crypto update; remove (un)serialize from common (en/de)crypt; add checks for

data type to crypto (en/de)crypt; add optional debugging to crypto; add call
to db_addslashes in appsession; silence file_exists calls in one common class
function per skeeter
Miles Lott 2001-12-20 16:19:55 +00:00
parent c8b43c7c76
commit 9f98fbb9a8
3 changed files with 160 additions and 67 deletions


@ -771,15 +771,15 @@
$imagedir_default = '/'.$appname.'/templates/default/images'; $imagedir_default = '/'.$appname.'/templates/default/images';
$imagedir_olddefault = '/'.$appname.'/images'; $imagedir_olddefault = '/'.$appname.'/images';
if(file_exists(PHPGW_SERVER_ROOT.$imagedir.'/'.$image)) if(@file_exists(PHPGW_SERVER_ROOT.$imagedir.'/'.$image))
{ {
$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir.'/'.$image; $imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir.'/'.$image;
} }
elseif(file_exists(PHPGW_SERVER_ROOT.$imagedir_default.'/'.$image)) elseif(@file_exists(PHPGW_SERVER_ROOT.$imagedir_default.'/'.$image))
{ {
$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_default.'/'.$image; $imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_default.'/'.$image;
} }
elseif(file_exists(PHPGW_SERVER_ROOT.$imagedir_olddefault.'/'.$image)) elseif(@file_exists(PHPGW_SERVER_ROOT.$imagedir_olddefault.'/'.$image))
{ {
$imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_olddefault.'/'.$image; $imgfile = $GLOBALS['phpgw_info']['server']['webserver_url'].$imagedir_olddefault.'/'.$image;
} }
@ -926,7 +926,6 @@
*/ */
function encrypt($data) function encrypt($data)
{ {
$data = serialize($data);
return $GLOBALS['phpgw']->crypto->encrypt($data); return $GLOBALS['phpgw']->crypto->encrypt($data);
} }
/*! /*!
@ -936,8 +935,7 @@
*/ */
function decrypt($data) function decrypt($data)
{ {
$data = $GLOBALS['phpgw']->crypto->decrypt($data); return $GLOBALS['phpgw']->crypto->decrypt($data);
return unserialize($data);
} }
/*! /*!
@function des_cryptpasswd @function des_cryptpasswd
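Review bot: The `@` on the three `file_exists()` calls hides the warning without recording which warning is expected, so a real misconfiguration (presumably an open_basedir or safe_mode restriction) now looks the same as a missing image. A short comment above the first call would state the reason, e.g. `/* @: file_exists() warns when the path is outside the allowed tree; treat that as "not found" */`. The paths are built from `$appname` and `$image` with no visible normalisation; if callers only ever pass bare file names, `$image = basename($image);` before the checks would keep `../` sequences out of the lookup. The enclosing function starts above this hunk.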


@ -1,42 +1,56 @@
<?php <?php
/**************************************************************************\ /**************************************************************************\
* phpGroupWare API - Crypto * * phpGroupWare API - Crypto *
* This file written by Joseph Engo <jengo@phpgroupware.org> * * This file written by Joseph Engo <jengo@phpgroupware.org> *
* Handles encrypting strings based on various encryption schemes * * Handles encrypting strings based on various encryption schemes *
* Copyright (C) 2000, 2001 Dan Kuykendall * * Copyright (C) 2000, 2001 Dan Kuykendall *
* ------------------------------------------------------------------------- * * -------------------------------------------------------------------------*
* This library is part of the phpGroupWare API * * This library is part of the phpGroupWare API *
* http://www.phpgroupware.org/api * * http://www.phpgroupware.org/api *
* ------------------------------------------------------------------------ * * -------------------------------------------------------------------------*
* This library is free software; you can redistribute it and/or modify it * * This library is free software; you can redistribute it and/or modify it *
* under the terms of the GNU Lesser General Public License as published by * * under the terms of the GNU Lesser General Public License as published by *
* the Free Software Foundation; either version 2.1 of the License, * * the Free Software Foundation; either version 2.1 of the License, *
* or any later version. * * or any later version. *
* This library is distributed in the hope that it will be useful, but * * This library is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of * * WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
* See the GNU Lesser General Public License for more details. * * See the GNU Lesser General Public License for more details. *
* You should have received a copy of the GNU Lesser General Public License * * You should have received a copy of the GNU Lesser General Public License *
* along with this library; if not, write to the Free Software Foundation, * * along with this library; if not, write to the Free Software Foundation, *
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
\**************************************************************************/ \**************************************************************************/
/* $Id$ */ /* $Id$ */
class crypto class crypto
{ {
var $enabled = False; var $enabled = False;
var $debug = False;
var $mcrypt_version = ''; var $mcrypt_version = '';
var $td = False; // Handle for mcrypt var $algo = MCRYPT_TRIPLEDES;
var $mode = MCRYPT_MODE_CBC;
var $td = False; /* Handle for mcrypt */
var $iv = ''; var $iv = '';
var $key = ''; var $key = '';
function crypto($vars) function crypto($vars)
{ {
/* _debug_array(mcrypt_list_algorithms()); */
$key = $vars[0]; $key = $vars[0];
$iv = $vars[1]; $iv = $vars[1];
if ($GLOBALS['phpgw_info']['server']['mcrypt_enabled'] && extension_loaded('mcrypt')) if ($GLOBALS['phpgw_info']['server']['mcrypt_enabled'] && extension_loaded('mcrypt'))
{ {
if($GLOBALS['phpgw_info']['server']['mcrypt_algo'])
{
$this->algo = $GLOBALS['phpgw_info']['server']['mcrypt_algo'];
}
if($GLOBALS['phpgw_info']['server']['mcrypt_mode'])
{
$this->mode = $GLOBALS['phpgw_info']['server']['mcrypt_mode'];
}
$this->enabled = True; $this->enabled = True;
$this->mcrypt_version = $GLOBALS['phpgw_info']['server']['versions']['mcrypt']; $this->mcrypt_version = $GLOBALS['phpgw_info']['server']['versions']['mcrypt'];
if ($this->mcrypt_version == 'old') if ($this->mcrypt_version == 'old')
@ -44,8 +58,8 @@
$this->td = False; $this->td = False;
if (phpversion() > '4.0.2pl1') if (phpversion() > '4.0.2pl1')
{ {
$keysize = mcrypt_get_key_size(MCRYPT_TRIPLEDES); $keysize = mcrypt_get_key_size($this->algo);
$ivsize = mcrypt_get_iv_size(MCRYPT_TRIPLEDES,MCRYPT_MODE_CBC); $ivsize = mcrypt_get_iv_size($this->algo,$this->mode);
} }
else else
{ {
@ -55,21 +69,21 @@
} }
else else
{ {
// Start up mcrypt /* Start up mcrypt */
$this->td = mcrypt_module_open (MCRYPT_TRIPLEDES, '', MCRYPT_MODE_CBC, ''); $this->td = mcrypt_module_open ($this->algo, '', $this->mode, '');
$ivsize = mcrypt_enc_get_iv_size($this->td); $ivsize = mcrypt_enc_get_iv_size($this->td);
$keysize = mcrypt_enc_get_key_size($this->td); $keysize = mcrypt_enc_get_key_size($this->td);
} }
// Hack IV to be the correct size /* Hack IV to be the correct size */
$x = strlen($iv); $x = strlen($iv);
for ($i = 0; $i < $ivsize; $i++) for ($i = 0; $i < $ivsize; $i++)
{ {
$this->iv .= $iv[$i % $x]; $this->iv .= $iv[$i % $x];
} }
// Hack Key to be the correct size /* Hack Key to be the correct size */
$x = strlen($key); $x = strlen($key);
for ($i = 0; $i < $keysize; $i++) for ($i = 0; $i < $keysize; $i++)
@ -77,7 +91,7 @@
$this->key .= $key[$i % $x]; $this->key .= $key[$i % $x];
} }
} }
// If mcrypt isn't loaded key and iv are not needed /* If mcrypt isn't loaded, key and iv are not needed. */
} }
function cleanup() function cleanup()
@ -99,67 +113,141 @@
function encrypt($data) function encrypt($data)
{ {
$data = serialize($data); if($this->debug)
$data = addslashes($data); {
echo '<br>' . time() . ' crypto->encrypt() unencrypted data: ---->>>>' . $data . "\n";
}
// Disable all encryption if the admin didn't set it up if(gettype($data) == 'array' || gettype($data) == 'object')
{
if($this->debug)
{
echo '<br>' . time() . ' crypto->encrypt() found an "' . gettype($data) . '". Serializing...' . "\n";
}
$data = serialize($data);
$_obj = True;
}
else
{
if($this->debug)
{
echo '<br>' . time() . ' crypto->encrypt() found "' . gettype($data) . '". No serialization...' . "\n";
}
}
/* Disable all encryption if the admin didn't set it up */
if ($this->enabled) if ($this->enabled)
{ {
if($_obj)
{
if($this->debug)
{
echo '<br>' . time() . ' crypto->encrypt() adding slashes' . "\n";
}
$data = addslashes($data);
}
if($this->debug)
{
echo '<br>' . time() . ' crypto->encrypt() data: ---->>>>' . $data;
}
switch ($this->mcrypt_version) switch ($this->mcrypt_version)
{ {
// The old code, only works with mcrypt <= 2.2.x
case 'old': case 'old':
{ /* The old code, only works with mcrypt <= 2.2.x */
$encrypteddata = mcrypt_cbc(MCRYPT_TripleDES, $this->key, $data, MCRYPT_ENCRYPT); $encrypteddata = mcrypt_cbc($this->algo, $this->key, $data, MCRYPT_ENCRYPT);
break; break;
}
default: default:
{ // Handle 2.4 and newer API /* Handle 2.4 and newer API */
mcrypt_generic_init ($this->td, $this->key, $this->iv); mcrypt_generic_init ($this->td, $this->key, $this->iv);
$encrypteddata = mcrypt_generic($this->td, $data); $encrypteddata = mcrypt_generic($this->td, $data);
break; break;
}
} }
$encrypteddata = bin2hex($encrypteddata); $encrypteddata = bin2hex($encrypteddata);
if($this->debug)
{
echo '<br>' . time() . ' crypto->encrypt() crypted data: ---->>>>' . $encrypteddata;
}
return $encrypteddata; return $encrypteddata;
} }
else else
{ // No mcrypt == insecure ! {
/* No mcrypt == insecure ! */
if($this->debug)
{
echo '<br>' . time() . ' crypto->encrypt() crypted data: ---->>>>' . $data;
}
return $data; return $data;
} }
} }
function decrypt($encrypteddata) function decrypt($encrypteddata)
{ {
// Disable all encryption if the admin didn't set it up if($this->debug)
{
echo '<br>' . time() . ' crypto->decrypt() crypted data: ---->>>>' . $encrypteddata;
}
/* Disable all encryption if the admin didn't set it up */
if ($this->enabled) if ($this->enabled)
{ {
$data = $this->hex2bin($encrypteddata); $data = $this->hex2bin($encrypteddata);
switch ($this->mcrypt_version) switch ($this->mcrypt_version)
{ {
// The old code, only works with mcrypt <= 2.2.x
case 'old': case 'old':
$data = mcrypt_cbc(MCRYPT_TripleDES, $this->key, $data, MCRYPT_DECRYPT); /* The old code, only works with mcrypt <= 2.2.x */
$data = mcrypt_cbc($this->algo, $this->key, $data, MCRYPT_DECRYPT);
break; break;
// Handle 2.4 and newer API
default: default:
/* Handle 2.4 and newer API */
mcrypt_generic_init ($this->td, $this->key, $this->iv); mcrypt_generic_init ($this->td, $this->key, $this->iv);
$data = mdecrypt_generic($this->td, $data); $data = mdecrypt_generic($this->td, $data);
break; break;
} }
if($this->debug)
{
echo '<br>' . time() . ' crypto->decrypt() decrypted data: ---->>>>' . $data;
}
$test = unserialize(stripslashes($data));
if($test)
{
if($this->debug)
{
echo '<br>' . time() . ' crypto->decrypt() stripping slashes' . "\n";
}
$data = stripslashes($data);
}
unset($test);
if($this->debug)
{
echo '<br>' . time() . ' crypto->decrypt() data: ---->>>>' . $data . "\n";
}
} }
else else
{ {
/* No mcrypt == insecure ! */
$data = $encrypteddata; $data = $encrypteddata;
} }
if(!strpos(' '.$data,'O:8:"stdClass"')) $newdata = unserialize($data);
if($newdata)
{ {
return unserialize($data); if($this->debug)
{
echo '<br>' . time() . ' crypto->decrypt() found serialized "' . gettype($newdata) . '". Unserializing...' . "\n";
echo '<br>' . time() . ' crypto->decrypt() returning: '; _debug_array($newdata);
}
return $newdata;
} }
else else
{ {
$data = stripslashes($data); if($this->debug)
{
echo '<br>' . time() . ' crypto->decrypt() found UNserialized "' . gettype($data) . '". No unserialization...' . "\n";
echo '<br>' . time() . ' crypto->decrypt() returning: ' . $data;
}
return $data; return $data;
} }
} }
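Review bot: decrypt() passes its input to unserialize() twice (the `$test` probe and the final `$newdata` call) with no integrity check, and in the `else` branch for disabled mcrypt that input is the stored value unchanged. CBC output carries no MAC, so a modified or foreign row reaches unserialize() as-is; the stored blob should carry a keyed MAC that is verified before decryption, and encrypt() should write an explicit marker for serialized payloads instead of decrypt() probing for them. The truthiness test `if($newdata)` also returns the raw string `a:0:{}` for an empty array, because the unserialized value is falsy; `if($newdata !== False || $data === 'b:0;')` separates a failed unserialize from a falsy result. Separately, the `$this->debug` echoes print plaintext and decrypted data into the page unescaped, so the flag should stay off outside development.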


@ -718,9 +718,9 @@
/* This allows the user to put '' as the value. */ /* This allows the user to put '' as the value. */
if ($data == '##NOTHING##') if ($data == '##NOTHING##')
{ {
$query = "select content from phpgw_app_sessions where" $query = "SELECT content FROM phpgw_app_sessions WHERE"
." sessionid = '".$this->sessionid."' and loginid = '".$this->account_id."'" ." sessionid='".$this->sessionid."' AND loginid='".$this->account_id."'"
." and app = '".$appname."' and location = '".$location."'"; ." AND app = '".$appname."' AND location='".$location."'";
$GLOBALS['phpgw']->db->query($query,__LINE__,__FILE__); $GLOBALS['phpgw']->db->query($query,__LINE__,__FILE__);
$GLOBALS['phpgw']->db->next_record(); $GLOBALS['phpgw']->db->next_record();
@ -731,16 +731,23 @@
// This was not properly decoding structures saved into session data properly // This was not properly decoding structures saved into session data properly
// $data = $GLOBALS['phpgw']->common->decrypt($data); // $data = $GLOBALS['phpgw']->common->decrypt($data);
// return stripslashes($data); // return stripslashes($data);
return $GLOBALS['phpgw']->crypto->decrypt($data); // Changed by milosch 2001 Dec 20
// do not stripslashes here unless this proves to be a problem.
$data = $GLOBALS['phpgw']->common->decrypt($data);
//echo 'appsession returning: '; _debug_array($data);
return $data;
} }
else else
{ {
$GLOBALS['phpgw']->db->query("select content from phpgw_app_sessions where " $GLOBALS['phpgw']->db->query("SELECT content FROM phpgw_app_sessions WHERE "
. "sessionid = '".$this->sessionid."' and loginid = '".$this->account_id."'" . "sessionid = '".$this->sessionid."' AND loginid = '".$this->account_id."'"
. " and app = '".$appname."' and location = '".$location."'",__LINE__,__FILE__); . " AND app = '".$appname."' AND location = '".$location."'",__LINE__,__FILE__);
$encrypteddata = $GLOBALS['phpgw']->crypto->encrypt($data); $encrypteddata = $GLOBALS['phpgw']->crypto->encrypt($data);
// Added by milosch 2001 Dec 20
// Use db_addslashes to slash this
$encrypteddata = $GLOBALS['phpgw']->db->db_addslashes($encrypteddata);
if ($GLOBALS['phpgw']->db->num_rows()==0) if ($GLOBALS['phpgw']->db->num_rows()==0)
{ {
$GLOBALS['phpgw']->db->query("INSERT INTO phpgw_app_sessions (sessionid,loginid,app,location,content,session_dla) " $GLOBALS['phpgw']->db->query("INSERT INTO phpgw_app_sessions (sessionid,loginid,app,location,content,session_dla) "
@ -749,10 +756,10 @@
} }
else else
{ {
$GLOBALS['phpgw']->db->query("update phpgw_app_sessions set content = '".$encrypteddata."'" $GLOBALS['phpgw']->db->query("UPDATE phpgw_app_sessions SET content='".$encrypteddata."'"
. "where sessionid = '".$this->sessionid."'" . "WHERE sessionid = '".$this->sessionid."'"
. "and loginid = '".$this->account_id."' and app = '".$appname."'" . "AND loginid = '".$this->account_id."' AND app = '".$appname."'"
. "and location = '".$location."'",__LINE__,__FILE__); . "AND location = '".$location."'",__LINE__,__FILE__);
} }
return $data; return $data;
} }
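Review bot: `$appname` and `$location` are still concatenated unescaped into the SELECT, INSERT and UPDATE statements; the new `db_addslashes()` call covers only `$encrypteddata`. If either value can come from request data (the callers are outside this view), these queries are injectable, so both should be escaped once before the first query, e.g. `$appname = $GLOBALS['phpgw']->db->db_addslashes($appname);` and the same for `$location`. The read path now goes through `common->decrypt()` while the write path still calls `crypto->encrypt()` directly; using the same layer on both sides would keep the two from drifting apart. The function begins above the first hunk.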