/**
 * Installs the security module: creates its tables when they are missing,
 * registers the module, its event handlers and cleanup agents, and switches
 * the filter and antivirus on.
 *
 * @param array $arParams not read here; kept for the installer calling convention
 * @return bool true on success, false when the SQL batch reported errors
 *               (the errors are also raised through $APPLICATION->ThrowException)
 */
function InstallDB($arParams = array())
{
    global $DB, $DBType, $APPLICATION;
    $this->errors = false;

    // Probe one of the module tables; run the schema script only when it is absent.
    $tableExists = $DB->Query("SELECT 'x' FROM b_sec_iprule WHERE 1=0", true);
    if (!$tableExists) {
        $sqlFile = $_SERVER["DOCUMENT_ROOT"] . "/bitrix/modules/security/install/db/" . strtolower($DB->type) . "/install.sql";
        $this->errors = $DB->RunSQLBatch($sqlFile);
    }

    if ($this->errors !== false) {
        $APPLICATION->ThrowException(implode("<br>", $this->errors));
        return false;
    }

    $this->InstallTasks();
    RegisterModule("security");

    // "main" module events this module hooks into: event => (handler class, handler method).
    $eventHandlers = array(
        array("OnUserDelete", "CSecurityUser", "OnUserDelete"),
        array("OnEventLogGetAuditTypes", "CSecurityFilter", "GetAuditTypes"),
        array("OnEventLogGetAuditTypes", "CSecurityAntiVirus", "GetAuditTypes"),
        array("OnAdminInformerInsertItems", "CSecurityFilter", "OnAdminInformerInsertItems"),
        array("OnAdminInformerInsertItems", "CSecuritySiteChecker", "OnAdminInformerInsertItems"),
    );
    foreach ($eventHandlers as $handler) {
        list($eventName, $handlerClass, $handlerMethod) = $handler;
        RegisterModuleDependences("main", $eventName, "security", $handlerClass, $handlerMethod);
    }

    CModule::IncludeModule("security");

    // Periodic cleanup agents; each is removed first so a re-install resets its interval.
    $cleanupAgents = array(
        "CSecuritySession::CleanUpAgent();" => 1800,
        "CSecurityIPRule::CleanUpAgent();" => 3600,
    );
    foreach ($cleanupAgents as $agentName => $intervalSeconds) {
        CAgent::RemoveAgent($agentName, "security");
        CAgent::Add(array(
            "NAME" => $agentName,
            "MODULE_ID" => "security",
            "ACTIVE" => "Y",
            "AGENT_INTERVAL" => $intervalSeconds,
            "IS_PERIOD" => "N",
        ));
    }

    // The IP-check disable file path is generated once and kept across re-installs.
    // NOTE(review): mt_rand() is not a cryptographic source, so the path's
    // unguessability is weaker than the md5 output length suggests.
    if (!COption::GetOptionString("security", "ipcheck_disable_file")) {
        COption::SetOptionString("security", "ipcheck_disable_file", "/bitrix/modules/ipcheck_disable_" . md5(mt_rand()));
    }

    CAgent::RemoveAgent("CSecurityFilter::ClearTmpFiles();", "security");
    CSecurityFilter::SetActive(true);
    CSecurityAntiVirus::SetActive(true);
    return true;
}
/**
 * Records the high-severity configuration findings: the web application
 * firewall being inactive and an admin security policy below "high".
 */
protected function checkSecurityLevel()
{
    $wafIsActive = CSecurityFilter::IsActive();
    if (!$wafIsActive) {
        $this->addUnformattedDetailError("SECURITY_SITE_CHECKER_WAF_OFF", CSecurityCriticalLevel::HIGHT);
    }

    $policyIsHigh = (self::AdminPolicyLevel() == "high");
    if (!$policyIsHigh) {
        $this->addUnformattedDetailError("SECURITY_SITE_CHECKER_ADMIN_SECURITY_LEVEL", CSecurityCriticalLevel::HIGHT);
    }
}
/**
 * Turns the request filter on or off by (un)registering its "main" module
 * handlers: the prolog filter and the end-of-buffer XSS detector.
 * Does nothing when the requested state already matches the current one.
 *
 * @param bool $bActive true to enable, false to disable
 */
public static function SetActive($bActive = false)
{
    $currentlyActive = CSecurityFilter::IsActive();

    if ($bActive && !$currentlyActive) {
        registerModuleDependences("main", "OnBeforeProlog", "security", "CSecurityFilter", "OnBeforeProlog", "5");
        registerModuleDependences("main", "OnEndBufferContent", "security", "CSecurityXSSDetect", "OnEndBufferContent", 9999);
    } elseif (!$bActive && $currentlyActive) {
        unregisterModuleDependences("main", "OnBeforeProlog", "security", "CSecurityFilter", "OnBeforeProlog");
        unregisterModuleDependences("main", "OnEndBufferContent", "security", "CSecurityXSSDetect", "OnEndBufferContent");
    }
}
/**
 * Records configuration findings: inactive WAF (high), admin policy below
 * "high" (high), a non-default error_reporting mask (middle) and database
 * debug output being enabled (high).
 */
protected function checkSecurityLevel()
{
    /** @global CDataBase $DB */
    global $DB;

    $wafIsActive = CSecurityFilter::IsActive();
    if (!$wafIsActive) {
        $this->addUnformattedDetailError("SECURITY_SITE_CHECKER_WAF_OFF", CSecurityCriticalLevel::HIGHT);
    }

    $policyLevel = self::AdminPolicyLevel();
    if ($policyLevel != "high") {
        $this->addUnformattedDetailError("SECURITY_SITE_CHECKER_ADMIN_SECURITY_LEVEL", CSecurityCriticalLevel::HIGHT);
    }

    // Only the fatal error classes are expected; a broader mask that is explicitly
    // configured (option not empty) is reported as a medium finding.
    $expectedMask = E_COMPILE_ERROR | E_ERROR | E_CORE_ERROR | E_PARSE;
    $configuredMask = COption::GetOptionInt("main", "error_reporting", $expectedMask);
    $maskIsCustom = $configuredMask != $expectedMask
        && COption::GetOptionString("main", "error_reporting", "") != "";
    if ($maskIsCustom) {
        $this->addUnformattedDetailError("SECURITY_SITE_CHECKER_ERROR_REPORTING", CSecurityCriticalLevel::MIDDLE);
    }

    $dbDebugEnabled = $DB->debug;
    if ($dbDebugEnabled) {
        $this->addUnformattedDetailError("SECURITY_SITE_CHECKER_DB_DEBUG", CSecurityCriticalLevel::HIGHT);
    }
}
/**
 * Checks the WAF, the redirect protection and the admin security policy,
 * recording a detail error for each failing item.
 *
 * @return string self::STATUS_FAILED when at least one item failed, else self::STATUS_PASSED
 */
protected function checkSecurityLevel()
{
    $failureCount = 0;

    if (!CSecurityFilter::IsActive()) {
        $this->addUnformattedDetailError("SECURITY_SITE_CHECKER_WAF_OFF", CSecurityCriticalLevel::HIGHT);
        $failureCount++;
    }

    if (!CSecurityRedirect::IsActive()) {
        $this->addUnformattedDetailError("SECURITY_SITE_CHECKER_REDIRECT_OFF", CSecurityCriticalLevel::MIDDLE);
        $failureCount++;
    }

    if (self::AdminPolicyLevel() != "high") {
        $this->addUnformattedDetailError("SECURITY_SITE_CHECKER_ADMIN_SECURITY_LEVEL", CSecurityCriticalLevel::HIGHT);
        $failureCount++;
    }

    return $failureCount > 0 ? self::STATUS_FAILED : self::STATUS_PASSED;
}
" enctype="multipart/form-data" name="editform"> <?php echo bitrix_sessid_post(); ?> <input type="hidden" name="lang" value="<?php echo LANG; ?> "> <?php $tabControl->Begin(); $tabControl->BeginNextTab(); ?> <tr> <td colspan="2" align="left"> <?php if (CSecurityFilter::IsActive()) { ?> <input type="hidden" name="filter_active" value="N"> <input type="submit" name="filter_siteb" value="<?php echo GetMessage("SEC_FILTER_BUTTON_OFF"); ?> "<?php if (!$canWrite) { echo " disabled"; } ?> > <?php } else { ?> <input type="hidden" name="filter_active" value="Y">
$criticalResultsCount = CSecuritySiteChecker::calculateCriticalResults($lastResults); } else { $criticalResultsCount = 0; } if (isset($lastTestingInfo["test_date"])) { $lastDate = $lastTestingInfo["test_date"]; } else { $lastDate = GetMessage("SEC_PANEL_SCANNER_NEVER_START"); } $data['scanner']['ITEMS'][] = array("KPI_NAME" => GetMessage("SEC_PANEL_SCANNER_LAST_SCAN"), "KPI_VALUE" => $lastDate, "KPI_RECOMMENDATION" => !CSecuritySiteChecker::isNewTestNeeded() ? ' ' : ($USER->isAdmin() ? '<a href="security_scanner.php?lang=' . LANGUAGE_ID . '&return_url=' . urlencode('security_panel.php?lang=' . LANGUAGE_ID) . '">' . GetMessage("SEC_PANEL_SCANNER_RUN") . '</a>' : GetMessage("SEC_PANEL_SCANNER_RUN"))); $data['scanner']['ITEMS'][] = array("KPI_NAME" => GetMessage("SEC_PANEL_SCANNER_PROBLEM_COUNT"), "KPI_VALUE" => count($lastResults), "KPI_RECOMMENDATION" => count($lastResults) <= 0 ? ' ' : ($USER->isAdmin() ? '<a href="security_scanner.php?lang=' . LANGUAGE_ID . '&return_url=' . urlencode('security_panel.php?lang=' . LANGUAGE_ID) . '">' . GetMessage("SEC_PANEL_SCANNER_FIX_IT") . '</a>' : GetMessage("SEC_PANEL_SCANNER_FIX_IT"))); $data['scanner']['ITEMS'][] = array("KPI_NAME" => GetMessage("SEC_PANEL_SCANNER_CRITICAL_PROBLEM_COUNT"), "KPI_VALUE" => $criticalResultsCount, "KPI_RECOMMENDATION" => $criticalResultsCount <= 0 ? ' ' : ($USER->isAdmin() ? '<a href="security_scanner.php?lang=' . LANGUAGE_ID . '&return_url=' . urlencode('security_panel.php?lang=' . LANGUAGE_ID) . '">' . GetMessage("SEC_PANEL_SCANNER_FIX_IT") . '</a>' : GetMessage("SEC_PANEL_SCANNER_FIX_IT"))); unset($lastTestingInfo); unset($lastResults); unset($criticalResultsCount); $bSecurityFilter = CSecurityFilter::IsActive(); $data['std']['ITEMS'][] = array("IS_OK" => $bSecurityFilter, "KPI_NAME" => GetMessage("SEC_PANEL_FILTER_NAME"), "KPI_VALUE" => $bSecurityFilter ? GetMessage("SEC_PANEL_FILTER_VALUE_ON") : GetMessage("SEC_PANEL_FILTER_VALUE_OFF"), "KPI_RECOMMENDATION" => $bSecurityFilter ? 
' ' : ($USER->CanDoOperation('security_filter_settings_write') ? '<a href="security_filter.php?lang=' . LANGUAGE_ID . '&return_url=' . urlencode('security_panel.php?lang=' . LANGUAGE_ID) . '">' . GetMessage("SEC_PANEL_FILTER_RECOMMENDATION") . '</a>' : GetMessage("SEC_PANEL_FILTER_RECOMMENDATION"))); $rsSecurityFilterExclMask = CSecurityFilterMask::GetList(); if ($rsSecurityFilterExclMask->Fetch()) { $bSecurityFilterExcl = true; } else { $bSecurityFilterExcl = false; } $data['std']['ITEMS'][] = array("IS_OK" => !$bSecurityFilterExcl, "KPI_NAME" => GetMessage("SEC_PANEL_FILTER_EXCL_NAME"), "KPI_VALUE" => $bSecurityFilterExcl ? GetMessage("SEC_PANEL_FILTER_EXCL_VALUE_ON") : GetMessage("SEC_PANEL_FILTER_EXCL_VALUE_OFF"), "KPI_RECOMMENDATION" => !$bSecurityFilterExcl ? ' ' : ($USER->CanDoOperation('security_filter_settings_write') ? '<a href="security_filter.php?lang=' . LANGUAGE_ID . '&return_url=' . urlencode('security_panel.php?lang=' . LANGUAGE_ID) . '&tabControl_active_tab=exceptions">' . GetMessage("SEC_PANEL_FILTER_EXCL_RECOMMENDATION") . '</a>' : GetMessage("SEC_PANEL_FILTER_EXCL_RECOMMENDATION"))); $days = COption::GetOptionInt("main", "event_log_cleanup_days", 7); if ($days > 7) { $days = 7; } $cntLog = 0; $rsLog = CEventLog::GetList(array(), array("TIMESTAMP_X_1" => ConvertTimeStamp(time() - $days * 24 * 3600 + CTimeZone::GetOffset(), "FULL"), "AUDIT_TYPE_ID" => "SECURITY_FILTER_SQL|SECURITY_FILTER_XSS|SECURITY_FILTER_XSS2|SECURITY_FILTER_PHP|SECURITY_REDIRECT")); while ($rsLog->Fetch()) {
/**
 * Creates or updates a calendar event stored as an iblock element, handling
 * meeting-room reservation, Exchange / CalDAV synchronisation, guest invites,
 * reminders and the JS snippet the calendar UI expects after a save.
 *
 * @param array $arParams event description. Keys read in this body: iblockId,
 *   ownerType, ownerId, calendarId, sectionId, fullUrl, userId, isMeeting,
 *   prop, location (old/new), guests, name, desc, dateFrom, dateTo, id, bNew,
 *   remind, CONFIRMED, status, meetingText, notDisplayCalendar, userIblockId,
 *   VMiblockId/RMiblockId and their allow* flags, pathToGroupCalendar,
 *   pathToUserCalendar, bCheckPermissions.
 * @return mixed the saved element ID, or whatever CEventCalendar::ThrowError()
 *   returns on failure (calendar creation, Exchange/CalDAV or iblock errors)
 */
function SaveEvent($arParams)
{
    global $DB; // NOTE(review): $DB is not used anywhere in this body
    $iblockId = $arParams['iblockId'];
    $ownerType = $arParams['ownerType'];
    $ownerId = $arParams['ownerId'];
    $bCheckPermissions = $arParams["bCheckPermissions"] !== false; // NOTE(review): computed but never read below
    $calendarId = intVal($arParams['calendarId']);
    $sectionId = $arParams['sectionId'];
    $fullUrl = $arParams['fullUrl'];
    $userId = $arParams['userId'];
    // A meeting copy that already points at a parent event: no room booking,
    // no host/guest properties and no invitations are handled for it here.
    $bIsInvitingEvent = $arParams['isMeeting'] && intval($arParams['prop']['PARENT']) > 0;
    // External calendars are only synchronised for user-owned events.
    $bExchange = CEventCalendar::IsExchangeEnabled() && $ownerType == 'USER';
    $bCalDav = CEventCalendar::IsCalDAVEnabled() && $ownerType == 'USER';

    if (!$bIsInvitingEvent) {
        // *** ADD MEETING ROOM ***
        // Release the previously booked room (video or regular) when the
        // location changed, then book the new one and encode it into LOCATION.
        $loc_old = CEventCalendar::ParseLocation($arParams['location']['old']);
        $loc_new = CEventCalendar::ParseLocation($arParams['location']['new']);
        if ($loc_old['mrid'] !== false && $loc_old['mrevid'] !== false && ($loc_old['mrid'] !== $loc_new['mrid'] || $arParams['location'])) {
            if ($loc_old['mrid'] == $arParams['VMiblockId']) {
                CEventCalendar::ReleaseVR(array('mrevid' => $loc_old['mrevid'], 'mrid' => $loc_old['mrid'], 'VMiblockId' => $arParams['VMiblockId'], 'allowVideoMeeting' => $arParams['allowVideoMeeting']));
            } else {
                CEventCalendar::ReleaseMR(array('mrevid' => $loc_old['mrevid'], 'mrid' => $loc_old['mrid'], 'RMiblockId' => $arParams['RMiblockId'], 'allowResMeeting' => $arParams['allowResMeeting']));
            }
        }
        if ($loc_new['mrid'] !== false) {
            if ($loc_new['mrid'] == $arParams['VMiblockId']) {
                $mrevid = CEventCalendar::ReserveVR(array('mrid' => $loc_new['mrid'], 'dateFrom' => $arParams['dateFrom'], 'dateTo' => $arParams['dateTo'], 'name' => $arParams['name'], 'description' => GetMessage('EC_RESERVE_FOR_EVENT') . ': ' . $arParams['name'], 'persons' => count($arParams['guests']), 'members' => $arParams['guests'], 'regularity' => $arParams['prop']['PERIOD_TYPE'], 'regularity_count' => $arParams['prop']['PERIOD_COUNT'], 'regularity_length' => $arParams['prop']['EVENT_LENGTH'], 'regularity_additional' => $arParams['prop']['PERIOD_ADDITIONAL'], 'VMiblockId' => $arParams['VMiblockId'], 'allowVideoMeeting' => $arParams['allowVideoMeeting']));
            } else {
                $mrevid = CEventCalendar::ReserveMR(array('mrid' => $loc_new['mrid'], 'dateFrom' => $arParams['dateFrom'], 'dateTo' => $arParams['dateTo'], 'name' => $arParams['name'], 'description' => GetMessage('EC_RESERVE_FOR_EVENT') . ': ' . $arParams['name'], 'persons' => $arParams['isMeeting'] && count($arParams['guests']) > 0 ? count($arParams['guests']) : 1, 'regularity' => $arParams['prop']['PERIOD_TYPE'], 'regularity_count' => $arParams['prop']['PERIOD_COUNT'], 'regularity_length' => $arParams['prop']['EVENT_LENGTH'], 'regularity_additional' => $arParams['prop']['PERIOD_ADDITIONAL'], 'RMiblockId' => $arParams['RMiblockId'], 'allowResMeeting' => $arParams['allowResMeeting']));
            }
            // Reserve*() returns a reservation ID on success, or one of the
            // strings 'reserved' / 'expire' on failure (as compared below).
            if ($mrevid && $mrevid != 'reserved' && $mrevid != 'expire' && $mrevid > 0) {
                $loc_new = 'ECMR_' . $loc_new['mrid'] . '_' . $mrevid;
                $arParams["prop"]['LOCATION'] = $loc_new;
            } else {
                // Booking failed: store an empty location and hand an error code to the UI.
                $arParams["prop"]['LOCATION'] = '';
                if ($mrevid == 'reserved') {
                    $loc_new = 'bxec_error_reserved';
                } elseif ($mrevid == 'expire') {
                    $loc_new = 'bxec_error_expire';
                } else {
                    $loc_new = 'bxec_error';
                }
            }
        } else {
            // Free-text location, stored as-is.
            $loc_new = $loc_new['str'];
            $arParams["prop"]['LOCATION'] = $loc_new;
        }
    }
    // NOTE(review): $bSocNetLog was once computed here (its assignment is
    // commented out) and is never assigned anywhere else in this function, so
    // the SocNetLog branch near the end is dead. $bPeriodic is likewise never
    // assigned here, so the JS snippet condition below reduces to the
    // notDisplayCalendar check.
    //$bSocNetLog = (!isset($arParams['bSocNetLog']) || $arParams['bSocNetLog'] != false) && !$arParams["prop"]["PRIVATE"];

    // Sanitise the description: XSS filter when the security module is
    // present, plain HTML escaping otherwise. Note the two paths do not yield
    // the same output shape (filtered HTML vs. escaped text).
    if (CModule::IncludeModule("security")) {
        $filter = new CSecurityFilter();
        $arParams['desc'] = $filter->TestXSS($arParams['desc'], 'replace');
    } else {
        $arParams['desc'] = htmlspecialcharsex($arParams['desc']);
    }

    if ($calendarId > 0) {
        // The calendar permission / nesting check that used to live here is
        // commented out; an explicitly given calendar ID is used as-is.
    } else {
        // Creating default calendar section for owner
        $bDisplayCalendar = !$arParams["notDisplayCalendar"]; // Output js with calendar description
        $newSectionId = 'none'; // by reference
        $calendarId = CECCalendar::CreateDefault(array('ownerType' => $ownerType, 'ownerId' => $ownerId, 'iblockId' => $iblockId, 'sectionId' => $sectionId), $bDisplayCalendar, $newSectionId);
        if (!$calendarId) {
            return CEventCalendar::ThrowError('2' . GetMessage('EC_CALENDAR_CREATE_ERROR'));
        }
        if ($newSectionId != 'none') {
            $arParams['sectionId'] = $newSectionId;
        }
    }
    $arParams['calendarId'] = $calendarId;

    // CONFIRMED: for an invited copy derive it from the guest status, otherwise
    // only "Q" and "Y" are accepted; anything else clears the property.
    if ($bIsInvitingEvent && !isset($arParams["CONFIRMED"]) && isset($arParams["status"])) {
        $arParams["prop"]["CONFIRMED"] = CEventCalendar::GetConfirmedID($iblockId, $arParams["status"]);
    } else {
        if ($arParams["CONFIRMED"] == "Q") {
            $arParams["prop"]["CONFIRMED"] = CEventCalendar::GetConfirmedID($iblockId, "Q");
        } elseif ($arParams["CONFIRMED"] == "Y") {
            $arParams["prop"]["CONFIRMED"] = CEventCalendar::GetConfirmedID($iblockId, "Y");
        } else {
            unset($arParams["prop"]["CONFIRMED"]);
        }
    }

    // Reminder is stored as "<count>_<type>"; false on an existing event clears it.
    if (isset($arParams["remind"])) {
        if ($arParams["remind"] !== false) {
            $arParams["prop"]["REMIND_SETTINGS"] = $arParams["remind"]['count'] . '_' . $arParams["remind"]['type'];
        } else {
            if (!$arParams['bNew']) {
                $arParams["prop"]["REMIND_SETTINGS"] = '';
            }
        }
    }

    // VERSION is bumped on every save; for an existing event the stored value is
    // read first so the counter continues rather than restarting.
    if (!isset($arParams['prop']['VERSION'])) {
        if (!$arParams['bNew']) {
            $dbProp = CIBlockElement::GetProperty($iblockId, $arParams['id'], 'sort', 'asc', array('CODE' => 'VERSION'));
            if ($arProp = $dbProp->Fetch()) {
                $arParams['prop']['VERSION'] = intval($arProp['VALUE']);
            }
        }
        if ($arParams['prop']['VERSION'] <= 0) {
            $arParams['prop']['VERSION'] = 1;
        }
        $arParams['prop']['VERSION']++;
    }

    if ($arParams['isMeeting']) {
        $arParams['prop']['IS_MEETING'] = 'Y';
    }
    if (!$bIsInvitingEvent) {
        // Host is "absent" when they organise a meeting without being in the guest list.
        $arParams['prop']['HOST_IS_ABSENT'] = $arParams['isMeeting'] && !in_array($userId, $arParams['guests']) ? 'Y' : 'N';
        if ($arParams['isMeeting'] && strlen($arParams['meetingText'])) {
            $arParams['prop']['MEETING_TEXT'] = array('VALUE' => array("TYPE" => 'text', "TEXT" => $arParams['meetingText']));
        }
    }

    $arFields = array("ACTIVE" => "Y", "IBLOCK_SECTION" => $calendarId, "IBLOCK_ID" => $iblockId, "NAME" => $arParams['name'], "ACTIVE_FROM" => $arParams['dateFrom'], "ACTIVE_TO" => $arParams['dateTo'], "DETAIL_TEXT" => $arParams['desc'], "DETAIL_TEXT_TYPE" => 'html', "MODIFIED_BY" => $GLOBALS['USER']->GetID(), "PROPERTY_VALUES" => $arParams['prop']);
    if ($ownerType == 'GROUP' && $ownerId > 0) {
        $arFields['SOCNET_GROUP_ID'] = $ownerId;
    }
    // The DAV clients read properties as flat PROPERTY_<code> keys.
    if ($bExchange || $bCalDav) {
        foreach ($arFields["PROPERTY_VALUES"] as $prKey => $prVal) {
            $arFields["PROPERTY_" . $prKey] = $prVal;
        }
    }

    // If it's EXCHANGE - we try to save event to exchange
    if ($bExchange) {
        $calendarXmlId = CECCalendar::GetExchangeXmlId($iblockId, $calendarId);
        if (strlen($calendarXmlId) > 0 && $calendarXmlId !== 0) {
            if ($arParams['bNew']) {
                $exchRes = CDavExchangeCalendar::DoAddItem($ownerId, $calendarXmlId, $arFields);
            } else {
                $eventModLabel = CECEvent::GetExchModLabel($iblockId, $arParams['id']);
                $eventXmlId = CECEvent::GetExchangeXmlId($iblockId, $arParams['id']);
                $exchRes = CDavExchangeCalendar::DoUpdateItem($ownerId, $eventXmlId, $eventModLabel, $arFields);
            }
            if (!is_array($exchRes) || !array_key_exists("XML_ID", $exchRes)) {
                return CEventCalendar::ThrowError(CEventCalendar::CollectExchangeErros($exchRes));
            }
            // It's ok, we successfuly save event to exchange calendar - and save it to DB
            $arFields['XML_ID'] = $exchRes['XML_ID'];
            $arFields['PROPERTY_VALUES']['BXDAVEX_LABEL'] = $exchRes['MODIFICATION_LABEL'];
        }
    }

    if ($bCalDav) {
        $connectionId = CECCalendar::GetCalDAVConnectionId($iblockId, $calendarId);
        if ($connectionId > 0) {
            $calendarCalDAVXmlId = CECCalendar::GetCalDAVXmlId($iblockId, $calendarId);
            if ($arParams['bNew']) {
                $DAVRes = CDavGroupdavClientCalendar::DoAddItem($connectionId, $calendarCalDAVXmlId, $arFields);
            } else {
                $eventCalDAVModLabel = CECEvent::GetCalDAVModLabel($iblockId, $arParams['id']);
                $eventXmlId = CECEvent::GetExchangeXmlId($iblockId, $arParams['id']);
                $DAVRes = CDavGroupdavClientCalendar::DoUpdateItem($connectionId, $calendarCalDAVXmlId, $eventXmlId, $eventCalDAVModLabel, $arFields);
            }
            if (!is_array($DAVRes) || !array_key_exists("XML_ID", $DAVRes)) {
                return CEventCalendar::ThrowError(CEventCalendar::CollectCalDAVErros($DAVRes));
            }
            // It's ok, we successfuly save event to caldav calendar - and save it to DB
            $arFields['XML_ID'] = $DAVRes['XML_ID'];
            $arFields['PROPERTY_VALUES']['BXDAVCD_LABEL'] = $DAVRes['MODIFICATION_LABEL'];
        }
    }

    // Persist the element: Update for an existing ID, Add for a new event.
    $bs = new CIBlockElement();
    $res = false;
    if (!$arParams['bNew']) {
        $ID = $arParams['id'];
        if ($ID > 0) {
            $res = $bs->Update($ID, $arFields, false);
        }
    } else {
        //This sets appropriate owner if event created by owner of the meeting and this calendar belongs to guest which is not current user
        if ($ownerType == 'USER' && $ownerId > 0 && $userId != $ownerId) {
            $arFields['CREATED_BY'] = $ownerId;
        }
        $ID = $bs->Add($arFields, false);
        $res = $ID > 0;
    }

    // NOTE(review): guests are invited before $res is checked, so an invite
    // can be sent even when the element save failed. $arGuestConfirm is only
    // defined on this path and is echoed unconditionally below.
    if ($arParams['isMeeting'] && !$bIsInvitingEvent) {
        $this->CheckParentProperty($arParams['userIblockId'], $iblockId);
        $arGuestConfirm = $this->InviteGuests($ID, $arFields, $arParams['guests'], $arParams);
    }
    if (!$res) {
        return CEventCalendar::ThrowError('4' . $bs->LAST_ERROR);
    } else {
        CIBlockElement::RecalcSections($ID);
    }

    // Emit the saved event for the calendar UI. NOTE(review): dateFrom/dateTo
    // are written into JS string literals without CUtil::JSEscape, unlike name,
    // desc and LOC; confirm they are validated as dates before reaching here.
    // $loc_new is only assigned on the non-inviting path above.
    if (!$bPeriodic && !$arParams["notDisplayCalendar"]) {
        if ($arParams['bNew']) {
            ?> <script>window._bx_new_event = {ID: <?php echo $ID; ?> , IBLOCK_ID: '<?php echo $iblockId; ?> ', LOC: '<?php echo CUtil::JSEscape($loc_new); ?> ', arGuestConfirm: <?php echo CUtil::PhpToJSObject($arGuestConfirm); ?> };</script><?php
        } else {
            ?> <script>window._bx_existent_event = {ID: <?php echo intVal($ID); ?> , NAME : '<?php echo CUtil::JSEscape($arParams['name']); ?> ', DETAIL_TEXT: '<?php echo CUtil::JSEscape($arParams['desc']); ?> ', DATE_FROM : '<?php echo $arParams['dateFrom']; ?> ', DATE_TO : '<?php echo $arParams['dateTo']; ?> ', LOC: '<?php echo CUtil::JSEscape($loc_new); ?> ', arGuestConfirm: <?php echo CUtil::PhpToJSObject($arGuestConfirm); ?> };</script> <?php
        }
    }

    $this->ClearCache($this->cachePath . 'events/' . $iblockId . '/');

    // Dead branch: see the note on $bSocNetLog above.
    if ($bSocNetLog && $ownerType) {
        CEventCalendar::SocNetLog(array('iblockId' => $iblockId, 'ownerType' => $ownerType, 'ownerId' => $ownerId, 'target' => $arParams['bNew'] ? 'add_event' : 'edit_event', 'id' => $ID, 'name' => $arParams['name'], 'desc' => $arParams['desc'], 'from' => $arParams['dateFrom'], 'to' => $arParams['dateTo'], 'calendarId' => $calendarId, 'accessibility' => $arParams["prop"]["ACCESSIBILITY"], 'importance' => $arParams["prop"]["IMPORTANCE"], 'pathToGroupCalendar' => $arParams["pathToGroupCalendar"], 'pathToUserCalendar' => $arParams["pathToUserCalendar"]));
    }

    // A "remind" key (even false) (re)schedules the reminder agent for the event.
    if (array_key_exists("remind", $arParams)) {
        CECEvent::AddReminder(array('iblockId' => $iblockId, 'ownerType' => $ownerType, 'ownerId' => $ownerId, 'userId' => $userId, 'fullUrl' => $fullUrl, 'id' => $ID, 'dateFrom' => $arParams['dateFrom'], 'remind' => $arParams["remind"], 'bNew' => $arParams['bNew']));
    }
    return $ID;
}
global $APPLICATION; /** @global CUser $USER */ global $USER; $APPLICATION->SetAdditionalCSS('/bitrix/gadgets/bitrix/admin_security/styles.css'); $aGlobalOpt = CUserOptions::GetOption("global", "settings", array()); $bShowSecurity = file_exists($_SERVER["DOCUMENT_ROOT"] . "/bitrix/modules/security/install/index.php") && $aGlobalOpt['messages']['security'] != 'N'; if (!$bShowSecurity) { return false; } $bSecModuleInstalled = CModule::IncludeModule("security"); if ($bSecModuleInstalled) { $bSecurityFilter = CSecurityFilter::IsActive(); if ($bSecurityFilter) { $lamp_class = " bx-gadgets-info"; $text2_class = "green"; $securityEventsCount = CSecurityFilter::GetEventsCount(); if ($securityEventsCount > 0) { $text2 = GetMessage("GD_SECURITY_EVENT_COUNT"); } else { $text2 = GetMessage("GD_SECURITY_EVENT_COUNT_EMPTY"); } if ($securityEventsCount > 999) { $securityEventsCount = round($securityEventsCount / 1000, 1) . 'K'; } } else { $lamp_class = " bx-gadgets-note"; $text2_class = "red"; $text2 = GetMessage("GD_SECURITY_FILTER_OFF_DESC"); $securityEventsCount = 0; } $minSecurityVersionForScan = "12.5.0";
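/**
 * Evaluates one item of the security checklist.
 *
 * @param array $arParams checklist request; $arParams["ACTION"] selects the
 *   check: "SECURITY_LEVEL" (module installed, filter exceptions, WAF active,
 *   registration CAPTCHA, admin policy, error_reporting mask, DB debug) or
 *   "ADMIN_POLICY" (admin policy only).
 * @return array STATUS (bool) plus, when set, MESSAGE => array with PREVIEW
 *   and optionally DETAIL text. An unknown ACTION yields STATUS false only.
 */
function CheckSecurity($arParams)
{
    global $DB;
    // Initialised up front so every branch (and the unknown-action case)
    // returns a well-formed array.
    $arResult = array("STATUS" => false);

    switch ($arParams["ACTION"]) {
        case "SECURITY_LEVEL":
            if (!IsModuleInstalled("security")) {
                $arResult = array(
                    "STATUS" => false,
                    "MESSAGE" => array("PREVIEW" => GetMessage("CL_SECURITY_MODULE_NOT_INSTALLED") . "\n"),
                );
                break;
            }

            // Numbered list of findings; an empty string means every check passed.
            $arMessage = "";
            $err = 1;
            if (CSecurityFilterMask::GetList()->Fetch()) {
                $arMessage .= $err++ . ". " . GetMessage("CL_FILTER_EXEPTION_FOUND") . "\n";
            }
            if (!CSecurityFilter::IsActive()) {
                $arMessage .= $err++ . ". " . GetMessage("CL_FILTER_NON_ACTIVE") . "\n";
            }
            if (COption::GetOptionString("main", "captcha_registration", "N") == "N") {
                $arMessage .= $err++ . ". " . GetMessage("CL_CAPTCHA_NOT_USE") . "\n";
            }
            if (CCheckListTools::AdminPolicyLevel() != "high") {
                $arMessage .= $err++ . ". " . GetMessage("CL_ADMIN_SECURITY_LEVEL") . "\n";
            }
            // Only the fatal error classes are expected; a broader mask that is
            // explicitly configured is flagged. The "option is set" test compares
            // the raw option with "" rather than 0: `"" != 0` is true on PHP 8, which
            // would have turned an unset option into a finding.
            $validErrorReporting = E_COMPILE_ERROR | E_ERROR | E_CORE_ERROR | E_PARSE;
            if (COption::GetOptionInt("main", "error_reporting", $validErrorReporting) != $validErrorReporting
                && COption::GetOptionString("main", "error_reporting", "") != "") {
                $arMessage .= $err++ . ". " . GetMessage("CL_ERROR_REPORTING_LEVEL") . "\n";
            }
            if ($DB->debug) {
                $arMessage .= $err++ . ". " . GetMessage("CL_DBDEBUG_TURN_ON") . "\n";
            }

            if ($arMessage !== "") {
                $arResult["STATUS"] = false;
                $arResult["MESSAGE"] = array(
                    "PREVIEW" => GetMessage("CL_MIN_LEVEL_SECURITY"),
                    "DETAIL" => GetMessage("CL_ERROR_FOUND") . "\n" . $arMessage,
                );
            } else {
                $arResult["STATUS"] = true;
                $arResult["MESSAGE"] = array("PREVIEW" => GetMessage("CL_LEVEL_SECURITY") . "\n");
            }
            break;

        case "ADMIN_POLICY":
            if (CCheckListTools::AdminPolicyLevel() != "high") {
                // STATUS stays false from the initialisation above.
                $arResult["MESSAGE"]["PREVIEW"] = GetMessage("CL_ADMIN_SECURITY_LEVEL") . "\n";
            } else {
                $arResult = array(
                    "STATUS" => true,
                    "MESSAGE" => array("PREVIEW" => GetMessage("CL_ADMIN_SECURITY_LEVEL_IS_HIGH") . "\n"),
                );
            }
            break;
    }
    return $arResult;
}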
/**
 * Lists tasks of the given iblock, decorating each element with "_PRINTABLE"
 * variants of its fields and properties, the owner (user/group) it belongs
 * to, its workflow document state and the current user's permissions on it.
 *
 * @param int $iblockId tasks iblock ID
 * @param array $arOrder passed to CIBlockElement::GetList
 * @param array $arFilter passed to CIBlockElement::GetList; IBLOCK_ID and
 *   SHOW_NEW are forced
 * @param bool|array $arGroupBy passed to CIBlockElement::GetList
 * @param bool|array $arNavStartParams passed to CIBlockElement::GetList
 * @param array $arSelectFields fields to select; when non-empty the fields this
 *   function needs (IBLOCK_SECTION_ID, ID, IBLOCK_ID, CREATED_BY) are appended
 * @return CDBResult result initialised from the decorated task arrays
 */
function GetTasksList($iblockId, $arOrder = array("SORT" => "ASC"), $arFilter = array(), $arGroupBy = false, $arNavStartParams = false, $arSelectFields = array())
{
    global $USER;
    $iblockId = IntVal($iblockId);
    $arFilter["IBLOCK_ID"] = $iblockId;
    $arFilter["SHOW_NEW"] = "Y";

    // An explicit select list must still contain the fields used below.
    if (count($arSelectFields) > 0) {
        if (!in_array("IBLOCK_SECTION_ID", $arSelectFields)) {
            $arSelectFields[] = "IBLOCK_SECTION_ID";
        }
        if (!in_array("ID", $arSelectFields)) {
            $arSelectFields[] = "ID";
        }
        if (!in_array("IBLOCK_ID", $arSelectFields)) {
            $arSelectFields[] = "IBLOCK_ID";
        }
        if (!in_array("CREATED_BY", $arSelectFields)) {
            $arSelectFields[] = "CREATED_BY";
        }
    }

    $arResultList = array();
    // Per-owner cache of the current user's socnet roles, keyed "<type>_<ownerId>".
    $arCache = array();
    // With the security module available, text is passed through the XSS
    // filter; otherwise the pre-escaped value is used with nl2br().
    $isInSecurity = CModule::IncludeModule("security");
    $dbTasksList = CIBlockElement::GetList($arOrder, $arFilter, $arGroupBy, $arNavStartParams, $arSelectFields);
    while ($obTask = $dbTasksList->GetNextElement()) {
        $arResult = array();
        $arFields = $obTask->GetFields();
        // "~" keys hold the raw (unescaped) values; they are consumed via $arFields below.
        foreach ($arFields as $fieldKey => $fieldValue) {
            if (substr($fieldKey, 0, 1) == "~") {
                continue;
            }
            $arResult[$fieldKey] = $fieldValue;
            if (in_array($fieldKey, array("MODIFIED_BY", "CREATED_BY"))) {
                $arResult[$fieldKey . "_PRINTABLE"] = CIntranetTasks::PrepareUserForPrint($fieldValue);
            } elseif ($fieldKey == "DETAIL_TEXT") {
                if ($isInSecurity) {
                    $filter = new CSecurityFilter();
                    $arResult["DETAIL_TEXT_PRINTABLE"] = $filter->TestXSS($arFields["~DETAIL_TEXT"]);
                    $arResult["DETAIL_TEXT"] = $arResult["DETAIL_TEXT_PRINTABLE"];
                } else {
                    $arResult["DETAIL_TEXT_PRINTABLE"] = nl2br($arFields["DETAIL_TEXT"]);
                    $arResult["DETAIL_TEXT"] = $arFields["DETAIL_TEXT"];
                }
            } else {
                $arResult[$fieldKey . "_PRINTABLE"] = $fieldValue;
            }
        }

        $arProperties = $obTask->GetProperties();
        foreach ($arProperties as $propertyKey => $propertyValue) {
            $arResult["PROPERTY_" . $propertyKey] = $propertyValue["VALUE"];
            if (strtoupper($propertyKey) == "TASKCOMPLETE") {
                // Completion percentage rendered as a progress bar, clamped to 0..100.
                $ps = intval($propertyValue["VALUE"]);
                if ($ps > 100) {
                    $ps = 100;
                } elseif ($ps < 0) {
                    $ps = 0;
                }
                $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"] = '<div class="task-complete-bar-out" title="' . GetMessage("INTASK_L_TASKCOMPLETE", array("#PRC#" => IntVal($propertyValue["VALUE"]))) . '">';
                if ($ps > 0) {
                    $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"] .= '<div class="task-complete-bar-in" style="width:' . $ps . '%;"><div class="empty"></div></div>';
                }
                $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"] .= '</div>';
            } elseif (strlen($propertyValue["USER_TYPE"]) > 0) {
                if ($propertyValue["USER_TYPE"] == "UserID") {
                    $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"] = CIntranetTasks::PrepareUserForPrint($propertyValue["VALUE"]);
                } else {
                    $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"] = $propertyValue["VALUE"];
                }
            } elseif ($propertyValue["PROPERTY_TYPE"] == "G") {
                // Section binding: printable form is section ID => section name.
                $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"] = array();
                $vx = CIntranetTasks::PrepareSectionForPrint($propertyValue["VALUE"], $propertyValue["LINK_IBLOCK_ID"]);
                foreach ($vx as $vx1 => $vx2) {
                    $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"][$vx1] = $vx2["NAME"];
                }
            } elseif ($propertyValue["PROPERTY_TYPE"] == "L") {
                // List property: re-key values by their enum ID (single values are wrapped).
                $arResult["PROPERTY_" . $propertyKey] = array();
                $arPropertyValue = $propertyValue["VALUE"];
                $arPropertyKey = $propertyValue["VALUE_ENUM_ID"];
                if (!is_array($arPropertyValue)) {
                    $arPropertyValue = array($arPropertyValue);
                    $arPropertyKey = array($arPropertyKey);
                }
                for ($i = 0, $cnt = count($arPropertyValue); $i < $cnt; $i++) {
                    $arResult["PROPERTY_" . $propertyKey][$arPropertyKey[$i]] = $arPropertyValue[$i];
                }
                $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"] = $arResult["PROPERTY_" . $propertyKey];
            } elseif ($propertyValue["PROPERTY_TYPE"] == "S" && $propertyValue["ROW_COUNT"] > 1) {
                // Multi-line string property: filtered/escaped per value, arrays element-wise.
                if (is_array($propertyValue["VALUE"])) {
                    $arResult["PROPERTY_" . $propertyKey] = array();
                    $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"] = array();
                    if ($isInSecurity) {
                        foreach ($propertyValue["~VALUE"] as $k => $v) {
                            $filter = new CSecurityFilter();
                            $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"][$k] = $filter->TestXSS($v);
                            $arResult["PROPERTY_" . $propertyKey][$k] = $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"][$k];
                        }
                    } else {
                        foreach ($propertyValue["VALUE"] as $k => $v) {
                            $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"][$k] = nl2br($v);
                            $arResult["PROPERTY_" . $propertyKey][$k] = $v;
                        }
                    }
                } else {
                    if ($isInSecurity) {
                        $filter = new CSecurityFilter();
                        $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"] = $filter->TestXSS($propertyValue["~VALUE"]);
                        $arResult["PROPERTY_" . $propertyKey] = $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"];
                    } else {
                        $arResult["PROPERTY_" . $propertyKey . "_PRINTABLE"] = nl2br($propertyValue["VALUE"]);
                        $arResult["PROPERTY_" . $propertyKey] = $propertyValue["VALUE"];
                    }
                }
            }
        }

        // Walk the section chain: the first entry is the root and decides whether
        // this is a user task (owner = assignee) or a group task (owner = group XML_ID);
        // the remaining entries become the printable section path.
        // NOTE(review): $taskType and $ownerId are only assigned inside this loop,
        // so when PrepareSectionForPrint() yields nothing they are undefined on the
        // first task and stale (from the previous task) on later ones; the
        // permission flags below are then computed against the wrong owner.
        $arResult["ROOT_SECTION_ID"] = 0;
        $arResult["IBLOCK_SECTION_ID_PRINTABLE"] = array();
        $v = CIntranetTasks::PrepareSectionForPrint($arResult["IBLOCK_SECTION_ID"], $iblockId);
        if (is_array($v)) {
            foreach ($v as $k1 => $v1) {
                if ($arResult["ROOT_SECTION_ID"] == 0) {
                    $arResult["ROOT_SECTION_ID"] = $k1;
                    $taskType = $v1["XML_ID"] == "users_tasks" ? "user" : "group";
                    $ownerId = $taskType == "user" ? $arResult["PROPERTY_TaskAssignedTo"] : $v1["XML_ID"];
                } else {
                    $arResult["IBLOCK_SECTION_ID_PRINTABLE"][$k1] = $v1["NAME"];
                }
            }
        }

        // Socnet roles of the current user towards the owner, cached per owner.
        if (!array_key_exists($taskType . "_" . $ownerId, $arCache)) {
            $arCurrentUserGroups = array();
            if ($taskType == "group") {
                $arCurrentUserGroups[] = SONET_ROLES_ALL;
                if ($GLOBALS["USER"]->IsAuthorized()) {
                    $arCurrentUserGroups[] = SONET_ROLES_AUTHORIZED;
                }
                $r = CSocNetUserToGroup::GetUserRole($USER->GetID(), $ownerId);
                if (strlen($r) > 0) {
                    $arCurrentUserGroups[] = $r;
                }
            } else {
                $arCurrentUserGroups[] = SONET_RELATIONS_TYPE_ALL;
                if ($GLOBALS["USER"]->IsAuthorized()) {
                    $arCurrentUserGroups[] = SONET_RELATIONS_TYPE_AUTHORIZED;
                }
                if (CSocNetUserRelations::IsFriends($USER->GetID(), $ownerId)) {
                    $arCurrentUserGroups[] = SONET_RELATIONS_TYPE_FRIENDS;
                }
            }
            $arCache[$taskType . "_" . $ownerId] = $arCurrentUserGroups;
        }
        // Task-specific roles are appended to a copy, so the cache stays per-owner.
        // NOTE(review): the ID comparisons below are loose (==, in_array without
        // strict); they decide the author/responsible/tracker roles that feed the
        // permission checks, so confirm the compared values are always integers.
        $arCurrentUserGroups = $arCache[$taskType . "_" . $ownerId];
        if ($USER->GetID() == $arResult["CREATED_BY"]) {
            $arCurrentUserGroups[] = "author";
        }
        if ($USER->GetID() == $arResult["PROPERTY_TaskAssignedTo"]) {
            $arCurrentUserGroups[] = "responsible";
        }
        if (is_array($arResult["PROPERTY_TaskTrackers"]) && in_array($USER->GetID(), $arResult["PROPERTY_TaskTrackers"])) {
            $arCurrentUserGroups[] = "trackers";
        }

        // Workflow state; when several states exist only the last one survives
        // in DocumentState, each one being overwritten in turn.
        $arResult["DocumentState"] = array();
        $arDocumentStates = CBPDocument::GetDocumentStates(array("intranet", "CIntranetTasksDocument", "x" . $iblockId), array("intranet", "CIntranetTasksDocument", $arResult["ID"]));
        $kk = array_keys($arDocumentStates);
        foreach ($kk as $k) {
            $arResult["DocumentState"] = $arDocumentStates[$k];
            $arResult["DocumentState"]["AllowableEvents"] = CBPDocument::GetAllowableEvents($GLOBALS["USER"]->GetID(), $arCurrentUserGroups, $arDocumentStates[$k]);
        }

        $arResult["TaskType"] = $taskType;
        $arResult["OwnerId"] = $ownerId;
        // Per-operation permission flags for the current user on this task.
        $arResult["CurrentUserCanViewTask"] = CIntranetTasksDocument::CanUserOperateDocument(INTASK_DOCUMENT_OPERATION_READ_DOCUMENT, $GLOBALS["USER"]->GetID(), $arResult["ID"], array("TaskType" => $taskType, "OwnerId" => $ownerId, "AllUserGroups" => $arCurrentUserGroups, "DocumentStates" => $arDocumentStates));
        $arResult["CurrentUserCanCommentTask"] = CIntranetTasksDocument::CanUserOperateDocument(INTASK_DOCUMENT_OPERATION_COMMENT_DOCUMENT, $GLOBALS["USER"]->GetID(), $arResult["ID"], array("TaskType" => $taskType, "OwnerId" => $ownerId, "AllUserGroups" => $arCurrentUserGroups, "DocumentStates" => $arDocumentStates));
        $arResult["CurrentUserCanDeleteTask"] = CIntranetTasksDocument::CanUserOperateDocument(INTASK_DOCUMENT_OPERATION_DELETE_DOCUMENT, $GLOBALS["USER"]->GetID(), $arResult["ID"], array("TaskType" => $taskType, "OwnerId" => $ownerId, "AllUserGroups" => $arCurrentUserGroups, "DocumentStates" => $arDocumentStates));
        $arResult["CurrentUserCanWriteTask"] = CIntranetTasksDocument::CanUserOperateDocument(INTASK_DOCUMENT_OPERATION_WRITE_DOCUMENT, $GLOBALS["USER"]->GetID(), $arResult["ID"], array("TaskType" => $taskType, "OwnerId" => $ownerId, "AllUserGroups" => $arCurrentUserGroups, "DocumentStates" => $arDocumentStates));
        $arResultList[] = $arResult;
    }

    $dbTasksList = new CDBResult();
    $dbTasksList->InitFromArray($arResultList);
    return $dbTasksList;
}
/**
 * Enables or disables the request filter by registering / unregistering its
 * two "main" module handlers (prolog filter, end-of-buffer XSS detector).
 * A request that matches the current state is a no-op.
 *
 * @param bool $bActive true to enable, false to disable
 */
public static function SetActive($bActive = false)
{
    $isActiveNow = CSecurityFilter::IsActive();

    if (!$bActive) {
        if ($isActiveNow) {
            UnRegisterModuleDependences("main", "OnBeforeProlog", "security", "CSecurityFilter", "OnBeforeProlog");
            UnRegisterModuleDependences("main", "OnEndBufferContent", "security", "CSecurityXSSDetect", "OnEndBufferContent");
        }
        return;
    }

    if (!$isActiveNow) {
        // Sort "5" runs the filter early in the prolog; 9999 runs the XSS
        // detector after other buffer handlers.
        RegisterModuleDependences("main", "OnBeforeProlog", "security", "CSecurityFilter", "OnBeforeProlog", "5");
        RegisterModuleDependences("main", "OnEndBufferContent", "security", "CSecurityXSSDetect", "OnEndBufferContent", 9999);
    }
}
/**
 * Sets the filter action, ignoring values CSecurityFilter::isActionValid()
 * rejects (the current action is left untouched in that case).
 *
 * @param string $pAction action name to apply
 */
protected function setAction($pAction)
{
    $isKnownAction = CSecurityFilter::isActionValid($pAction);
    if (!$isKnownAction) {
        return;
    }
    $this->action = $pAction;
}
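/**
 * Load one intranet task (an element of the "iblock_tasks" iblock) as a
 * business-process document.
 *
 * Every element field and property is copied into the result under its own key,
 * and a display-ready twin is stored under the same key with a "_PRINTABLE"
 * suffix. Keys beginning with "~" (the unescaped value the iblock API returns next
 * to the escaped one) are never copied wholesale; the raw DETAIL_TEXT and raw
 * multi-row string properties are read explicitly and, when the "security" module
 * is available, passed through CSecurityFilter::TestXSS in 'replace' mode instead
 * of being HTML-escaped. Finally the element's section path is resolved into
 * ROOT_SECTION_ID, TaskType ("user" or "group") and OwnerId.
 *
 * Fix: the section-link ("G") property branch compared an undefined $arField and
 * so was never taken; it now tests $propertyValue["PROPERTY_TYPE"].
 *
 * @param int|string   $documentId      Element ID of the task.
 * @param string|false $nameTemplate    Name format for CIntranetTasks::PrepareUserForPrint.
 * @param bool         $bShowLogin      Passed through to PrepareUserForPrint.
 * @param bool         $bShowTooltip    Passed through to PrepareUserForPrint.
 * @param array|false  $arTooltipParams Passed through to PrepareUserForPrint.
 * @return array|false The document array, or false when the tasks iblock is not
 *                     configured or no element with $documentId exists in it.
 */
public function GetDocument($documentId, $nameTemplate = false, $bShowLogin = true, $bShowTooltip = false, $arTooltipParams = false)
{
    $iblockId = COption::GetOptionInt("intranet", "iblock_tasks", 0);
    if ($iblockId <= 0) {
        return false;
    }

    $isInSecurity = CModule::IncludeModule("security");

    $dbResult = CIBlockElement::GetList(array(), array("ID" => $documentId, "SHOW_NEW" => "Y", "IBLOCK_ID" => $iblockId));
    $objResult = $dbResult->GetNextElement();
    if (!$objResult) {
        return false;
    }

    // One filter instance serves every TestXSS() call below; null means "security
    // module absent", in which case the escaped values are displayed as-is.
    $filter = $isInSecurity ? new CSecurityFilter() : null;

    $arPrint = array(
        "NAME_TEMPLATE" => $nameTemplate,
        "SHOW_LOGIN" => $bShowLogin,
        "SHOW_TOOLTIP" => $bShowTooltip,
        "TOOLTIP_PARAMS" => $arTooltipParams,
    );

    $arResult = self::prepareDocumentFields($objResult->GetFields(), $filter, $arPrint);

    foreach ($objResult->GetProperties() as $propertyKey => $propertyValue) {
        $arResult = array_replace($arResult, self::prepareDocumentProperty($propertyKey, $propertyValue, $filter, $arPrint));
    }

    return array_replace($arResult, self::resolveDocumentSection($arResult));
}

/**
 * Copy element fields into a new document array with *_PRINTABLE twins.
 *
 * MODIFIED_BY and CREATED_BY are expanded through PrepareUserForPrint. DETAIL_TEXT
 * is special-cased: with the security filter, the raw text (or the escaped text
 * when ~DETAIL_TEXT_TYPE is "text") is XSS-filtered for display and the raw text
 * becomes the document value; without it, the escaped text is used for both, with
 * line breaks converted for display.
 *
 * @param array                $arFields Result of GetNextElement()->GetFields().
 * @param CSecurityFilter|null $filter   Null when the security module is unavailable.
 * @param array                $arPrint  See printableUser().
 * @return array
 */
private static function prepareDocumentFields($arFields, $filter, $arPrint)
{
    $arResult = array();

    foreach ($arFields as $fieldKey => $fieldValue) {
        // "~"-prefixed keys hold the unescaped value of the same field.
        if (substr($fieldKey, 0, 1) == "~") {
            continue;
        }

        $arResult[$fieldKey] = $fieldValue;

        if (in_array($fieldKey, array("MODIFIED_BY", "CREATED_BY"), true)) {
            $arResult[$fieldKey . "_PRINTABLE"] = self::printableUser($fieldValue, $arPrint);
        } elseif ($fieldKey == "DETAIL_TEXT") {
            $isPlainText = $arFields["~DETAIL_TEXT_TYPE"] == "text";
            if ($filter !== null) {
                // HTML-typed text keeps its markup: TestXSS in 'replace' mode only
                // neutralises detected XSS payloads, it does not escape the string.
                $arResult["DETAIL_TEXT_PRINTABLE"] = $filter->TestXSS($isPlainText ? $arFields["DETAIL_TEXT"] : $arFields["~DETAIL_TEXT"], 'replace');
                // NOTE: in this branch the document value is the raw (unescaped) text.
                $arResult["DETAIL_TEXT"] = $isPlainText ? nl2br($arFields["~DETAIL_TEXT"]) : $arFields["~DETAIL_TEXT"];
            } else {
                $arResult["DETAIL_TEXT_PRINTABLE"] = nl2br($arFields["DETAIL_TEXT"]);
                $arResult["DETAIL_TEXT"] = $arFields["DETAIL_TEXT"];
            }
        } else {
            $arResult[$fieldKey . "_PRINTABLE"] = $fieldValue;
        }
    }

    return $arResult;
}

/**
 * Shortcut for CIntranetTasks::PrepareUserForPrint with the caller's display options.
 *
 * @param mixed $userId  User ID or array of IDs, as stored in the field/property.
 * @param array $arPrint NAME_TEMPLATE, SHOW_LOGIN, SHOW_TOOLTIP, TOOLTIP_PARAMS.
 * @return mixed Whatever PrepareUserForPrint returns.
 */
private static function printableUser($userId, $arPrint)
{
    return CIntranetTasks::PrepareUserForPrint($userId, $arPrint["NAME_TEMPLATE"], $arPrint["SHOW_LOGIN"], $arPrint["SHOW_TOOLTIP"], $arPrint["TOOLTIP_PARAMS"]);
}

/**
 * Build the PROPERTY_<code> and PROPERTY_<code>_PRINTABLE entries for one property.
 *
 * Multiple values are keyed by PROPERTY_VALUE_ID. The printable form depends on
 * the property kind: "UserID" user-type values become user names, section links
 * ("G") become section names, list values ("L") are keyed by VALUE_ENUM_ID, and
 * multi-row strings ("S" with ROW_COUNT > 1) are XSS-filtered from the raw ~VALUE
 * (security module present) or nl2br-formatted from the escaped VALUE (module
 * absent). Everything else is displayed as-is.
 *
 * @param string               $propertyKey   Property code.
 * @param array                $propertyValue One entry of GetNextElement()->GetProperties().
 * @param CSecurityFilter|null $filter        Null when the security module is unavailable.
 * @param array                $arPrint       See printableUser().
 * @return array Two entries: the document value and its printable twin.
 */
private static function prepareDocumentProperty($propertyKey, $propertyValue, $filter, $arPrint)
{
    $value = $propertyValue["VALUE"];

    if (is_array($value)) {
        $docValue = array();
        foreach ($value as $k => $v) {
            $docValue[$propertyValue["PROPERTY_VALUE_ID"][$k]] = $v;
        }
    } else {
        $docValue = $value;
    }
    $printValue = $value;

    if ((string)$propertyValue["USER_TYPE"] !== "") {
        // Only the UserID user type gets a special display; others stay as-is.
        if ($propertyValue["USER_TYPE"] == "UserID") {
            $printValue = self::printableUser($value, $arPrint);
        }
    } elseif ($propertyValue["PROPERTY_TYPE"] == "G") {
        // Was `$arField["PROPERTY_TYPE"]` — an undefined variable, so section
        // links were never expanded to names.
        $printValue = array();
        foreach (CIntranetTasks::PrepareSectionForPrint($value, $propertyValue["LINK_IBLOCK_ID"]) as $sectionId => $section) {
            $printValue[$sectionId] = $section["NAME"];
        }
    } elseif ($propertyValue["PROPERTY_TYPE"] == "L") {
        $enumValues = is_array($value) ? $value : array($value);
        $enumIds = is_array($value) ? $propertyValue["VALUE_ENUM_ID"] : array($propertyValue["VALUE_ENUM_ID"]);
        $docValue = array();
        foreach ($enumValues as $i => $enumValue) {
            $docValue[$enumIds[$i]] = $enumValue;
        }
        $printValue = $docValue;
    } elseif ($propertyValue["PROPERTY_TYPE"] == "S" && $propertyValue["ROW_COUNT"] > 1) {
        if (is_array($value)) {
            $docValue = array();
            $printValue = array();
            if ($filter !== null) {
                // Raw markup is kept; only detected XSS is replaced.
                foreach ($propertyValue["~VALUE"] as $k => $rawText) {
                    $printValue[$k] = $filter->TestXSS($rawText, 'replace');
                    $docValue[$k] = $printValue[$k];
                }
            } else {
                foreach ($value as $k => $escapedText) {
                    $printValue[$k] = nl2br($escapedText);
                    $docValue[$k] = $escapedText;
                }
            }
        } elseif ($filter !== null) {
            $printValue = $filter->TestXSS($propertyValue["~VALUE"], 'replace');
            $docValue = $printValue;
        } else {
            $printValue = nl2br($value);
            $docValue = $value;
        }
    }

    return array(
        "PROPERTY_" . $propertyKey => $docValue,
        "PROPERTY_" . $propertyKey . "_PRINTABLE" => $printValue,
    );
}

/**
 * Resolve the element's section path into ownership information.
 *
 * The first section returned by PrepareSectionForPrint becomes ROOT_SECTION_ID and
 * decides TaskType ("user" when its XML_ID is "users_tasks", else "group") and
 * OwnerId (PROPERTY_TaskAssignedTo for user tasks, the section XML_ID otherwise);
 * the remaining sections are listed by name in IBLOCK_SECTION_ID_PRINTABLE.
 *
 * @param array $arResult Document built so far (reads IBLOCK_SECTION_ID and PROPERTY_TaskAssignedTo).
 * @return array ROOT_SECTION_ID, IBLOCK_SECTION_ID_PRINTABLE and, when a root was found, TaskType and OwnerId.
 */
private static function resolveDocumentSection($arResult)
{
    $section = array(
        "ROOT_SECTION_ID" => 0,
        "IBLOCK_SECTION_ID_PRINTABLE" => array(),
    );

    foreach (CIntranetTasks::PrepareSectionForPrint($arResult["IBLOCK_SECTION_ID"]) as $sectionId => $sectionInfo) {
        if ($section["ROOT_SECTION_ID"] == 0) {
            $section["ROOT_SECTION_ID"] = $sectionId;
            $section["TaskType"] = $sectionInfo["XML_ID"] == "users_tasks" ? "user" : "group";
            $section["OwnerId"] = $section["TaskType"] == "user" ? $arResult["PROPERTY_TaskAssignedTo"] : $sectionInfo["XML_ID"];
        } else {
            $section["IBLOCK_SECTION_ID_PRINTABLE"][$sectionId] = $sectionInfo["NAME"];
        }
    }

    return $section;
}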
$arResult["Task"][$fieldKey] = array(); if (is_array($arFields[$fieldKey])) { foreach ($arFields[$fieldKey] as $v) { if (array_key_exists($v, $arField["Options"])) { $arResult["Task"][$fieldKey][$v] = $arField["Options"][$v]; } } } else { if (array_key_exists($arFields[$fieldKey], $arField["Options"])) { $arResult["Task"][$fieldKey][$arFields[$fieldKey]] = $arField["Options"][$arFields[$fieldKey]]; } } $arResult["Task"][$fieldKey . "_PRINTABLE"] = $arResult["Task"][$fieldKey]; } elseif ($arField["Type"] == "text") { if ($isInSecurity) { $filter = new CSecurityFilter(); if (is_array($arFields[$fieldKey])) { foreach ($arFields[$fieldKey] as $k => $v) { $arResult["Task"][$fieldKey][$k] = $filter->TestXSS($v); } } else { $arResult["Task"][$fieldKey] = $filter->TestXSS($arFields[$fieldKey]); } } else { if (is_array($arFields[$fieldKey])) { foreach ($arFields[$fieldKey] as $k => $v) { $arResult["Task"][$fieldKey][$k] = htmlspecialcharsbx($v); } } else { $arResult["Task"][$fieldKey] = htmlspecialcharsbx($arFields[$fieldKey]); }