/** * Method to check the validity of the two hidden form security * fields which aim to ensure that a post to the controller is being sent from * the same server that is hosting it. * * @return bool * * @since 1.0 */ public function checkSecurityFields() { self::$logger->debug('>>checkSecurityFields()'); $host = $this->request->getHost(); $ip = $this->request->getIP(); // the server hostname + today's date $var1 = rtrim(strtr(base64_encode(SecurityUtils::encrypt($host . date('Ymd'))), '+/', '-_'), '='); // the server's IP plus $var1 $var2 = rtrim(strtr(base64_encode(SecurityUtils::encrypt($ip . $var1)), '+/', '-_'), '='); if ($this->request->getParam('var1') === null || $this->request->getParam('var2') === null) { self::$logger->warn('The required var1/var2 params where not provided on the HTTP request'); self::$logger->debug('<<checkSecurityFields [false]'); return false; } if ($var1 == $this->request->getParam('var1') && $var2 == $this->request->getParam('var2')) { self::$logger->debug('<<checkSecurityFields [true]'); return true; } else { /* * Here we are implementing a "grace period" of one hour if the time is < 1:00AM, we will accept * a match for yesterday's date in the security fields * */ // the server hostname + today's date less 1 hour (i.e. yesterday where time is < 1:00AM) $var1 = rtrim(strtr(base64_encode(SecurityUtils::encrypt($host . date('Ymd', time() - 3600))), '+/', '-_'), '='); // the server's IP plus $var1 $var2 = rtrim(strtr(base64_encode(SecurityUtils::encrypt($ip . $var1)), '+/', '-_'), '='); if ($var1 == $this->request->getParam('var1') && $var2 == $this->request->getParam('var2')) { self::$logger->debug('<<checkSecurityFields [true]'); return true; } else { self::$logger->warn('The var1/var2 params provided are invalid, values: var1=[' . $this->request->getParam('var1') . '] var2=[' . $this->request->getParam('var2') . ']'); self::$logger->debug('<<checkSecurityFields [false]'); return false; } } }
/** * Generates the two security fields to prevent remote form processing. * * @return array An array containing the two fields * * @since 1.0 */ public static function generateSecurityFields() { if (self::$logger == null) { self::$logger = new Logger('Controller'); } self::$logger->debug('>>generateSecurityFields()'); $request = new Request(array('method' => 'GET')); $host = $request->getHost(); $ip = $request->getIP(); // the server hostname + today's date $var1 = rtrim(strtr(base64_encode(SecurityUtils::encrypt($host . date('Ymd'))), '+/', '-_'), '='); // the server's IP plus $var1 $var2 = rtrim(strtr(base64_encode(SecurityUtils::encrypt($ip . $var1)), '+/', '-_'), '='); self::$logger->debug('<<generateSecurityFields [array(' . $var1 . ', ' . $var2 . ')]'); return array($var1, $var2); }
/** * Testing that the HTTP host can be set from overrides or super-globals during object construction. */ public function testSetHTTPHost() { $request = new Request(array('method' => 'GET', 'host' => 'localhost')); $this->assertEquals('localhost', $request->getHost(), 'Testing that the HTTP host can be set from overrides or super-globals during object construction'); $_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['HTTP_HOST'] = 'localhost'; $request = new Request(); $this->assertEquals('localhost', $request->getHost(), 'Testing that the HTTP host can be set from overrides or super-globals during object construction'); }