crypto update; remove (un)serialize from common (en/de)crypt; add checks for

data type to crypto (en/de)crypt; add optional debugging to crypto; add call to db_addslashes in appsession; silence file_exists calls in one common class function per skeeter
2024-12-26 00:29:38 +01:00 · 2001-12-20 16:19:55 +00:00 · 2001-12-20 16:19:55 +00:00 · 9f98fbb9a8
commit 9f98fbb9a8
parent c8b43c7c76
3 changed files with 160 additions and 67 deletions
--- a/phpgwapi/inc/class.common.inc.php
+++ b/phpgwapi/inc/class.common.inc.php
@ -771,15 +771,15 @@
 			$imagedir_default    = '/'.$appname.'/templates/default/images';
 			$imagedir_olddefault = '/'.$appname.'/images';
-			if(file_exists(PHPGW_SERVER_ROOT.$imagedir.'/'.$image))
+			if(@file_exists(PHPGW_SERVER_ROOT.$imagedir.'/'.$image))
 			{
 				$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir.'/'.$image;
 			}
-			elseif(file_exists(PHPGW_SERVER_ROOT.$imagedir_default.'/'.$image))
+			elseif(@file_exists(PHPGW_SERVER_ROOT.$imagedir_default.'/'.$image))
 			{
 				$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_default.'/'.$image;
 			}
-			elseif(file_exists(PHPGW_SERVER_ROOT.$imagedir_olddefault.'/'.$image))
+			elseif(@file_exists(PHPGW_SERVER_ROOT.$imagedir_olddefault.'/'.$image))
 			{
 				$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_olddefault.'/'.$image;
 			}
@ -926,7 +926,6 @@
 		*/
 		function encrypt($data)
 		{
 			$data = serialize($data);
 			return $GLOBALS['phpgw']->crypto->encrypt($data);
 		}
 		/*!
@ -936,8 +935,7 @@
 		*/
 		function decrypt($data)
 		{
-			$data = $GLOBALS['phpgw']->crypto->decrypt($data);
+			return $GLOBALS['phpgw']->crypto->decrypt($data);
 			return unserialize($data);
 		}
 		/*!
 		@function des_cryptpasswd
--- a/phpgwapi/inc/class.crypto.inc.php
+++ b/phpgwapi/inc/class.crypto.inc.php
@ -1,42 +1,56 @@
 <?php
-	/**************************************************************************\
+  /**************************************************************************\
-	* phpGroupWare API - Crypto							*
+  * phpGroupWare API - Crypto                                                *
-	* This file written by Joseph Engo <jengo@phpgroupware.org>			*
+  * This file written by Joseph Engo <jengo@phpgroupware.org>                *
-	* Handles encrypting strings based on various encryption schemes		*
+  * Handles encrypting strings based on various encryption schemes           *
-	* Copyright (C) 2000, 2001 Dan Kuykendall					*
+  * Copyright (C) 2000, 2001 Dan Kuykendall                                  *
-	* -------------------------------------------------------------------------			*
+  * -------------------------------------------------------------------------*
-	* This library is part of the phpGroupWare API					*
+  * This library is part of the phpGroupWare API                             *
-	* http://www.phpgroupware.org/api							* 
+  * http://www.phpgroupware.org/api                                          *
-	* ------------------------------------------------------------------------ 			*
+  * -------------------------------------------------------------------------*
-	* This library is free software; you can redistribute it and/or modify it  		*
+  * This library is free software; you can redistribute it and/or modify it  *
-	* under the terms of the GNU Lesser General Public License as published by 	*
+  * under the terms of the GNU Lesser General Public License as published by *
-	* the Free Software Foundation; either version 2.1 of the License,			*
+  * the Free Software Foundation; either version 2.1 of the License,         *
-	* or any later version.								*
+  * or any later version.                                                    *
-	* This library is distributed in the hope that it will be useful, but			*
+  * This library is distributed in the hope that it will be useful, but      *
-	* WITHOUT ANY WARRANTY; without even the implied warranty of		*
+  * WITHOUT ANY WARRANTY; without even the implied warranty of               *
-	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	*
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.                     *
-	* See the GNU Lesser General Public License for more details.			*
+  * See the GNU Lesser General Public License for more details.              *
-	* You should have received a copy of the GNU Lesser General Public License 	*
+  * You should have received a copy of the GNU Lesser General Public License *
-	* along with this library; if not, write to the Free Software Foundation,  		*
+  * along with this library; if not, write to the Free Software Foundation,  *
-	* Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA			*
+  * Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA            *
-	\**************************************************************************/
+  \**************************************************************************/
 	/* $Id$ */
-	
+
 	class crypto
 	{
 		var $enabled = False;
 		var $debug = False;
 		var $mcrypt_version = '';
-		var $td = False; // Handle for mcrypt
+		var $algo = MCRYPT_TRIPLEDES;
 		var $mode = MCRYPT_MODE_CBC;
 		var $td = False; /* Handle for mcrypt */
 		var $iv = '';
 		var $key = '';
 		function crypto($vars)
 		{
 			/* _debug_array(mcrypt_list_algorithms()); */
 			$key = $vars[0];
 			$iv  = $vars[1];
 			if ($GLOBALS['phpgw_info']['server']['mcrypt_enabled'] && extension_loaded('mcrypt'))
 			{
 				if($GLOBALS['phpgw_info']['server']['mcrypt_algo'])
 				{
 					$this->algo = $GLOBALS['phpgw_info']['server']['mcrypt_algo'];
 				}
 				if($GLOBALS['phpgw_info']['server']['mcrypt_mode'])
 				{
 					$this->mode = $GLOBALS['phpgw_info']['server']['mcrypt_mode'];
 				}
 				$this->enabled = True;
 				$this->mcrypt_version = $GLOBALS['phpgw_info']['server']['versions']['mcrypt'];
 				if ($this->mcrypt_version == 'old')
@ -44,8 +58,8 @@
 					$this->td = False;
 					if (phpversion() > '4.0.2pl1')
 					{
-						$keysize = mcrypt_get_key_size(MCRYPT_TRIPLEDES);
+						$keysize = mcrypt_get_key_size($this->algo);
-						$ivsize  = mcrypt_get_iv_size(MCRYPT_TRIPLEDES,MCRYPT_MODE_CBC);
+						$ivsize  = mcrypt_get_iv_size($this->algo,$this->mode);
 					}
 					else
 					{
@ -55,21 +69,21 @@
 				}
 				else
 				{
-					// Start up mcrypt
+					/* Start up mcrypt */
-					$this->td = mcrypt_module_open (MCRYPT_TRIPLEDES, '', MCRYPT_MODE_CBC, '');
+					$this->td = mcrypt_module_open ($this->algo, '', $this->mode, '');
 					$ivsize  = mcrypt_enc_get_iv_size($this->td);
 					$keysize = mcrypt_enc_get_key_size($this->td);
 				}
-				// Hack IV to be the correct size
+				/* Hack IV to be the correct size */
 				$x = strlen($iv);
 				for ($i = 0; $i < $ivsize; $i++)
 				{
 					$this->iv .= $iv[$i % $x];
 				}
-				// Hack Key to be the correct size
+				/* Hack Key to be the correct size */
 				$x = strlen($key);
 				for ($i = 0; $i < $keysize; $i++)
@ -77,7 +91,7 @@
 					$this->key .= $key[$i % $x];
 				}
 			}
-			// If mcrypt isn't loaded key and iv are not needed
+			/* If mcrypt isn't loaded, key and iv are not needed. */
 		}
 		function cleanup()
@ -99,67 +113,141 @@
 		function encrypt($data)
 		{
-			$data = serialize($data);
+			if($this->debug)
-			$data = addslashes($data);
+			{
-			
+				echo '<br>' . time() . ' crypto->encrypt() unencrypted data: ---->>>>' . $data . "\n";
-			// Disable all encryption if the admin didn't set it up
+			}
 			if(gettype($data) == 'array' || gettype($data) == 'object')
 			{
 				if($this->debug)
 				{
 					echo '<br>' . time() . ' crypto->encrypt() found an "' . gettype($data) . '".  Serializing...' . "\n";
 				}
 				$data = serialize($data);
 				$_obj = True;
 			}
 			else
 			{
 				if($this->debug)
 				{
 					echo '<br>' . time() . ' crypto->encrypt() found "' . gettype($data) . '". No serialization...' . "\n";
 				}
 			}
 			/* Disable all encryption if the admin didn't set it up */
 			if ($this->enabled)
 			{
 				if($_obj)
 				{
 					if($this->debug)
 					{
 						echo '<br>' . time() . ' crypto->encrypt() adding slashes' . "\n";
 					}
 					$data = addslashes($data);
 				}
 				if($this->debug)
 				{
 					echo '<br>' . time() . ' crypto->encrypt() data: ---->>>>' . $data;
 				}
 				switch ($this->mcrypt_version)
 				{
 					// The old code, only works with mcrypt <= 2.2.x
 					case 'old':
-					{
+						/* The old code, only works with mcrypt <= 2.2.x */
-						$encrypteddata = mcrypt_cbc(MCRYPT_TripleDES, $this->key, $data, MCRYPT_ENCRYPT);
+						$encrypteddata = mcrypt_cbc($this->algo, $this->key, $data, MCRYPT_ENCRYPT);
 						break;
 					}
 					default:
-					{ // Handle 2.4 and newer API
+						/* Handle 2.4 and newer API */
 						mcrypt_generic_init ($this->td, $this->key, $this->iv);
 						$encrypteddata = mcrypt_generic($this->td, $data);
 						break;
 					}
 				}
 				$encrypteddata = bin2hex($encrypteddata);
 				if($this->debug)
 				{
 					echo '<br>' . time() . ' crypto->encrypt() crypted data: ---->>>>' . $encrypteddata;
 				}
 				return $encrypteddata;
 			}
 			else
-			{ // No mcrypt == insecure !
+			{
 				/* No mcrypt == insecure ! */
 				if($this->debug)
 				{
 					echo '<br>' . time() . ' crypto->encrypt() crypted data: ---->>>>' . $data;
 				}
 				return $data;
 			}
 		}
 		function decrypt($encrypteddata)
 		{
-			// Disable all encryption if the admin didn't set it up
+			if($this->debug)
 			{
 				echo '<br>' . time() . ' crypto->decrypt() crypted data: ---->>>>' . $encrypteddata;
 			}
 			/* Disable all encryption if the admin didn't set it up */
 			if ($this->enabled)
 			{
 				$data = $this->hex2bin($encrypteddata);
 				switch ($this->mcrypt_version)
 				{
 					// The old code, only works with mcrypt <= 2.2.x
 					case 'old':
-						$data = mcrypt_cbc(MCRYPT_TripleDES, $this->key, $data, MCRYPT_DECRYPT);
+						/* The old code, only works with mcrypt <= 2.2.x */
 						$data = mcrypt_cbc($this->algo, $this->key, $data, MCRYPT_DECRYPT);
 						break;
 					// Handle 2.4 and newer API
 					default:
 						/* Handle 2.4 and newer API */
 						mcrypt_generic_init ($this->td, $this->key, $this->iv);
 						$data = mdecrypt_generic($this->td, $data);
 						break;
 				}
 				if($this->debug)
 				{
 					echo '<br>' . time() . ' crypto->decrypt() decrypted data: ---->>>>' . $data;
 				}
 				$test = unserialize(stripslashes($data));
 				if($test)
 				{
 					if($this->debug)
 					{
 						echo '<br>' . time() . ' crypto->decrypt() stripping slashes' . "\n";
 					}
 					$data = stripslashes($data);
 				}
 				unset($test);
 				if($this->debug)
 				{
 					echo '<br>' . time() . ' crypto->decrypt() data: ---->>>>' . $data . "\n";
 				}
 			}
 			else
 			{
 				/* No mcrypt == insecure ! */
 				$data = $encrypteddata;
 			}
-			
+
-			if(!strpos(' '.$data,'O:8:"stdClass"'))
+			$newdata = unserialize($data);
 			if($newdata)
 			{
-				return unserialize($data);
+				if($this->debug)
 				{
 					echo '<br>' . time() . ' crypto->decrypt() found serialized "' . gettype($newdata) . '".  Unserializing...' . "\n";
 					echo '<br>' . time() . ' crypto->decrypt() returning: '; _debug_array($newdata);
 				}
 				return $newdata;
 			}
 			else
 			{
-				$data = stripslashes($data);
+				if($this->debug)
 				{
 					echo '<br>' . time() . ' crypto->decrypt() found UNserialized "' . gettype($data) . '".  No unserialization...' . "\n";
 					echo '<br>' . time() . ' crypto->decrypt() returning: ' . $data;
 				}
 				return $data;
 			}
 		}
--- a/phpgwapi/inc/class.sessions.inc.php
+++ b/phpgwapi/inc/class.sessions.inc.php
@ -718,9 +718,9 @@
 			/* This allows the user to put '' as the value. */
 			if ($data == '##NOTHING##')
 			{
-				$query = "select content from phpgw_app_sessions where"
+				$query = "SELECT content FROM phpgw_app_sessions WHERE"
-					." sessionid = '".$this->sessionid."' and loginid = '".$this->account_id."'"
+					." sessionid='".$this->sessionid."' AND loginid='".$this->account_id."'"
-					." and app = '".$appname."' and location = '".$location."'";
+					." AND app = '".$appname."' AND location='".$location."'";
 				$GLOBALS['phpgw']->db->query($query,__LINE__,__FILE__);
 				$GLOBALS['phpgw']->db->next_record();
@ -731,16 +731,23 @@
 				// This was not properly decoding structures saved into session data properly
 //				$data = $GLOBALS['phpgw']->common->decrypt($data);
 //				return stripslashes($data);
-				return $GLOBALS['phpgw']->crypto->decrypt($data);
+				// Changed by milosch 2001 Dec 20
-
+				// do not stripslashes here unless this proves to be a problem.
 				$data = $GLOBALS['phpgw']->common->decrypt($data);
 				//echo 'appsession returning: '; _debug_array($data);
 				return $data;
 			}
 			else
 			{
-				$GLOBALS['phpgw']->db->query("select content from phpgw_app_sessions where "
+				$GLOBALS['phpgw']->db->query("SELECT content FROM phpgw_app_sessions WHERE "
-					. "sessionid = '".$this->sessionid."' and loginid = '".$this->account_id."'"
+					. "sessionid = '".$this->sessionid."' AND loginid = '".$this->account_id."'"
-					. " and app = '".$appname."' and location = '".$location."'",__LINE__,__FILE__);
+					. " AND app = '".$appname."' AND location = '".$location."'",__LINE__,__FILE__);
 				$encrypteddata = $GLOBALS['phpgw']->crypto->encrypt($data);
 				// Added by milosch 2001 Dec 20
 				// Use db_addslashes to slash this
 				$encrypteddata = $GLOBALS['phpgw']->db->db_addslashes($encrypteddata);
 				if ($GLOBALS['phpgw']->db->num_rows()==0)
 				{
 					$GLOBALS['phpgw']->db->query("INSERT INTO phpgw_app_sessions (sessionid,loginid,app,location,content,session_dla) "
@ -749,10 +756,10 @@
 				}
 				else
 				{
-					$GLOBALS['phpgw']->db->query("update phpgw_app_sessions set content = '".$encrypteddata."'"
+					$GLOBALS['phpgw']->db->query("UPDATE phpgw_app_sessions SET content='".$encrypteddata."'"
-						. "where sessionid = '".$this->sessionid."'"
+						. "WHERE sessionid = '".$this->sessionid."'"
-						. "and loginid = '".$this->account_id."' and app = '".$appname."'"
+						. "AND loginid = '".$this->account_id."' AND app = '".$appname."'"
-						. "and location = '".$location."'",__LINE__,__FILE__);
+						. "AND location = '".$location."'",__LINE__,__FILE__);
 				}
 				return $data;
 			}