['phpgw']->common->decrypt($data); // return stripslashes($data); - return $GLOBALS['phpgw']->crypto->decrypt($data); - + // Changed by milosch 2001 Dec 20 + // do not stripslashes here unless this proves to be a problem. + $data = $GLOBALS['phpgw']->common->decrypt($data); + //echo 'appsession returning: '; _debug_array($data); + return $data; } else { - $GLOBALS['phpgw']->db->query("select content from phpgw_app_sessions where " - . "sessionid = '".$this->sessionid."' and loginid = '".$this->account_id."'" - . " and app = '".$appname."' and location = '".$location."'",__LINE__,__FILE__); + $GLOBALS['phpgw']->db->query("SELECT content FROM phpgw_app_sessions WHERE " + . "sessionid = '".$this->sessionid."' AND loginid = '".$this->account_id."'" + . " AND app = '".$appname."' AND location = '".$location."'",__LINE__,__FILE__); $encrypteddata = $GLOBALS['phpgw']->crypto->encrypt($data); + // Added by milosch 2001 Dec 20 + // Use db_addslashes to slash this + $encrypteddata = $GLOBALS['phpgw']->db->db_addslashes($encrypteddata); + if ($GLOBALS['phpgw']->db->num_rows()==0) { $GLOBALS['phpgw']->db->query("INSERT INTO phpgw_app_sessions (sessionid,loginid,app,location,content,session_dla) " @@ -749,10 +756,10 @@ } else { - $GLOBALS['phpgw']->db->query("update phpgw_app_sessions set content = '".$encrypteddata."'" - . "where sessionid = '".$this->sessionid."'" - . "and loginid = '".$this->account_id."' and app = '".$appname."'" - . "and location = '".$location."'",__LINE__,__FILE__); + $GLOBALS['phpgw']->db->query("UPDATE phpgw_app_sessions SET content='".$encrypteddata."'" + . "WHERE sessionid = '".$this->sessionid."'" + . "AND loginid = '".$this->account_id."' AND app = '".$appname."'" + . "AND location = '".$location."'",__LINE__,__FILE__); } return $data; }