crypto update; remove (un)serialize from common (en/de)crypt; add checks for
data type to crypto (en/de)crypt; add optional debugging to crypto; add call to db_addslashes in appsession; silence file_exists calls in one common class function per skeeter
This commit is contained in:
parent
c8b43c7c76
commit
9f98fbb9a8
@ -771,15 +771,15 @@
|
|||||||
$imagedir_default = '/'.$appname.'/templates/default/images';
|
$imagedir_default = '/'.$appname.'/templates/default/images';
|
||||||
$imagedir_olddefault = '/'.$appname.'/images';
|
$imagedir_olddefault = '/'.$appname.'/images';
|
||||||
|
|
||||||
if(file_exists(PHPGW_SERVER_ROOT.$imagedir.'/'.$image))
|
if(@file_exists(PHPGW_SERVER_ROOT.$imagedir.'/'.$image))
|
||||||
{
|
{
|
||||||
$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir.'/'.$image;
|
$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir.'/'.$image;
|
||||||
}
|
}
|
||||||
elseif(file_exists(PHPGW_SERVER_ROOT.$imagedir_default.'/'.$image))
|
elseif(@file_exists(PHPGW_SERVER_ROOT.$imagedir_default.'/'.$image))
|
||||||
{
|
{
|
||||||
$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_default.'/'.$image;
|
$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_default.'/'.$image;
|
||||||
}
|
}
|
||||||
elseif(file_exists(PHPGW_SERVER_ROOT.$imagedir_olddefault.'/'.$image))
|
elseif(@file_exists(PHPGW_SERVER_ROOT.$imagedir_olddefault.'/'.$image))
|
||||||
{
|
{
|
||||||
$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_olddefault.'/'.$image;
|
$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_olddefault.'/'.$image;
|
||||||
}
|
}
|
||||||
@ -926,7 +926,6 @@
|
|||||||
*/
|
*/
|
||||||
function encrypt($data)
|
function encrypt($data)
|
||||||
{
|
{
|
||||||
$data = serialize($data);
|
|
||||||
return $GLOBALS['phpgw']->crypto->encrypt($data);
|
return $GLOBALS['phpgw']->crypto->encrypt($data);
|
||||||
}
|
}
|
||||||
/*!
|
/*!
|
||||||
@ -936,8 +935,7 @@
|
|||||||
*/
|
*/
|
||||||
function decrypt($data)
|
function decrypt($data)
|
||||||
{
|
{
|
||||||
$data = $GLOBALS['phpgw']->crypto->decrypt($data);
|
return $GLOBALS['phpgw']->crypto->decrypt($data);
|
||||||
return unserialize($data);
|
|
||||||
}
|
}
|
||||||
/*!
|
/*!
|
||||||
@function des_cryptpasswd
|
@function des_cryptpasswd
|
||||||
|
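Review bot: The `@` added to the three `file_exists()` calls in this hunk does not change the missing-file case (file_exists() already returns false silently there); what it hides is the open_basedir / safe_mode warning raised when `PHPGW_SERVER_ROOT.$imagedir.'/'.$image` resolves outside the permitted tree, which is the one diagnostic worth keeping. If the intent is to avoid notices from an unset `$imagedir`, guarding the input keeps the check visible, e.g. `if($imagedir != '' && file_exists(PHPGW_SERVER_ROOT.$imagedir.'/'.$image))`. Where `$appname` and `$image` come from is not visible in the hunk; if either can originate from the request, a basename() or allow-list check belongs before the path is built rather than a suppressed probe. The enclosing function starts and ends outside this hunk.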
@ -1,42 +1,56 @@
|
|||||||
<?php
|
<?php
|
||||||
/**************************************************************************\
|
/**************************************************************************\
|
||||||
* phpGroupWare API - Crypto *
|
* phpGroupWare API - Crypto *
|
||||||
* This file written by Joseph Engo <jengo@phpgroupware.org> *
|
* This file written by Joseph Engo <jengo@phpgroupware.org> *
|
||||||
* Handles encrypting strings based on various encryption schemes *
|
* Handles encrypting strings based on various encryption schemes *
|
||||||
* Copyright (C) 2000, 2001 Dan Kuykendall *
|
* Copyright (C) 2000, 2001 Dan Kuykendall *
|
||||||
* ------------------------------------------------------------------------- *
|
* -------------------------------------------------------------------------*
|
||||||
* This library is part of the phpGroupWare API *
|
* This library is part of the phpGroupWare API *
|
||||||
* http://www.phpgroupware.org/api *
|
* http://www.phpgroupware.org/api *
|
||||||
* ------------------------------------------------------------------------ *
|
* -------------------------------------------------------------------------*
|
||||||
* This library is free software; you can redistribute it and/or modify it *
|
* This library is free software; you can redistribute it and/or modify it *
|
||||||
* under the terms of the GNU Lesser General Public License as published by *
|
* under the terms of the GNU Lesser General Public License as published by *
|
||||||
* the Free Software Foundation; either version 2.1 of the License, *
|
* the Free Software Foundation; either version 2.1 of the License, *
|
||||||
* or any later version. *
|
* or any later version. *
|
||||||
* This library is distributed in the hope that it will be useful, but *
|
* This library is distributed in the hope that it will be useful, but *
|
||||||
* WITHOUT ANY WARRANTY; without even the implied warranty of *
|
* WITHOUT ANY WARRANTY; without even the implied warranty of *
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
|
||||||
* See the GNU Lesser General Public License for more details. *
|
* See the GNU Lesser General Public License for more details. *
|
||||||
* You should have received a copy of the GNU Lesser General Public License *
|
* You should have received a copy of the GNU Lesser General Public License *
|
||||||
* along with this library; if not, write to the Free Software Foundation, *
|
* along with this library; if not, write to the Free Software Foundation, *
|
||||||
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
|
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
|
||||||
\**************************************************************************/
|
\**************************************************************************/
|
||||||
|
|
||||||
/* $Id$ */
|
/* $Id$ */
|
||||||
|
|
||||||
class crypto
|
class crypto
|
||||||
{
|
{
|
||||||
var $enabled = False;
|
var $enabled = False;
|
||||||
|
var $debug = False;
|
||||||
|
|
||||||
var $mcrypt_version = '';
|
var $mcrypt_version = '';
|
||||||
var $td = False; // Handle for mcrypt
|
var $algo = MCRYPT_TRIPLEDES;
|
||||||
|
var $mode = MCRYPT_MODE_CBC;
|
||||||
|
var $td = False; /* Handle for mcrypt */
|
||||||
var $iv = '';
|
var $iv = '';
|
||||||
var $key = '';
|
var $key = '';
|
||||||
|
|
||||||
function crypto($vars)
|
function crypto($vars)
|
||||||
{
|
{
|
||||||
|
/* _debug_array(mcrypt_list_algorithms()); */
|
||||||
$key = $vars[0];
|
$key = $vars[0];
|
||||||
$iv = $vars[1];
|
$iv = $vars[1];
|
||||||
if ($GLOBALS['phpgw_info']['server']['mcrypt_enabled'] && extension_loaded('mcrypt'))
|
if ($GLOBALS['phpgw_info']['server']['mcrypt_enabled'] && extension_loaded('mcrypt'))
|
||||||
{
|
{
|
||||||
|
if($GLOBALS['phpgw_info']['server']['mcrypt_algo'])
|
||||||
|
{
|
||||||
|
$this->algo = $GLOBALS['phpgw_info']['server']['mcrypt_algo'];
|
||||||
|
}
|
||||||
|
if($GLOBALS['phpgw_info']['server']['mcrypt_mode'])
|
||||||
|
{
|
||||||
|
$this->mode = $GLOBALS['phpgw_info']['server']['mcrypt_mode'];
|
||||||
|
}
|
||||||
|
|
||||||
$this->enabled = True;
|
$this->enabled = True;
|
||||||
$this->mcrypt_version = $GLOBALS['phpgw_info']['server']['versions']['mcrypt'];
|
$this->mcrypt_version = $GLOBALS['phpgw_info']['server']['versions']['mcrypt'];
|
||||||
if ($this->mcrypt_version == 'old')
|
if ($this->mcrypt_version == 'old')
|
||||||
@ -44,8 +58,8 @@
|
|||||||
$this->td = False;
|
$this->td = False;
|
||||||
if (phpversion() > '4.0.2pl1')
|
if (phpversion() > '4.0.2pl1')
|
||||||
{
|
{
|
||||||
$keysize = mcrypt_get_key_size(MCRYPT_TRIPLEDES);
|
$keysize = mcrypt_get_key_size($this->algo);
|
||||||
$ivsize = mcrypt_get_iv_size(MCRYPT_TRIPLEDES,MCRYPT_MODE_CBC);
|
$ivsize = mcrypt_get_iv_size($this->algo,$this->mode);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@ -55,21 +69,21 @@
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
// Start up mcrypt
|
/* Start up mcrypt */
|
||||||
$this->td = mcrypt_module_open (MCRYPT_TRIPLEDES, '', MCRYPT_MODE_CBC, '');
|
$this->td = mcrypt_module_open ($this->algo, '', $this->mode, '');
|
||||||
|
|
||||||
$ivsize = mcrypt_enc_get_iv_size($this->td);
|
$ivsize = mcrypt_enc_get_iv_size($this->td);
|
||||||
$keysize = mcrypt_enc_get_key_size($this->td);
|
$keysize = mcrypt_enc_get_key_size($this->td);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Hack IV to be the correct size
|
/* Hack IV to be the correct size */
|
||||||
$x = strlen($iv);
|
$x = strlen($iv);
|
||||||
for ($i = 0; $i < $ivsize; $i++)
|
for ($i = 0; $i < $ivsize; $i++)
|
||||||
{
|
{
|
||||||
$this->iv .= $iv[$i % $x];
|
$this->iv .= $iv[$i % $x];
|
||||||
}
|
}
|
||||||
|
|
||||||
// Hack Key to be the correct size
|
/* Hack Key to be the correct size */
|
||||||
$x = strlen($key);
|
$x = strlen($key);
|
||||||
|
|
||||||
for ($i = 0; $i < $keysize; $i++)
|
for ($i = 0; $i < $keysize; $i++)
|
||||||
@ -77,7 +91,7 @@
|
|||||||
$this->key .= $key[$i % $x];
|
$this->key .= $key[$i % $x];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// If mcrypt isn't loaded key and iv are not needed
|
/* If mcrypt isn't loaded, key and iv are not needed. */
|
||||||
}
|
}
|
||||||
|
|
||||||
function cleanup()
|
function cleanup()
|
||||||
@ -99,67 +113,141 @@
|
|||||||
|
|
||||||
function encrypt($data)
|
function encrypt($data)
|
||||||
{
|
{
|
||||||
$data = serialize($data);
|
if($this->debug)
|
||||||
$data = addslashes($data);
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->encrypt() unencrypted data: ---->>>>' . $data . "\n";
|
||||||
|
}
|
||||||
|
|
||||||
// Disable all encryption if the admin didn't set it up
|
if(gettype($data) == 'array' || gettype($data) == 'object')
|
||||||
|
{
|
||||||
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->encrypt() found an "' . gettype($data) . '". Serializing...' . "\n";
|
||||||
|
}
|
||||||
|
$data = serialize($data);
|
||||||
|
$_obj = True;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->encrypt() found "' . gettype($data) . '". No serialization...' . "\n";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Disable all encryption if the admin didn't set it up */
|
||||||
if ($this->enabled)
|
if ($this->enabled)
|
||||||
{
|
{
|
||||||
|
if($_obj)
|
||||||
|
{
|
||||||
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->encrypt() adding slashes' . "\n";
|
||||||
|
}
|
||||||
|
$data = addslashes($data);
|
||||||
|
}
|
||||||
|
|
||||||
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->encrypt() data: ---->>>>' . $data;
|
||||||
|
}
|
||||||
|
|
||||||
switch ($this->mcrypt_version)
|
switch ($this->mcrypt_version)
|
||||||
{
|
{
|
||||||
// The old code, only works with mcrypt <= 2.2.x
|
|
||||||
case 'old':
|
case 'old':
|
||||||
{
|
/* The old code, only works with mcrypt <= 2.2.x */
|
||||||
$encrypteddata = mcrypt_cbc(MCRYPT_TripleDES, $this->key, $data, MCRYPT_ENCRYPT);
|
$encrypteddata = mcrypt_cbc($this->algo, $this->key, $data, MCRYPT_ENCRYPT);
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
default:
|
default:
|
||||||
{ // Handle 2.4 and newer API
|
/* Handle 2.4 and newer API */
|
||||||
mcrypt_generic_init ($this->td, $this->key, $this->iv);
|
mcrypt_generic_init ($this->td, $this->key, $this->iv);
|
||||||
$encrypteddata = mcrypt_generic($this->td, $data);
|
$encrypteddata = mcrypt_generic($this->td, $data);
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
$encrypteddata = bin2hex($encrypteddata);
|
$encrypteddata = bin2hex($encrypteddata);
|
||||||
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->encrypt() crypted data: ---->>>>' . $encrypteddata;
|
||||||
|
}
|
||||||
return $encrypteddata;
|
return $encrypteddata;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{ // No mcrypt == insecure !
|
{
|
||||||
|
/* No mcrypt == insecure ! */
|
||||||
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->encrypt() crypted data: ---->>>>' . $data;
|
||||||
|
}
|
||||||
return $data;
|
return $data;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function decrypt($encrypteddata)
|
function decrypt($encrypteddata)
|
||||||
{
|
{
|
||||||
// Disable all encryption if the admin didn't set it up
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->decrypt() crypted data: ---->>>>' . $encrypteddata;
|
||||||
|
}
|
||||||
|
/* Disable all encryption if the admin didn't set it up */
|
||||||
if ($this->enabled)
|
if ($this->enabled)
|
||||||
{
|
{
|
||||||
$data = $this->hex2bin($encrypteddata);
|
$data = $this->hex2bin($encrypteddata);
|
||||||
switch ($this->mcrypt_version)
|
switch ($this->mcrypt_version)
|
||||||
{
|
{
|
||||||
// The old code, only works with mcrypt <= 2.2.x
|
|
||||||
case 'old':
|
case 'old':
|
||||||
$data = mcrypt_cbc(MCRYPT_TripleDES, $this->key, $data, MCRYPT_DECRYPT);
|
/* The old code, only works with mcrypt <= 2.2.x */
|
||||||
|
$data = mcrypt_cbc($this->algo, $this->key, $data, MCRYPT_DECRYPT);
|
||||||
break;
|
break;
|
||||||
// Handle 2.4 and newer API
|
|
||||||
default:
|
default:
|
||||||
|
/* Handle 2.4 and newer API */
|
||||||
mcrypt_generic_init ($this->td, $this->key, $this->iv);
|
mcrypt_generic_init ($this->td, $this->key, $this->iv);
|
||||||
$data = mdecrypt_generic($this->td, $data);
|
$data = mdecrypt_generic($this->td, $data);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->decrypt() decrypted data: ---->>>>' . $data;
|
||||||
|
}
|
||||||
|
$test = unserialize(stripslashes($data));
|
||||||
|
if($test)
|
||||||
|
{
|
||||||
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->decrypt() stripping slashes' . "\n";
|
||||||
|
}
|
||||||
|
$data = stripslashes($data);
|
||||||
|
}
|
||||||
|
unset($test);
|
||||||
|
|
||||||
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->decrypt() data: ---->>>>' . $data . "\n";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
/* No mcrypt == insecure ! */
|
||||||
$data = $encrypteddata;
|
$data = $encrypteddata;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!strpos(' '.$data,'O:8:"stdClass"'))
|
$newdata = unserialize($data);
|
||||||
|
if($newdata)
|
||||||
{
|
{
|
||||||
return unserialize($data);
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->decrypt() found serialized "' . gettype($newdata) . '". Unserializing...' . "\n";
|
||||||
|
echo '<br>' . time() . ' crypto->decrypt() returning: '; _debug_array($newdata);
|
||||||
|
}
|
||||||
|
return $newdata;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$data = stripslashes($data);
|
if($this->debug)
|
||||||
|
{
|
||||||
|
echo '<br>' . time() . ' crypto->decrypt() found UNserialized "' . gettype($data) . '". No unserialization...' . "\n";
|
||||||
|
echo '<br>' . time() . ' crypto->decrypt() returning: ' . $data;
|
||||||
|
}
|
||||||
return $data;
|
return $data;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
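Review bot: In decrypt(), the `if($newdata)` test after `$newdata = unserialize($data);` — and the same `if($test)` after the `unserialize(stripslashes($data))` probe — treats any falsy value as "not serialized", so a stored `false`, `0`, `''` or empty array is returned to the caller as the raw serialized string instead of the value. Comparing against the failure sentinel covers those cases: `if($newdata !== false || $data === 'b:0;')`. In encrypt(), `$_obj` is only assigned inside the array/object branch, so `if($_obj)` in the enabled path reads an undefined variable for scalar input; initialise it with `$_obj = False;` before the gettype() check. Both probes also call unserialize() on whatever was read back from the session table — in the mcrypt-disabled branch that is the stored content verbatim — so whether a payload was serialized is being guessed from the data rather than recorded when encrypt() serialized it; an explicit marker written by encrypt() would make decrypt() deterministic and avoid unserializing strings that merely parse as serialized data. The `$this->debug` echo lines write decrypted plaintext into the HTTP response, which is fine as a developer toggle but should not be reachable from a configuration value that can be enabled in production.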
@ -718,9 +718,9 @@
|
|||||||
/* This allows the user to put '' as the value. */
|
/* This allows the user to put '' as the value. */
|
||||||
if ($data == '##NOTHING##')
|
if ($data == '##NOTHING##')
|
||||||
{
|
{
|
||||||
$query = "select content from phpgw_app_sessions where"
|
$query = "SELECT content FROM phpgw_app_sessions WHERE"
|
||||||
." sessionid = '".$this->sessionid."' and loginid = '".$this->account_id."'"
|
." sessionid='".$this->sessionid."' AND loginid='".$this->account_id."'"
|
||||||
." and app = '".$appname."' and location = '".$location."'";
|
." AND app = '".$appname."' AND location='".$location."'";
|
||||||
|
|
||||||
$GLOBALS['phpgw']->db->query($query,__LINE__,__FILE__);
|
$GLOBALS['phpgw']->db->query($query,__LINE__,__FILE__);
|
||||||
$GLOBALS['phpgw']->db->next_record();
|
$GLOBALS['phpgw']->db->next_record();
|
||||||
@ -731,16 +731,23 @@
|
|||||||
// This was not properly decoding structures saved into session data properly
|
// This was not properly decoding structures saved into session data properly
|
||||||
// $data = $GLOBALS['phpgw']->common->decrypt($data);
|
// $data = $GLOBALS['phpgw']->common->decrypt($data);
|
||||||
// return stripslashes($data);
|
// return stripslashes($data);
|
||||||
return $GLOBALS['phpgw']->crypto->decrypt($data);
|
// Changed by milosch 2001 Dec 20
|
||||||
|
// do not stripslashes here unless this proves to be a problem.
|
||||||
|
$data = $GLOBALS['phpgw']->common->decrypt($data);
|
||||||
|
//echo 'appsession returning: '; _debug_array($data);
|
||||||
|
return $data;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$GLOBALS['phpgw']->db->query("select content from phpgw_app_sessions where "
|
$GLOBALS['phpgw']->db->query("SELECT content FROM phpgw_app_sessions WHERE "
|
||||||
. "sessionid = '".$this->sessionid."' and loginid = '".$this->account_id."'"
|
. "sessionid = '".$this->sessionid."' AND loginid = '".$this->account_id."'"
|
||||||
. " and app = '".$appname."' and location = '".$location."'",__LINE__,__FILE__);
|
. " AND app = '".$appname."' AND location = '".$location."'",__LINE__,__FILE__);
|
||||||
|
|
||||||
$encrypteddata = $GLOBALS['phpgw']->crypto->encrypt($data);
|
$encrypteddata = $GLOBALS['phpgw']->crypto->encrypt($data);
|
||||||
|
// Added by milosch 2001 Dec 20
|
||||||
|
// Use db_addslashes to slash this
|
||||||
|
$encrypteddata = $GLOBALS['phpgw']->db->db_addslashes($encrypteddata);
|
||||||
|
|
||||||
if ($GLOBALS['phpgw']->db->num_rows()==0)
|
if ($GLOBALS['phpgw']->db->num_rows()==0)
|
||||||
{
|
{
|
||||||
$GLOBALS['phpgw']->db->query("INSERT INTO phpgw_app_sessions (sessionid,loginid,app,location,content,session_dla) "
|
$GLOBALS['phpgw']->db->query("INSERT INTO phpgw_app_sessions (sessionid,loginid,app,location,content,session_dla) "
|
||||||
@ -749,10 +756,10 @@
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$GLOBALS['phpgw']->db->query("update phpgw_app_sessions set content = '".$encrypteddata."'"
|
$GLOBALS['phpgw']->db->query("UPDATE phpgw_app_sessions SET content='".$encrypteddata."'"
|
||||||
. "where sessionid = '".$this->sessionid."'"
|
. "WHERE sessionid = '".$this->sessionid."'"
|
||||||
. "and loginid = '".$this->account_id."' and app = '".$appname."'"
|
. "AND loginid = '".$this->account_id."' AND app = '".$appname."'"
|
||||||
. "and location = '".$location."'",__LINE__,__FILE__);
|
. "AND location = '".$location."'",__LINE__,__FILE__);
|
||||||
}
|
}
|
||||||
return $data;
|
return $data;
|
||||||
}
|
}
|
||||||
|
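Review bot: The new `db_addslashes()` call is applied only to `$encrypteddata`, while the rebuilt queries in this section still interpolate `$appname` and `$location` (and `$this->sessionid` / `$this->account_id`) straight into the SQL string, e.g. `." AND app = '".$appname."' AND location='".$location."'"`. Unless those values are validated before this method is reached (not visible here), they need the same treatment, e.g. `$appname = $GLOBALS['phpgw']->db->db_addslashes($appname); $location = $GLOBALS['phpgw']->db->db_addslashes($location);` before the first query is built, or a parameterised query if the db layer offers one. Note also that when mcrypt is enabled the stored content is bin2hex() output, so escaping it is effectively a no-op; the escape only matters on the mcrypt-disabled path where serialized plaintext is written, which is the path the crypto class itself labels insecure. The method containing these hunks starts outside this section.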
Loading…
Reference in New Issue
Block a user