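/**
 * Validates every incoming $_GET parameter against the whitelist in $config['securite'].
 *
 * Each key present in $_GET must be declared in $config['securite'] (loaded
 * from config.php) with the name of one of the patterns below, and its value
 * must fully match that pattern. Any unknown key, unknown pattern name or
 * non-matching value is handed to stopSession() with a redirect to index.php
 * naming the offending field.
 *
 * NOTE(review): the original docblock says $_POST and $_COOKIE are merged in,
 * but only $_GET is inspected here — confirm the caller merges them first.
 *
 * @param bool $rediRectToIndex Whether stopSession() should redirect to the index.
 * @return void
 */
function doSecurityCheck($rediRectToIndex = TRUE)
{
    global $config;
    $stopExec = $config['stopOnExec'];

    // Pattern name -> PCRE body (wrapped in '/' delimiters below). Every
    // pattern is anchored so a value cannot pass by merely containing one
    // acceptable character somewhere in it.
    static $patterns = array(
        'int'           => '^[0-9]+$',
        'alpha'         => '^[[:alpha:]]+$',
        'ascii'         => '^[[:ascii:]]+$',
        'digit'         => '^[[:digit:]]+$',
        'alphanum'      => '^[[:alnum:]]+$',
        // Hyphen placed last so it is a literal under every PCRE version
        // (PCRE2 rejects a hyphen placed directly after a POSIX class).
        'alphanum-_'    => '^[[:alnum:]_-]+$',
        // Deliberately accepts anything: the consumer is expected to escape
        // the value for SQL itself.
        'mysqlChecked'  => '.*',
        // crypt()/password_hash() output alphabet. The original pattern was
        // unanchored and matched any value containing a single such character.
        'password_hash' => '^[a-zA-Z0-9$\/.]+$',
    );

    foreach ($_GET as $key => $value) {
        $redirect = 'index.php?redirect=0&champs=' . htmlentities($key);

        if (!isset($config['securite'][$key])) {
            // Parameter name not declared in config.php.
            stopSession($rediRectToIndex, $stopExec, $redirect);
            continue;
        }

        $type = $config['securite'][$key];
        if (!isset($patterns[$type])) {
            // Unknown pattern name in config.php. Stop here: the original fell
            // through to preg_match() with an undefined $regexp whenever
            // stopSession() returned instead of exiting.
            stopSession($rediRectToIndex, $stopExec, $redirect);
            continue;
        }

        // Array-valued parameters (?key[]=...) can never match a scalar
        // pattern; treat them as a violation instead of passing them to
        // preg_match().
        if (!is_string($value) || !preg_match("/{$patterns[$type]}/", $value)) {
            stopSession($rediRectToIndex, $stopExec, $redirect);
        }
    }
}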
* as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ include_once dirname(__FILE__) . '/../../lib/common.php'; $table = $_GET['inputTable']; if (!in_array($table, $config['allowed_modals'])) { stopSession(); } $id = FALSE; eval("\$target = new {$table}();"); $insert = array(); if ($target->canEdit()) { $colonnes = $target->getColumns(); foreach ($colonnes as $col) { if (isset($_GET[$col])) { $insert[$col] = $_GET[$col]; } } if (sizeof($insert) > 0) { //@todo gérer le cas id inserable $id = $target->insert($insert); if ($id !== FALSE && $id !== "0") {
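/**
 * Reads and verifies the VCLAUTH authentication cookie.
 *
 * The cookie is a base64 blob encrypted with the site's private key; it is
 * decrypted here with $keys['public'] and expected to hold
 * "loginid|remoteIP|expiryTimestamp[|shibauthId]". On any failure the global
 * $AUTHERROR is filled in (code 3: cannot decrypt / malformed, code 4: expired
 * or IP mismatch) and NULL is returned.
 *
 * Side effects: sets the global $shibauthed when the optional 4th field is
 * present; if that shibauth row no longer exists the cookie is cleared, the
 * session is stopped and the request is redirected to BASEURL (exit).
 *
 * @return string|null Login id from the cookie, or NULL on failure.
 */
function readAuthCookie()
{
    global $keys, $AUTHERROR, $shibauthed;

    // A missing or non-scalar cookie can never decrypt; report it as such
    // instead of raising a notice and feeding NULL to base64_decode().
    if (!isset($_COOKIE["VCLAUTH"]) || !is_string($_COOKIE["VCLAUTH"])) {
        $AUTHERROR["code"] = 3;
        $AUTHERROR["message"] = "Failed to decrypt auth cookie";
        return NULL;
    }
    $cookie = $_COOKIE["VCLAUTH"];
    // get_magic_quotes_gpc() was removed in PHP 8; only unescape where it
    // still exists and is enabled.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $cookie = stripslashes($cookie);
    }
    $cookie = base64_decode($cookie);
    if ($cookie === FALSE || !openssl_public_decrypt($cookie, $tmp, $keys['public'])) {
        $AUTHERROR["code"] = 3;
        $AUTHERROR["message"] = "Failed to decrypt auth cookie";
        return NULL;
    }

    $tmparr = explode('|', $tmp);
    if (count($tmparr) < 3) {
        // Decrypted cleanly but not in the "loginid|ip|ts" layout we issue.
        $AUTHERROR["code"] = 3;
        $AUTHERROR["message"] = "Malformed auth cookie";
        return NULL;
    }
    $loginid  = $tmparr[0];
    $remoteIP = $tmparr[1];
    $ts       = $tmparr[2];

    if (count($tmparr) > 3) {
        $shibauthed = $tmparr[3];
        # check to see if shibauth entry still exists for $shibauthed;
        # the id is cast to int so only a numeric literal ever reaches the query
        $query = "SELECT ts FROM shibauth WHERE id = " . (int)$shibauthed;
        $qh = doQuery($query, 101);
        if ($row = mysql_fetch_assoc($qh)) {
            $shibstart = $row['ts'];
            # TODO if $shibstart is too old, expire the login session
        } else {
            # user should have been logged out, log them out now
            setcookie("VCLAUTH", "", time() - 10, "/", COOKIEDOMAIN);
            stopSession();
            dbDisconnect();
            header("Location: " . BASEURL);
            exit;
        }
    }

    // Compare as integers: a non-numeric timestamp must count as expired
    // rather than being string-compared against time().
    if ((int)$ts < time()) {
        $AUTHERROR["code"] = 4;
        $AUTHERROR["message"] = "Auth cookie has expired";
        return NULL;
    }

    $clientIP = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : '';
    if ($clientIP !== $remoteIP) {
        $AUTHERROR["code"] = 4;
        $AUTHERROR["message"] = "remote IP in auth cookie doesn't match user's remote IP";
        return NULL;
    }
    return $loginid;
}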
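/**
 * Emits the HTTP headers (and, for the logout modes, the response body) for
 * the current request, driven by the global $mode.
 *
 * Handles: redirect to auth selection when not authenticated, the 'logout'
 * and 'shiblogout' modes (auth cookie clearing, shibauth row removal,
 * Shibboleth logout iframes), the view-mode and node-tree cookies, direct
 * dispatch of the stat graph modes, and the cache-control headers. Several
 * branches end the request with exit.
 *
 * Globals read: $mode, $user, $authed, $actionFunction, $shibauthed
 * ($oldmode, $viewmode and $skin are imported but unused in this body).
 *
 * @return void
 */
function sendHeaders()
{
    global $mode, $user, $authed, $oldmode, $viewmode, $actionFunction, $skin;
    global $shibauthed;
    // Result is unused here; the call is kept because processInputVar()
    // presumably validates the 'am' input as a side effect — confirm.
    $setwrapreferer = processInputVar('am', ARG_NUMERIC, 0);
    // Cookies set below persist for one year.
    $expire = time() + 31536000;

    if (!$authed && $mode == "auth") {
        header("Location: " . BASEURL . SCRIPT . "?mode=selectauth");
        dbDisconnect();
        exit;
    }

    switch ($mode) {
        case 'logout':
            if ($shibauthed) {
                $shibdata = getShibauthData($shibauthed);
                if (array_key_exists('Shib-logouturl', $shibdata) && !empty($shibdata['Shib-logouturl'])) {
                    dbDisconnect();
                    header("Location: {$shibdata['Shib-logouturl']}");
                    exit;
                }
            }
            // Intentional fallthrough: a plain logout shares the shiblogout path.
        case 'shiblogout':
            setcookie("ITECSAUTH", "", time() - 10, "/", COOKIEDOMAIN);
            setcookie("VCLAUTH", "", time() - 10, "/", COOKIEDOMAIN);
            if ($shibauthed) {
                $shibdata = getShibauthData($shibauthed);
                // Shibboleth session cookies are not cleared here; the hidden
                // logout iframes printed below are relied on instead.
                // $shibauthed originates from the auth cookie; cast so only a
                // numeric id ever reaches the query.
                doQuery("DELETE FROM shibauth WHERE id = " . (int)$shibauthed, 101);
                stopSession();
                dbDisconnect();
                if (array_key_exists('Shib-logouturl', $shibdata) && !empty($shibdata['Shib-logouturl'])) {
                    print "<html>\n";
                    print " <head>\n";
                    print " <style type=\"text/css\">\n";
                    print " .red {\n";
                    print " color: red;\n";
                    print " }\n";
                    print " body{\n";
                    print " margin:0px; color: red;\n";
                    print " }\n";
                    print " </style>\n";
                    print " </head>\n";
                    print " <body>\n";
                    print " <span class=red>Done.</span> <a target=\"_top\" href=\"" . BASEURL . "/\">Return to VCL</a>\n";
                    print " </body>\n";
                    print "</html>\n";
                } else {
                    print "<html>\n";
                    print "<head>\n";
                    print "<META HTTP-EQUIV=REFRESH CONTENT=\"5;url=" . BASEURL . "\">\n";
                    print "<style type=\"text/css\">\n";
                    print " .hidden {\n";
                    print " display: none;\n";
                    print " }\n";
                    print "</style>\n";
                    print "</head>\n";
                    print "<body>\n";
                    print "Logging out of VCL...";
                    // SERVER_NAME may echo the request's Host header; escape it
                    // before placing it inside an attribute.
                    $serverName = isset($_SERVER['SERVER_NAME'])
                        ? htmlspecialchars($_SERVER['SERVER_NAME'], ENT_QUOTES)
                        : '';
                    print "<iframe src=\"http://{$serverName}/Shibboleth.sso/Logout\" class=hidden>\n";
                    print "</iframe>\n";
                    if (array_key_exists('Shib-Identity-Provider', $shibdata) && !empty($shibdata['Shib-Identity-Provider'])) {
                        // Reduce the IdP entity URL to scheme://host; skip the
                        // iframe when the value has no host part.
                        $tmp = explode('/', $shibdata['Shib-Identity-Provider']);
                        if (isset($tmp[2])) {
                            $idp = htmlspecialchars("{$tmp[0]}//{$tmp[2]}", ENT_QUOTES);
                            print "<iframe src=\"{$idp}/idp/logout.jsp\" class=hidden>\n";
                            print "</iframe>\n";
                        }
                    }
                    print "</body>\n";
                    print "</html>\n";
                }
                exit;
            }
            header("Location: " . HOMEURL);
            stopSession();
            dbDisconnect();
            exit;
    }

    if ($mode == "submitviewmode") {
        $newviewmode = processInputVar("viewmode", ARG_NUMERIC);
        // Only allow a view mode at or below the user's admin level.
        if (!empty($newviewmode) && $newviewmode <= $user['adminlevelid']) {
            setcookie("VCLVIEWMODE", $newviewmode, $expire, "/", COOKIEDOMAIN);
        }
        stopSession();
        header("Location: " . BASEURL . SCRIPT);
        dbDisconnect();
        exit;
    }

    if ($mode == "statgraphday" || $mode == "statgraphdayconcuruser" || $mode == "statgraphdayconcurblade" || $mode == "statgraphhour") {
        // Graph modes produce their own output; no further headers here.
        $actionFunction();
        dbDisconnect();
        exit;
    }

    if ($mode == "viewNodes") {
        $openNodes = processInputVar("openNodes", ARG_STRING);
        $activeNode = processInputVar("activeNode", ARG_NUMERIC);
        if (!empty($openNodes)) {
            setcookie("VCLNODES", $openNodes, $expire, "/", COOKIEDOMAIN);
        }
        if (!empty($activeNode)) {
            setcookie("VCLACTIVENODE", $activeNode, $expire, "/", COOKIEDOMAIN);
        }
        return;
    }

    if ($mode == "submitDeleteNode") {
        $activeNode = processInputVar("activeNode", ARG_NUMERIC);
        $nodeinfo = getNodeInfo($activeNode);
        // After deleting a node, make its parent the active one.
        setcookie("VCLACTIVENODE", $nodeinfo["parent"], $expire, "/", COOKIEDOMAIN);
    }

    if ($mode == "sendRDPfile") {
        header("Cache-Control: max-age=5, must-revalidate");
        header('Pragma: cache');
    } else {
        header("Cache-Control: no-cache, must-revalidate");
    }
    header("Expires: Sat, 1 Jan 2000 00:00:00 GMT");
}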
<?php
/*
 * Copyright (C) 2014 saez0pub
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

// Loads the shared library and ends the current session.
// NOTE(review): by the doSecurityCheck() call convention the first argument
// of stopSession() looks like "redirect to index" — confirm in lib/common.php.
include_once __DIR__ . '/../../lib/common.php';
stopSession(false);