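/**
 * PHP4-style constructor: configure and start the osTicket session.
 *
 * Picks the session name, aligns PHP's garbage-collection window and the
 * cookie lifetime with the effective TTL, installs $this as the session
 * save handler and starts the session.
 *
 * @param int $ttl Session lifetime in seconds; 0 falls back to
 *                 session.gc_maxlifetime, then to SESSION_TTL.
 *
 * Fix: the resolved lifetime ($this->ttl) was computed but the raw $ttl
 * argument was still passed to ini_set() and session_set_cookie_params(),
 * so a defaulted 0 set gc_maxlifetime to 0. Both calls now use $this->ttl.
 * The session cookie is additionally marked HttpOnly.
 */
function osTicketSession($ttl = 0)
{
    // Resolve the effective lifetime once; everything below reads $this->ttl.
    $this->ttl = $ttl ?: ini_get('session.gc_maxlifetime') ?: SESSION_TTL;

    // osTicket-specific session name.
    session_name('OSTSESSID');

    // Forced cleanup on shutdown.
    register_shutdown_function('session_write_close');

    // Session cleanup window matches the effective TTL (was the raw $ttl).
    ini_set('session.gc_maxlifetime', $this->ttl);

    // NOTE(review): when getDBVersion() reports a value, the custom save
    // handler below is skipped and PHP's default handler is used — looks
    // like a pre-upgrade state; confirm against the caller.
    if (OsticketConfig::getDBVersion()) {
        return session_start();
    }

    // Cookie domain. HTTP_HOST is client-supplied; a domain is only set
    // when it contains a dot and is not a bare IP address — avoid setting
    // a cookie domain without a dot, see http://stackoverflow.com/a/1188145.
    $domain = null;
    if (isset($_SERVER['HTTP_HOST'])
            && strpos($_SERVER['HTTP_HOST'], '.') !== false
            && !Validator::is_ip($_SERVER['HTTP_HOST'])) {
        // Drop any port suffix, which would make an invalid domain.
        list($domain) = explode(':', $_SERVER['HTTP_HOST']);
    }

    // Lifetime = effective TTL; Secure when served over HTTPS; HttpOnly so
    // the session id is not readable from page scripts.
    session_set_cookie_params($this->ttl, ROOT_PATH, $domain, osTicket::is_https(), true);

    // Install $this as the session save handler.
    session_set_save_handler(
        array(&$this, 'open'),
        array(&$this, 'close'),
        array(&$this, 'read'),
        array(&$this, 'write'),
        array(&$this, 'destroy'),
        array(&$this, 'gc')
    );

    // Start the session.
    session_start();
}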
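/**
 * PHP4-style constructor: configure and start the osTicket session.
 *
 * Picks the session name, aligns PHP's garbage-collection window and the
 * cookie lifetime with the effective TTL, selects a session backend from
 * self::$backends (falling back to 'db'), installs it as the save handler
 * when it is a SessionBackend, and starts the session.
 *
 * @param int $ttl Session lifetime in seconds; 0 falls back to
 *                 session.gc_maxlifetime, then to SESSION_TTL.
 *
 * Fixes: (1) the resolved lifetime ($this->ttl) was computed but the raw
 * $ttl argument was still passed to ini_set() and
 * session_set_cookie_params(); (2) self::$backends[$bk] was indexed
 * without an isset() check, so an unregistered SESSION_BACKEND name raised
 * a notice before falling back. The session cookie is also marked HttpOnly.
 */
function osTicketSession($ttl = 0)
{
    // Resolve the effective lifetime once; everything below reads $this->ttl.
    $this->ttl = $ttl ?: ini_get('session.gc_maxlifetime') ?: SESSION_TTL;

    // osTicket-specific session name.
    session_name('OSTSESSID');

    // Forced cleanup on shutdown.
    register_shutdown_function('session_write_close');

    // Session cleanup window matches the effective TTL (was the raw $ttl).
    ini_set('session.gc_maxlifetime', $this->ttl);

    // NOTE(review): when getDBVersion() reports a value, the backend
    // selection below is skipped and PHP's default handler is used — looks
    // like a pre-upgrade state; confirm against the caller.
    if (OsticketConfig::getDBVersion()) {
        return session_start();
    }

    // Cookie domain. HTTP_HOST is client-supplied; a domain is only set
    // when it contains a dot and is not a bare IP address — avoid setting
    // a cookie domain without a dot, see http://stackoverflow.com/a/1188145.
    $domain = null;
    if (isset($_SERVER['HTTP_HOST'])
            && strpos($_SERVER['HTTP_HOST'], '.') !== false
            && !Validator::is_ip($_SERVER['HTTP_HOST'])) {
        // Drop any port suffix, which would make an invalid domain.
        list($domain) = explode(':', $_SERVER['HTTP_HOST']);
    }

    // Lifetime = effective TTL; Secure when served over HTTPS; HttpOnly so
    // the session id is not readable from page scripts.
    session_set_cookie_params($this->ttl, ROOT_PATH, $domain, osTicket::is_https(), true);

    if (!defined('SESSION_BACKEND')) {
        define('SESSION_BACKEND', 'db');
    }

    try {
        $bk = SESSION_BACKEND;
        // Fall back to the database backend when the configured name is not
        // registered in self::$backends or its class cannot be loaded.
        if (!isset(self::$backends[$bk]) || !class_exists(self::$backends[$bk])) {
            $bk = 'db';
        }
        $this->backend = new self::$backends[$bk]($this->ttl);
    } catch (Exception $x) {
        // Backend construction failed: warn and use the database backend.
        trigger_error($x->getMessage(), E_USER_WARNING);
        $this->backend = new self::$backends['db']($this->ttl);
    }

    // Only a SessionBackend instance is installed as the save handler;
    // anything else leaves PHP's default handler in place.
    if ($this->backend instanceof SessionBackend) {
        session_set_save_handler(
            array($this->backend, 'open'),
            array($this->backend, 'close'),
            array($this->backend, 'read'),
            array($this->backend, 'write'),
            array($this->backend, 'destroy'),
            array($this->backend, 'gc')
        );
    }

    // Start the session.
    session_start();
}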
/**
 * Register an API key for a remote host, keyed by its IP address.
 *
 * @param string $ip     Remote host IP; must pass Validator::is_ip().
 * @param array  $errors Receives messages under 'err' (missing passphrase)
 *                       and 'ip' (invalid or already-registered IP).
 * @return int Insert id of the new row, or 0 on validation failure or
 *             when the INSERT fails (no message is set in that case).
 *
 * NOTE(review): the key is derived deterministically as
 * md5(ip . md5(passphrase)), so it is only as secret as the shared
 * passphrase and is identical for any host that reuses an IP. Kept as-is
 * because remote callers may depend on this derivation.
 */
function add($ip, &$errors)
{
    global $cfg;

    $passphrase = $cfg->getAPIPassphrase();
    if (!$passphrase) {
        $errors['err'] = 'Senha API faltando.';
    }

    $ipIsUsable = $ip && Validator::is_ip($ip);
    if (!$ipIsUsable) {
        $errors['ip'] = 'IP válido obrigatório';
    } elseif (Api::getKey($ip)) {
        $errors['ip'] = 'Chave API para o IP já existe';
    }

    if ($errors) {
        return 0;
    }

    $apikey = strtoupper(md5($ip . md5($passphrase)));
    $sql = 'INSERT INTO ' . API_KEY_TABLE
        . ' SET created=NOW(), updated=NOW(), isactive=1'
        . ',ipaddr=' . db_input($ip)
        . ',apikey=' . db_input($apikey);

    // Security of the apikey is not as critical at the moment (original note).
    return db_query($sql) ? db_insert_id() : 0;
}
/**
 * Register an API key for a remote host, keyed by its IP address.
 *
 * @param string $ip     Remote host IP; must pass Validator::is_ip().
 * @param array  $errors Receives messages under 'err' (missing passphrase)
 *                       and 'ip' (invalid or already-registered IP).
 * @return int Insert id of the new row, or 0 on validation failure or
 *             when the INSERT fails (no message is set in that case).
 *
 * NOTE(review): the key is derived deterministically as
 * md5(ip . md5(passphrase)), so it is only as secret as the shared
 * passphrase and is identical for any host that reuses an IP. Kept as-is
 * because remote callers may depend on this derivation.
 */
function add($ip, &$errors)
{
    global $cfg;

    $passphrase = $cfg->getAPIPassphrase();
    if (!$passphrase) {
        $errors['err'] = 'API passphrase missing.';
    }

    if (!($ip && Validator::is_ip($ip))) {
        $errors['ip'] = 'Valid IP required';
    } elseif (Api::getKey($ip)) {
        $errors['ip'] = 'API key for the IP already exists';
    }

    $newId = 0;
    if (!$errors) {
        $digest = strtoupper(md5($ip . md5($passphrase)));
        $insert = 'INSERT INTO ' . API_KEY_TABLE
            . ' SET created=NOW(), updated=NOW(), isactive=1'
            . ',ipaddr=' . db_input($ip)
            . ',apikey=' . db_input($digest);

        // Security of the apikey is not as critical at the moment (original note).
        if (db_query($insert)) {
            $newId = db_insert_id();
        }
    }

    return $newId;
}
/**
 * Register an API key for a remote host, keyed by its IP address.
 *
 * @param string $ip     Remote host IP; must pass Validator::is_ip().
 * @param array  $errors Receives messages under 'err' (missing passphrase)
 *                       and 'ip' (invalid or already-registered IP).
 * @return int Insert id of the new row, or 0 on validation failure or
 *             when the INSERT fails (no message is set in that case).
 *
 * NOTE(review): the key is derived deterministically as
 * md5(ip . md5(passphrase)), so it is only as secret as the shared
 * passphrase and is identical for any host that reuses an IP. Kept as-is
 * because remote callers may depend on this derivation.
 */
function add($ip, &$errors)
{
    global $cfg;

    $passphrase = $cfg->getAPIPassphrase();
    if (!$passphrase) {
        $errors['err'] = 'Falta la frase secreta de la API.';
    }

    $validIp = $ip && Validator::is_ip($ip);
    if (!$validIp) {
        $errors['ip'] = 'Se requiere una IP válida';
    } elseif (Api::getKey($ip)) {
        $errors['ip'] = 'Clave API para esta IP ya existe';
    }

    if ($errors) {
        return 0;
    }

    $statement = 'INSERT INTO ' . API_KEY_TABLE
        . ' SET created=NOW(), updated=NOW(), isactive=1'
        . ',ipaddr=' . db_input($ip)
        . ',apikey=' . db_input(strtoupper(md5($ip . md5($passphrase))));

    // Security of the apikey is not as critical at the moment (original note).
    if (!db_query($statement)) {
        return 0;
    }

    return db_insert_id();
}
// Tail of a function whose header is above this excerpt (the switch on
// exit codes and the final exit($code)); its body is not visible here.
case EX_NOINPUT: default: Http::response(416, $code, 'text/plain'); } } exit($code); }
//Remote hosts need authorization.
if ($remotehost) {
    //Upto 10 consecutive errors allowed...before a 5 minute timeout.
    //One more error during timeout and timeout starts a new clock
    // NOTE(review): 5 * 50 is 250 seconds, not the 5 minutes the comment
    // above describes. Where $_SESSION['api']['errors'] and ['time'] are
    // incremented/set is not visible here; if ['time'] is unset this reads
    // an undefined index.
    if ($_SESSION['api']['errors'] > 10 && time() - $_SESSION['api']['time'] <= 5 * 50) { // timeout!
        api_exit(EX_NOPERM, 'Host in Timeout');
    }
    //Check IP
    // REMOTE_ADDR is the TCP peer; behind a reverse proxy this would be the
    // proxy's address, so the allow-list check below is only as good as
    // the deployment — confirm how this is deployed.
    $ip = $_SERVER['REMOTE_ADDR'];
    if (!Validator::is_ip($ip) || !$cfg->isKnownHost($ip)) { //unknown IP
        api_exit(EX_NOPERM, 'Unknown remote host [' . $ip . ']');
    }
    //For added security...check API pass phrase.
    // The key is transported in the User-Agent header, which web servers
    // commonly write to access logs; the comparison is a plain strcasecmp
    // against md5() of the configured key (not a constant-time compare),
    // and the rejected client-supplied value is echoed back in the response.
    $key = $_SERVER['HTTP_USER_AGENT']; //pulling all tricks.
    if (empty($key) || strcasecmp($key, md5($cfg->getAPIKey()))) {
        api_exit(EX_NOPERM, 'Invalid API Key [' . $key . ']');
    }
    //At this point we know the remote host/IP is allowed.
    $_SESSION['api']['errors'] = 0; //clear errors for the session.
}
// Tail of a function whose header is above this excerpt (the switch on
// exit codes mapping EX_NOPERM to 403 and data/input errors to 416, then
// the final exit($code)); its body is not visible here.
break; case EX_NOPERM: Http::response(403, $code, 'text/plain'); break; case EX_DATAERR: case EX_NOINPUT: default: Http::response(416, $code, 'text/plain'); } } exit($code); }
//Remote hosts need authorization.
if ($remotehost) {
    // REMOTE_ADDR is the TCP peer; behind a reverse proxy this would be the
    // proxy's address — confirm how this is deployed. The API key travels
    // in the User-Agent header, which web servers commonly write to access
    // logs.
    $ip = $_SERVER['REMOTE_ADDR'];
    $key = $_SERVER['HTTP_USER_AGENT']; //pulling all tricks.
    //Upto 10 consecutive errors allowed...before a 5 minute timeout.
    //One more error during timeout and timeout starts a new clock
    // NOTE(review): where $_SESSION['api']['errors'] and ['time'] are
    // incremented/set is not visible here; if ['time'] is unset this reads
    // an undefined index. The timeout response discloses the error count.
    if ($_SESSION['api']['errors'] > 10 && time() - $_SESSION['api']['time'] <= 5 * 60) { // timeout!
        api_exit(EX_NOPERM, "Remote host [{$ip}] in timeout - error #" . $_SESSION['api']['errors']);
    }
    //Check API key & ip
    // Api::validate() is defined elsewhere; how it compares the key is not
    // visible here. The rejected client-supplied key is echoed back in the
    // 403 text/plain response body.
    if (!Validator::is_ip($ip) || !Api::validate($key, $ip)) {
        api_exit(EX_NOPERM, 'Unknown remote host [' . $ip . '] or invalid API key [' . $key . ']');
    }
    //At this point we know the remote host/IP is allowed.
    $_SESSION['api']['errors'] = 0; //clear errors for the session.
}
/**
 * Insert or update an API key row.
 *
 * @param int|null $id     Existing row id to update; falsy to insert a new row.
 * @param array    $vars   Form values: ipaddr (insert only), isactive,
 *                         can_create_tickets, can_exec_cron, notes. Each is
 *                         read directly; a missing index raises a notice.
 * @param array    $errors Receives 'ipaddr' on validation failure and 'err'
 *                         on a database failure.
 * @return bool|int true after a successful UPDATE, the new row id after a
 *                  successful INSERT, false otherwise.
 *
 * NOTE(review): the generated key is MD5 over time(), the IP and
 * md5(Misc::randCode(16)); its unpredictability rests entirely on
 * randCode(), which is defined elsewhere — confirm it uses a CSPRNG.
 */
function save($id, $vars, &$errors)
{
    $creating = !$id;

    if ($creating && (!$vars['ipaddr'] || !Validator::is_ip($vars['ipaddr']))) {
        $errors['ipaddr'] = 'Valid IP required';
    }
    if ($errors) {
        return false;
    }

    // Column assignments shared by both INSERT and UPDATE.
    $assignments = ' updated=NOW() '
        . ',isactive=' . db_input($vars['isactive'])
        . ',can_create_tickets=' . db_input($vars['can_create_tickets'])
        . ',can_exec_cron=' . db_input($vars['can_exec_cron'])
        . ',notes=' . db_input($vars['notes']);

    if (!$creating) {
        $update = 'UPDATE ' . API_KEY_TABLE . ' SET ' . $assignments
            . ' WHERE id=' . db_input($id);
        if (db_query($update)) {
            return true;
        }
        $errors['err'] = 'Unable to update API key. Internal error occurred';
        return false;
    }

    $insert = 'INSERT INTO ' . API_KEY_TABLE . ' SET ' . $assignments
        . ',created=NOW() '
        . ',ipaddr=' . db_input($vars['ipaddr']);
    $apikey = strtoupper(md5(time() . $vars['ipaddr'] . md5(Misc::randCode(16))));
    $insert .= ',apikey=' . db_input($apikey);

    if (db_query($insert)) {
        $newId = db_insert_id();
        if ($newId) {
            return $newId;
        }
    }
    $errors['err'] = 'Unable to add API key. Try again!';
    return false;
}
/**
 * Insert or update an API key row.
 *
 * @param int|null $id     Existing row id to update; falsy to insert a new row.
 * @param array    $vars   Form values: ipaddr (insert only), isactive,
 *                         can_create_tickets, can_exec_cron, notes. Each is
 *                         read directly; a missing index raises a notice.
 *                         notes is passed through Format::sanitize().
 * @param array    $errors Receives 'ipaddr' on validation failure and 'err'
 *                         on a database failure (messages via __()).
 * @return bool|int true after a successful UPDATE, the new row id after a
 *                  successful INSERT, false otherwise.
 *
 * NOTE(review): the generated key is MD5 over time(), the IP and
 * md5(Misc::randCode(16)); its unpredictability rests entirely on
 * randCode(), which is defined elsewhere — confirm it uses a CSPRNG.
 */
function save($id, $vars, &$errors)
{
    if (!$id) {
        $ipGiven = $vars['ipaddr'] && Validator::is_ip($vars['ipaddr']);
        if (!$ipGiven) {
            $errors['ipaddr'] = __('Valid IP is required');
        }
    }
    if ($errors) {
        return false;
    }

    // Column assignments shared by both INSERT and UPDATE.
    $assignments = ' updated=NOW() '
        . ',isactive=' . db_input($vars['isactive'])
        . ',can_create_tickets=' . db_input($vars['can_create_tickets'])
        . ',can_exec_cron=' . db_input($vars['can_exec_cron'])
        . ',notes=' . db_input(Format::sanitize($vars['notes']));

    if ($id) {
        $update = 'UPDATE ' . API_KEY_TABLE . ' SET ' . $assignments
            . ' WHERE id=' . db_input($id);
        if (db_query($update)) {
            return true;
        }
        $errors['err'] = sprintf(__('Unable to update %s.'), __('this API key'))
            . ' ' . __('Internal error occurred');
        return false;
    }

    $insert = 'INSERT INTO ' . API_KEY_TABLE . ' SET ' . $assignments
        . ',created=NOW() '
        . ',ipaddr=' . db_input($vars['ipaddr']);
    $apikey = strtoupper(md5(time() . $vars['ipaddr'] . md5(Misc::randCode(16))));
    $insert .= ',apikey=' . db_input($apikey);

    $newId = db_query($insert) ? db_insert_id() : 0;
    if ($newId) {
        return $newId;
    }
    $errors['err'] = sprintf(__('Unable to add %s. Correct error(s) below and try again.'), __('this API key'));
    return false;
}
/**
 * Insert or update an API key row.
 *
 * @param int|null $id     Existing row id to update; falsy to insert a new row.
 * @param array    $vars   Form values: ipaddr (insert only), isactive, notes.
 *                         Each is read directly; a missing index raises a notice.
 * @param array    $errors Receives 'ipaddr' when the IP is invalid or already
 *                         has a key, and 'err' on a database failure.
 * @return bool|int true after a successful UPDATE, the new row id after a
 *                  successful INSERT, false otherwise.
 *
 * NOTE(review): the generated key is MD5 over time(), the IP and
 * md5(Misc::randcode(16)); its unpredictability rests entirely on
 * randcode(), which is defined elsewhere — confirm it uses a CSPRNG.
 */
function save($id, $vars, &$errors)
{
    $creating = !$id;

    if ($creating) {
        $ipaddr = $vars['ipaddr'];
        if (!$ipaddr || !Validator::is_ip($ipaddr)) {
            $errors['ipaddr'] = 'Valid IP required';
        } elseif (API::getKeyByIPAddr($ipaddr)) {
            // One key per IP: reject a duplicate registration.
            $errors['ipaddr'] = 'API key for the IP already exists';
        }
    }
    if ($errors) {
        return false;
    }

    // Column assignments shared by both INSERT and UPDATE.
    $assignments = ' updated=NOW() '
        . ',isactive=' . db_input($vars['isactive'])
        . ',notes=' . db_input($vars['notes']);

    if (!$creating) {
        $update = 'UPDATE ' . API_KEY_TABLE . ' SET ' . $assignments
            . ' WHERE id=' . db_input($id);
        if (db_query($update)) {
            return true;
        }
        $errors['err'] = 'Unable to update API key. Internal error occurred';
        return false;
    }

    $insert = 'INSERT INTO ' . API_KEY_TABLE . ' SET ' . $assignments
        . ',created=NOW() '
        . ',ipaddr=' . db_input($vars['ipaddr']);
    $apikey = strtoupper(md5(time() . $vars['ipaddr'] . md5(Misc::randcode(16))));
    $insert .= ',apikey=' . db_input($apikey);

    if (db_query($insert)) {
        $newId = db_insert_id();
        if ($newId) {
            return $newId;
        }
    }
    $errors['err'] = 'Unable to add API key. Internal error';
    return false;
}