/** * A string equality function that compares strings in a way that isn't suceptible to timing * attacks. An attacker can figure out the length of the string, but not the string's value. * * Use this when comparing two strings where: * - one string could be influenced by an attacker * - the other string contains data an attacker shouldn't know * * @param string $a * @param string $b * * @return bool */ public static function stringEquals($a, $b) { // Be strict with arguments. PHP's liberal types could get us pwned. if (func_num_args() !== 2) { throw new InvalidArgumentException("Expecting 2 args, got " . func_num_args() . "."); } Dropbox_Checker::argString("a", $a); Dropbox_Checker::argString("b", $b); if (strlen($a) !== strlen($b)) { return false; } $result = 0; for ($i = 0; $i < strlen($a); $i++) { $result |= ord($a[$i]) ^ ord($b[$i]); } return $result === 0; }
/** * Return the last component of a path (the file or folder name). * * <code> * Path::getName("/Misc/Notes.txt") // "Notes.txt" * Path::getName("/Misc") // "Misc" * Path::getName("/") // null * </code> * * @param string $path * The full path you want to get the last component of. * * @return null|string * The last component of <code>$path</code> or <code>null</code> if the given * <code>$path</code> was <code>"/"<code>. */ public static function getName($path) { Dropbox_Checker::argString("path", $path); if (substr_compare($path, "/", 0, 1) !== 0) { throw new InvalidArgumentException("'path' must start with \"/\""); } $l = strlen($path); if ($l === 1) { return null; } if ($path[$l - 1] === "/") { throw new InvalidArgumentException("'path' must not end with \"/\""); } $lastSlash = strrpos($path, "/"); return substr($path, $lastSlash + 1); }
/** * Perform an OAuth-2-authorized POST request to the Dropbox API. Will automatically * fill in "User-Agent" and "locale" as well. * * @param string $host * Either the "API" or "API content" hostname from {@link getHost()}. * @param string $path * The "path" part of the URL. For example, "/commit_chunked_upload". * @param array|null $params * POST parameters. * * @return Dropbox_HttpResponse * * @throws Dropbox_Exception */ public function doPost($host, $path, $params = null) { Dropbox_Checker::argString("host", $host); Dropbox_Checker::argString("path", $path); return Dropbox_RequestUtil::doPost($this->clientIdentifier, $this->accessToken, $this->userLocale, $host, $path, $params); }
/** * Call this after the user has visited the authorize URL ({@link start()}), approved your app, * and was redirected to your redirect URI. * * See <a href="https://www.dropbox.com/developers/core/docs#oa2-token">/oauth2/token</a>. * * @param array $queryParams * The query parameters on the GET request to your redirect URI. * * @return array * A <code>list(string $accessToken, string $userId, string $urlState)</code>, where * <code>$accessToken</code> can be used to construct a {@link Client}, <code>$userId</code> * is the user ID of the user's Dropbox account, and <code>$urlState</code> is the * value you originally passed in to {@link start()}. * * @throws Dropbox_Exception * Thrown if there's an error getting the access token from Dropbox. * @throws Dropbox_WebAuthException_BadRequest * @throws Dropbox_WebAuthException_BadState * @throws Dropbox_WebAuthException_Csrf * @throws Dropbox_WebAuthException_NotApproved * @throws Dropbox_WebAuthException_Provider * * */ public function finish($queryParams) { Dropbox_Checker::argArray("queryParams", $queryParams); $csrfTokenFromSession = $this->csrfTokenStore->get(); Dropbox_Checker::argStringOrNull("this->csrfTokenStore->get()", $csrfTokenFromSession); // Check well-formedness of request. if (!isset($queryParams['state'])) { throw new Dropbox_WebAuthException_BadRequest("Missing query parameter 'state'."); } $state = $queryParams['state']; Dropbox_Checker::argString("queryParams['state']", $state); $error = null; $errorDescription = null; if (isset($queryParams['error'])) { $error = $queryParams['error']; Dropbox_Checker::argString("queryParams['error']", $error); if (isset($queryParams['error_description'])) { $errorDescription = $queryParams['error_description']; Dropbox_Checker::argString("queryParams['error_description']", $errorDescription); } } $code = null; if (isset($queryParams['code'])) { $code = $queryParams['code']; Dropbox_Checker::argString("queryParams['code']", $code); } if ($code !== null && $error !== null) { throw new Dropbox_WebAuthException_BadRequest("Query parameters 'code' and 'error' are both set;" . " only one must be set."); } if ($code === null && $error === null) { throw new Dropbox_WebAuthException_BadRequest("Neither query parameter 'code' or 'error' is set."); } // Check CSRF token if ($csrfTokenFromSession === null) { throw new Dropbox_WebAuthException_BadState(); } $splitPos = strpos($state, "|"); if ($splitPos === false) { $givenCsrfToken = $state; $urlState = null; } else { $givenCsrfToken = substr($state, 0, $splitPos); $urlState = substr($state, $splitPos + 1); } if (!Dropbox_Security::stringEquals($csrfTokenFromSession, $givenCsrfToken)) { throw new Dropbox_WebAuthException_Csrf("Expected " . Dropbox_Client::q($csrfTokenFromSession) . ", got " . Dropbox_Client::q($givenCsrfToken) . "."); } $this->csrfTokenStore->clear(); // Check for error identifier if ($error !== null) { if ($error === 'access_denied') { // When the user clicks "Deny". if ($errorDescription === null) { throw new Dropbox_WebAuthException_NotApproved("No additional description from Dropbox."); } else { throw new Dropbox_WebAuthException_NotApproved("Additional description from Dropbox: {$errorDescription}"); } } else { // All other errors. $fullMessage = $error; if ($errorDescription !== null) { $fullMessage .= ": "; $fullMessage .= $errorDescription; } throw new Dropbox_WebAuthException_Provider($fullMessage); } } // If everything went ok, make the network call to get an access token. list($accessToken, $userId) = $this->_finish($code, $this->redirectUri); return array($accessToken, $userId, $urlState); }