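 /**
  * sanitize() - clean input for known injection vulnerabilities
  *
  * Reduce user input to a conservative character allow-list. Organization
  * names, NREN names and states are expected to contain only [a-z][0-9];
  * the pattern below additionally keeps '_', '.', '@' and space
  * (case-insensitive), so callers must not assume the result is strictly
  * alphanumeric. Because '.' is kept, a value such as ".." passes through
  * unchanged: callers that build filesystem paths need their own check.
  *
  * This is a character filter, not context-aware escaping: values still
  * have to be bound as SQL parameters and HTML-escaped when rendered.
  *
  * TODO: This function should be accessible for all forms taking data
  * TODO: Make sure it accepts all legal characters in the DN
  *
  * @param mixed $input scalar, or a (possibly nested) array of scalars
  * @return mixed null for unset/empty input; the filtered string for a
  *               scalar; for an array, an array with the same keys whose
  *               values were filtered element by element (empty strings
  *               inside an array therefore become null, like at top level)
  */
 static function sanitize($input)
 {
     if (!isset($input) || $input === "") {
         return null;
     }
     if (is_array($input)) {
         /* Filter each element (recursing into nested arrays) and keep the
          * original keys. Return here: the original code built this array
          * and then fell through to the scalar branch, discarding it. */
         $output = array();
         foreach ($input as $key => $value) {
             $output[$key] = self::sanitize($value);
         }
         return $output;
     }
     return preg_replace('/[^a-z0-9_.@ ]+/i', '', $input);
 }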
    $xml->addAttribute("elementCount", $element_count);
    Logger::log_event(LOG_DEBUG, "Returning list with {$element_count} entries.");
    header("content-type: text/xml");
    echo $xml->asXML();
}
/* Refuse to run unless the environment checks out. */
assertEnvironment();
/* The caller authenticates with a client certificate; continue only when
 * that yields an authenticated admin person. */
$admin = createAdminPerson();
$authenticated = isset($admin) && $admin->isAuth();
if (!$authenticated) {
    echo "Not authenticated! Cannot continue<br />\n";
    exit(0);
}
/* Which operation on the issued certificates is wanted? Without an explicit
 * action the client is assumed to want the list of issued certificates. */
$action = isset($_POST['action'])
    ? Input::sanitize($_POST['action'])
    : 'cert_list';
switch ($action) {
    case 'cert_list':
        Logger::log_event(LOG_NOTICE, "[RI] " . $admin->getEPPN() . " cert-list request.");
        $res = Robot::createCertList($admin);
        printXMLRes($res, 'userList');
        break;
    case 'revoke_list':
        if (!isset($_POST['list'])) {
            echo "No data provided.\n";
            exit(0);
        }
<?php

require_once 'confusa_include.php';
require_once 'Config.php';
require_once 'Input.php';
require_once 'confusa_constants.php';
/*
 * Get the custom NREN logo from the filesystem and return it as an image
 */
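if (isset($_GET['nren'])) {
    /* Custom logo of one NREN: <custom_logo>/<nren>/custom_<pos>.<suffix>
     *
     * Input::sanitize() drops path separators but keeps '.', so a component
     * such as ".." survives it; reject that explicitly so the path cannot
     * leave the custom-logo directory. The position is restricted to the
     * same allow-list the stylist uses when storing logos. Falling back to
     * '' for a missing 'pos'/'suffix' gives the same null result from
     * Input::sanitize() as the missing key did, minus the notice. */
    $nren = Input::sanitize($_GET['nren']);
    $position = Input::sanitize(isset($_GET['pos']) ? $_GET['pos'] : '');
    $suffix = Input::sanitize(isset($_GET['suffix']) ? $_GET['suffix'] : '');
    if (strpos((string) $nren, '..') !== false || strpos((string) $suffix, '..') !== false) {
        exit(1);
    }
    if (!in_array($position, ConfusaConstants::$ALLOWED_LOGO_POSITIONS, true)) {
        exit(1);
    }
    $logo_path = Config::get_config('custom_logo') . $nren . '/custom_' . $position . '.';
    $logo_path .= $suffix;
} else {
    if (isset($_GET['op'])) {
        /* operator logo: a fixed configured path; the suffix is its last
         * three characters (e.g. 'png') */
        $logo_path = Config::get_config('operator_logo');
        $suffix = substr($logo_path, -3);
    } else {
        exit(1);
    }
}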
/*
 * Search if there is one custom.png, custom.jpg or custom.any_other_
 * allowed_suffix file in the custom-logo folder.
 *
 * If there isn't return null
 */
if (file_exists($logo_path)) {
    $fp = fopen($logo_path, "r");
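 /**
  * Render the NREN-admin page ('nren_admin.tpl').
  *
  * Anyone who is not an NREN admin gets the restricted_access template
  * with a tagged reason; the same tag goes into the log line so the two
  * can be matched up. For admins the 'target' query parameter selects
  * the view:
  *  - 'list', or no target at all: the subscriber list of the NREN
  *  - 'add': the add-subscriber form, pre-filled from the auth attributes
  *           named by the NREN's attribute map (epodn / eppn keys)
  * Any other target only gets the common assignments.
  *
  * @return void
  */
 public function process()
 {
     if (!$this->person->isNRENAdmin()) {
         $errorTag = PW::create();
         Logger::logEvent(LOG_NOTICE, "NRENAdmin", "process()", "User " . stripslashes($this->person->getX509ValidCN()) . " tried to access the NREN-area", __LINE__, $errorTag);
         $this->tpl->assign('reason', "[{$errorTag}] You are not an NREN-admin");
         $this->tpl->assign('content', $this->tpl->fetch('restricted_access.tpl'));
         return;
     }
     $this->tpl->assign('nrenName', $this->person->getNREN());
     $this->tpl->assign('org_states', ConfusaConstants::$ORG_STATES);
     /* Export the NREN UID key */
     $map = $this->person->getNREN()->getMap();
     $this->tpl->assign('nren_eppn_key', $map['eppn']);
     if (isset($_GET['target'])) {
         switch (Input::sanitize($_GET['target'])) {
             case 'list':
                 /* get all info from database and publish to template */
                 $this->tpl->assign('subscriber_list', $this->getSubscribers());
                 /* Guard against a missing subscriber exactly like the
                  * no-target branch below does, instead of dereferencing
                  * null. NOTE(review): this branch exposes the IdP name
                  * while the no-target branch exposes the subscriber
                  * object itself — confirm which one the template expects. */
                 $subscriber = $this->person->getSubscriber();
                 $this->tpl->assign('self_subscriber', isset($subscriber) ? $subscriber->getIdPName() : '');
                 $this->tpl->assign('list_subscribers', true);
                 break;
             case 'add':
                 $am = AuthHandler::getAuthManager($this->person);
                 $attributes = $am->getAttributes();
                 /* Pre-fill the form from the attributes the NREN's map
                  * points at, when the auth manager delivered them. */
                 if (isset($attributes[$map['epodn']])) {
                     $this->tpl->assign('foundUniqueName', $attributes[$map['epodn']][0]);
                     $this->tpl->assign('nrenOrgAttr', $map['epodn']);
                 }
                 if (isset($attributes[$map['eppn']])) {
                     $this->form_data['eppnAttr'] = $map['eppn'];
                 }
                 $this->tpl->assign('form_data', $this->form_data);
                 $this->tpl->assign('add_subscriber', true);
                 break;
             default:
                 break;
         }
     } else {
         /* get all info from database and publish to template */
         $this->tpl->assign('subscriber_list', $this->getSubscribers());
         $subscriber = $this->person->getSubscriber();
         if (isset($subscriber)) {
             $this->tpl->assign('self_subscriber', $subscriber);
         } else {
             /* no subscriber could be resolved: most likely the attribute
              * map is wrong, so point the admin at the attributes page */
             $this->tpl->assign('self_subscriber', '');
             Framework::error_output($this->translateTag('l10n_error_illegalattributemap', 'nrenadmin') . '<a href="attributes.php">' . $this->translateTag('item_attributes', 'menu') . '</a>.');
         }
         $this->tpl->assign('list_subscribers', true);
     }
     /* render page */
     $this->tpl->assign('content', $this->tpl->fetch('nren_admin.tpl'));
 }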
 /**
  * Populate the robot-certificate page ('robot.tpl').
  *
  * Only subscriber admins may see it; everybody else gets false back and
  * nothing is assigned. The 'robot_view' query parameter picks the view
  * ('list', 'upload' or 'info'); when it is absent the certificate list
  * is shown. At most one of the rv_* menu flags ends up true — none for
  * an unknown view.
  *
  * @return bool|null false when the person is not a subscriber admin
  */
 public function process()
 {
     if (!$this->person->isSubscriberAdmin()) {
         /* not authorized */
         return false;
     }
     /* menu-flags: all off until the chosen view switches one on */
     foreach (array('rv_list', 'rv_upload', 'rv_info') as $menuFlag) {
         $this->tpl->assign($menuFlag, false);
     }
     if (!isset($_GET['robot_view'])) {
         /* We default to listing the certificates */
         $this->tpl->assign('robotCerts', $this->getRobotCertList());
         $this->tpl->assign('rv_list', true);
     } else {
         $view = Input::sanitize($_GET['robot_view']);
         if ($view == 'list') {
             $this->tpl->assign('rv_list', true);
             $this->tpl->assign('robotCerts', $this->getRobotCertList());
         } elseif ($view == 'upload') {
             $this->tpl->assign('rv_upload', true);
         } elseif ($view == 'info') {
             $this->tpl->assign('rv_info', true);
             $this->tpl->assign('ri_path', Config::get_config('server_url') . "ri.php");
         }
         /* any other view: every flag stays off */
     }
     $this->tpl->assign('content', $this->tpl->fetch('robot.tpl'));
 }
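 /**
  * getCertFromDB() take the registered certificate and find a match in
  * the DB
  *
  * Robot_Certificates are used for authenticating remote
  * clients. Therefore, we will *always* start the object with a
  * certificate.
  *
  * The authN-mechanism lies in whether or not the certificate is also
  * present in the database: the fingerprint selects the row, and the
  * stored PEM must then be identical to the one we hold.
  *
  * @param	Boolean $db_authorative the values in the database are
  *			     authoritative (overwrite local values if
  *			     present).
  * @return	Boolean flag indicating if the certificate was found and
  *			     it matches the current one. Database errors are
  *			     logged and reported as false.
  * @access	private
  */
 private function getCertFromDB($db_authorative = false)
 {
     $fp = $this->getFingerprint();
     if (!$fp) {
         return false;
     }
     try {
         $query = "SELECT * FROM robot_certs WHERE fingerprint=?";
         $res = MDB2Wrapper::execute($query, array('text'), array($fp));
         /* Exactly one row, and its PEM must be byte-identical to ours.
          * Strict comparison: a NULL/empty column can never match and no
          * numeric-string coercion takes place in an authentication check. */
         if (count($res) === 1 && $res[0]['cert'] === $this->getPEMContent()) {
             if ($db_authorative) {
                 /* NOTE(review): Input::sanitize() removes everything
                  * outside [a-z0-9_.@ ], including '-' and ':'; if
                  * last_warning_sent / uploaded_date are stored as
                  * timestamps they are mangled here — confirm the format. */
                 $this->db_id = Input::sanitize($res[0]['id']);
                 $this->owner = Input::sanitize($res[0]['uploaded_by']);
                 $this->subscriber = Input::sanitize($res[0]['subscriber_id']);
                 $this->lwsent = Input::sanitize($res[0]['last_warning_sent']);
                 $this->uploaded_date = Input::sanitize($res[0]['uploaded_date']);
             }
             return true;
         }
         return false;
     } catch (DBStatementException $dbse) {
         Logger::log_event(LOG_NOTICE, "Corrupted statement in query (" . __FILE__ . ":" . __LINE__ . " " . $dbse->getMessage());
     } catch (DBQueryException $dbqe) {
         Logger::log_event(LOG_NOTICE, "Corrupted content in query (" . __FILE__ . ":" . __LINE__ . " " . $dbqe->getMessage());
     }
     return false;
 }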
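 /**
  * Handle a stylist form submission before the page is rendered.
  *
  * Runs the parent's pre_process() first and then, for NREN admins only,
  * dispatches on the 'stylist_operation' POST field: help/about/privacy
  * text, CSS (reset/download/change), mail template (reset/change/test),
  * logo upload/delete and the portal title. An unknown operation yields an
  * error message through Framework::error_output().
  *
  * @param mixed $person the person handed on to the parent pre_process()
  * @return bool|null false when the person is not an NREN admin
  */
 public function pre_process($person)
 {
     parent::pre_process($person);
     /* if $person is not a NREN admin we stop here */
     if (!$this->person->isNRENAdmin()) {
         return false;
     }
     if (isset($_POST['stylist_operation'])) {
         switch (htmlentities($_POST['stylist_operation'])) {
             case 'change_help_text':
                 $new_text = Input::sanitizeText($_POST['help_text']);
                 $this->updateNRENHelpText($this->person->getNREN(), $new_text);
                 break;
             case 'change_about_text':
                 $new_text = Input::sanitizeText($_POST['about_text']);
                 $this->updateNRENAboutText($this->person->getNREN(), $new_text);
                 break;
             case 'change_privnotice_text':
                 $new_text = Input::sanitizeText($_POST['privnotice_text']);
                 $this->updateNRENPrivacyNotice($this->person->getNREN(), $new_text);
                 break;
             case 'change_css':
                 if (isset($_POST['reset'])) {
                     $this->resetNRENCSS($this->person->getNREN());
                 } elseif (isset($_POST['download'])) {
                     $new_css = Input::sanitizeCSS($_POST['css_content']);
                     $this->downloadNRENCSS($new_css);
                 } elseif (isset($_POST['change'])) {
                     /* The CSS naturally contains characters such as { : '
                      * that a generic filter would strip, so it goes through
                      * the CSS-specific Input::sanitizeCSS() — the same
                      * treatment the download branch applies. */
                     $new_css = Input::sanitizeCSS($_POST['css_content']);
                     $this->updateNRENCSS($this->person->getNREN(), $new_css);
                 }
                 break;
             case 'change_mail':
                 if (isset($_POST['reset'])) {
                     $this->resetNRENMailTpl($this->person->getNREN());
                 } elseif (isset($_POST['change'])) {
                     $new_template = strip_tags($_POST['mail_content']);
                     $this->updateNRENMailTpl($this->person->getNREN(), $new_template);
                 } elseif (isset($_POST['test'])) {
                     /* see where mail_content is set in
                      * process() for how the current
                      * template is kept. */
                     $this->sendNRENTestMail($this->person, strip_tags($_POST['mail_content']));
                 }
                 break;
             case 'upload_logo':
                 $position = isset($_POST['position']) ? $_POST['position'] : '';
                 /* strict allow-list check: the position ends up in a file name */
                 if (!in_array($position, ConfusaConstants::$ALLOWED_LOGO_POSITIONS, true)) {
                     Framework::error_output("The specified position " . htmlentities($position) . " is not a legal logo position!");
                     return;
                 }
                 if (isset($_FILES['nren_logo']['name'])) {
                     /* only allow image uploads. The type is asserted by the
                      * client, so this is a first filter only; the stored
                      * file's content should be checked by uploadLogo(). */
                     if (strpos($_FILES['nren_logo']['type'], 'image/') === 0) {
                         $this->uploadLogo('nren_logo', $position, $this->person->getNREN());
                     } else {
                         Framework::error_output($this->translateTag('l10n_error_upload_logo_invalid', 'stylist'));
                     }
                 }
                 break;
             case 'delete_logo':
                 $position = isset($_POST['position']) ? $_POST['position'] : '';
                 /* same allow-list as for uploads */
                 if (!in_array($position, ConfusaConstants::$ALLOWED_LOGO_POSITIONS, true)) {
                     Framework::error_output($this->translateTag('l10n_error_upload_logo_position', 'stylist'));
                     return;
                 }
                 $this->deleteLogo($position, $this->person->getNREN());
                 break;
             case 'change_title':
                 if (isset($_POST['portalTitle'])) {
                     $titleValue = Input::sanitize($_POST['portalTitle']);
                 } else {
                     $titleValue = "";
                 }
                 if (isset($_POST['changeButton'])) {
                     /* the checkbox is only posted when ticked */
                     $showTitle = isset($_POST['showPortalTitle']);
                     $this->updateNRENTitle($this->person->getNREN(), $titleValue, $showTitle);
                 }
                 break;
             default:
                 Framework::error_output("Unknown operation chosen in the stylist!");
                 break;
         }
     }
 }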