private static function setPassAlgo_default($password, $salt, $complexity)
{
// Append a Hash-Specific Salt
$append = str_replace("\$", "", Security_Hash::random(27));
$complex = mt_rand(1, $complexity * $complexity);
// Create a randomized hash salt that will be saved with the final hash
$prep1 = substr(hash('sha512', $password . $salt . $append . $complex), 0, mt_rand(66, 86));
// Return the hash (Note: We're using base64_encode for optimization purposes)
return "default\$" . $complexity . "\$" . $append . "\$" . base64_encode(hash('sha512', $prep1 . $salt . $append . $complex, true));
}
private static function type_default($key, $encData)
{
// Can only send the first 32 characters of the key
$key = Security_Hash::value($key, 32, 64);
// Get the initialization vector (appends a public salt)
$vectorSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$vector = mcrypt_create_iv($vectorSize, MCRYPT_RAND);
// Encrypt the data
$encData = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $encData, MCRYPT_MODE_CBC, $vector);
return "|" . base64_encode($vector . $encData);
}
public static function type_default($key, $encryptedData)
{
// Only the first 32 characters of the key were sent, and done so with the Security_Hash::value method
$key = Security_Hash::value($key, 32, 64);
// Begin decryption
$encryptedData = base64_decode($encryptedData);
$vectorSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$vector = substr($encryptedData, 0, $vectorSize);
$encryptedData = substr($encryptedData, $vectorSize);
$decryptedData = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $encryptedData, MCRYPT_MODE_CBC, $vector);
// mcrypt pads the return string with nulls, so we need to trim the end
return rtrim($decryptedData, "");
}
public static function delete($cookieName)
{
// Prepare Values
$cookieName = Security_Hash::value($cookieName, 5, 62) . '-' . $cookieName;
$timestamp = time();
// Remove Global Cookie Values
if (isset($_COOKIE[$cookieName])) {
unset($_COOKIE[$cookieName]);
}
if (isset($_COOKIE[$cookieName . "_key"])) {
unset($_COOKIE[$cookieName . "_key"]);
}
// Cookie_Server vs. Cookie_Site differences
$domain = get_called_class() == "Cookie_Server" ? BASE_DOMAIN : FULL_DOMAIN;
// Remove desired Cookie and its associated key
setcookie($cookieName, "", $timestamp - 360000, "/", URL_PREFIX . $domain);
setcookie($cookieName . "_key", "", $timestamp - 360000, "/", URL_PREFIX . $domain);
}
public static function run()
{
// Check if the user agent matches up between page loads.
// If it doesn't, that's suspicious - let's destroy the session to avoid potential hijacking.
if (isset($_SESSION['user_agent'])) {
if ($_SERVER['HTTP_USER_AGENT'] !== $_SESSION['user_agent']) {
session_destroy();
}
} elseif (isset($_SERVER['HTTP_USER_AGENT'])) {
// Keep track of the current user agent
$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
}
// Prepare a session-based CSRF token if not present
// Note: if the user logs out (or times out), this will reset, causing existing pages to fail functionality.
if (!isset($_SESSION[SITE_HANDLE]['csrfToken'])) {
$_SESSION[SITE_HANDLE]['csrfToken'] = Security_Hash::random(64);
}
return true;
}
public static function submitted($uniqueIdentifier = "")
{
// Make sure all of the right data was sent
if (isset($_POST['formguard_key']) && isset($_POST['formguard_salt']) && isset($_POST['tos_soimportant']) && isset($_POST['human_answer'])) {
// Make sure the honeypots weren't tripped
if ($_POST['tos_soimportant'] != "") {
return false;
}
if ($_POST['human_answer'] != "") {
return false;
}
// Get Important Data
$keys = explode("-", $_POST['formguard_key'], 3);
// Prepare identifier that will make forms unique to each user
$uniqueIdentifier .= SITE_SALT;
// Add User Agent
$uniqueIdentifier .= isset($_SESSION['user_agent']) ? md5($_SESSION['user_agent']) : "";
// Add Auth Token
$uniqueIdentifier .= isset($_SESSION[SITE_HANDLE]['auth_token']) ? $_SESSION[SITE_HANDLE]['auth_token'] : "";
// Add CSRF Token
//$uniqueIdentifier .= (isset($_SESSION[SITE_HANDLE]['csrfToken']) ? $_SESSION[SITE_HANDLE]['csrfToken'] : "");
// Generate the Hash
$hash = Security_Hash::value($uniqueIdentifier . $_POST['formguard_salt'] . $keys[0] . $keys[1], 82, 72);
// Make sure the hash was valid
if ($keys[2] == $hash) {
// Prevent Most Accidental Resubmissions
$mini = substr($hash, 0, 10);
if (!isset($_SESSION[SITE_HANDLE]['trackForm'])) {
$_SESSION[SITE_HANDLE]['trackForm'] = '';
}
if (strpos($_SESSION[SITE_HANDLE]['trackForm'], "~" . $mini) !== false) {
return false;
}
$_SESSION[SITE_HANDLE]['trackForm'] = "~" . $mini . substr($_SESSION[SITE_HANDLE]['trackForm'], 0, 110);
// If the submission wasn't a resubmit, post it
return true;
}
}
return false;
}
public static function getData($origClickVal)
{
// Make sure all of the right data was sent
if (!isset($_GET['lslt']) or !isset($_GET['lhsh']) or !isset($_GET['lcv']) or !isset($_GET['ldata'])) {
return array();
}
/// Decode the prepared click value and confirm it matches
if (!($clickVal = base64_decode($_GET['lcv'])) or $origClickVal != $clickVal) {
return array();
}
// Prepare identifier that will make forms unique to each user
$siteSalt = SERVER_SALT;
// Add User Agent
$siteSalt .= isset($_SESSION['user_agent']) ? md5($_SESSION['user_agent']) : "";
// Add Auth Token
$siteSalt .= isset($_SESSION[SITE_HANDLE]['auth_token']) ? $_SESSION[SITE_HANDLE]['auth_token'] : "";
// Add CSRF Token
//$siteSalt .= (isset($_SESSION[SITE_HANDLE]['csrfToken']) ? $_SESSION[SITE_HANDLE]['csrfToken'] : "");
// Generate the Hash
$hash = Security_Hash::value($siteSalt . $_GET['lslt'] . $clickVal, 15, 62);
// Make sure the hash was valid
if ($_GET['lhsh'] == $hash) {
// Prevent Page Refreshes
if (!isset($_SESSION[SITE_HANDLE]['trackLink'])) {
$_SESSION[SITE_HANDLE]['trackLink'] = '';
}
if (strpos($_SESSION[SITE_HANDLE]['trackLink'], "~" . $hash) !== false) {
return array();
}
$_SESSION[SITE_HANDLE]['trackLink'] = "~" . $hash . substr($_SESSION[SITE_HANDLE]['trackLink'], 0, 110);
$someData = Security_Decrypt::run($hash, $_GET['ldata']);
// If the submission wasn't a resubmit, post it
return json_decode($someData, true);
}
return array();
}
This script will return the user to the last known "Return URL", which is the location that was previously stored by the user's session to identify where they should return to after a redirect.
This is most likely called after an attempt for automatically logging in to Auth that failed (due to Auth not being logged in).
*/
// Make sure the Return URL exists
if (!isset($_SESSION['login']['return_url'])) {
unset($_SESSION['login']);
header("Location: /");
exit;
}
// If you're already logged in, return to the Return URL
if (Me::$id) {
header("Location: /" . $_SESSION['login']['return_url']);
exit;
}
// Retrieve the Site Key
$apiData = API_Data::get("auth");
// Save the site handshake
$_SESSION['login']['handshake'] = Security_Hash::random(30, 62);
// Prepare Custom Data
$customData = array("handshake" => $_SESSION['login']['handshake']);
// If we're making an auto-login action, inform Auth so that it can react appropriately
if (isset($_GET['action']) and $_GET['action'] == "autolog") {
$customData['autolog'] = true;
}
// Create a query string with valid packet data
$queryStringPacket = API_PacketEncrypt::queryString($customData, $apiData['site_key']);
// Redirect to Auth's Automatic Login Page (Get credentials and return)
header("Location: " . $apiData['site_url'] . "/login-auto?" . $queryStringPacket);
exit;
private static function prepIndexHash($entityName, $entityID, $attribute)
{
return Security_Hash::value($entityName . $entityID . $attribute, 16);
}
public function handleFilename()
{
// Check if the extension used is allowed
if (!in_array($this->toExtension, $this->allowedExtensions)) {
Alert::error("Illegal Extension", "That file extension is not allowed.", 8);
$this->valid = false;
return false;
}
// If the image is provided a unique name (disregards original name)
if ($this->saveMode == self::MODE_UNIQUE) {
$saltLen = 4;
while ($saltLen++ < 11 && $saltLen <= $this->maxFilenameLength) {
$miscSalt = Security_Hash::random($saltLen, 62);
if (!File::exists($this->saveDirectory . '/' . $miscSalt . '.' . $this->toExtension)) {
$this->filename = $miscSalt;
return true;
}
}
Alert::error("File Name", "Ending due to naming availability being overly exhausted.");
$this->valid = false;
return false;
}
// Check if a file of the same name has been uploaded
if (File::exists($this->saveDirectory . '/' . $this->filename . '.' . $this->toExtension)) {
// Switch activity based on the image's save mode
switch ($this->saveMode) {
// If the image is to be overwritten
case self::MODE_OVERWRITE:
if (strlen($this->filename) > $this->maxFilenameLength) {
Alert::error("File Name Length", "The length of the image's filename has exceeded allowance.", 1);
$this->valid = false;
return false;
}
return true;
// If the image will be renamed if a naming conflict is caught
// If the image will be renamed if a naming conflict is caught
case self::MODE_RENAME:
$saltLen = 3;
while (true) {
$miscSalt = Security_Hash::random($saltLen, 62);
if (!File::exists($this->saveDirectory . '/' . substr($this->filename, $this->maxFilenameLength - $saltLen - 1) . '-' . $miscSalt . '.' . $this->toExtension)) {
$this->filename .= substr($this->filename, $this->maxFilenameLength - $saltLen - 1) . '-' . $miscSalt;
return true;
}
if ($saltLen++ > 7) {
Alert::error("File Name", "Ending due to file's naming convention being too highly consumed.");
$this->valid = false;
return false;
}
}
return true;
// If the image is to be named AS-IS, no changes allowed
// If the image is to be named AS-IS, no changes allowed
case self::MODE_STANDARD:
default:
Alert::error("File Name", "A file already exists with that name.");
$this->valid = false;
return false;
}
}
// Check if the filename is too long
if (strlen($this->filename) > $this->maxFilenameLength) {
Alert::error("File Name Length", "The length of the filename has exceeded allowance.", 1);
$this->valid = false;
return false;
}
return true;
}
public static function JSChat()
{
if (Me::$id) {
// Prepare Values
$jsEncrypt = Security_Hash::jsHash(Me::$vals['handle'], self::$jsData['key']);
$jsUser = Me::$vals['handle'];
$jsTime = microtime(true) - 90;
return '<script>var JSUser = "******"; var JSEncrypt = "' . $jsEncrypt . '"; var JSChatTime = ' . $jsTime . '; var JSProfilePic = "' . ProfilePic::image(Me::$id, "small") . '";</script>';
}
return '';
}
header("Location: /install/connect-handle");
exit;
}
// If the form was not submitted, set the $_POST values to the default configuration values.
// This will allow us to auto-fill the form with useful data, rather than leaving them all empty.
if (!isset($_POST['site-salt']) and isset(Config::$siteConfig['database'])) {
$_POST['site-salt'] = SITE_SALT;
$_POST['site-handle'] = SITE_HANDLE;
$_POST['site-url'] = SITE_URL;
$_POST['site-name'] = Config::$siteConfig['Site Name'];
$_POST['site-domain'] = FULL_DOMAIN;
$_POST['site-database-name'] = Database::$databaseName;
}
// Prepare Installation Values
$buildApp = "";
$randSalt = Security_Hash::random(82, 80);
$randSalt = str_replace('"', '', $randSalt);
$randSalt = str_replace('$', '', $randSalt);
// Prepare POST Values: make sure that every $_POST value has a default value provided.
$_POST['site-salt'] = isset($_POST['site-salt']) ? Sanitize::text($_POST['site-salt']) : $randSalt;
$_POST['site-handle'] = isset($_POST['site-handle']) ? Sanitize::variable($_POST['site-handle']) : "";
$_POST['site-url'] = isset($_POST['site-url']) ? Sanitize::variable($_POST['site-url'], ":/.") : $_SERVER['SERVER_NAME'];
$_POST['site-name'] = isset($_POST['site-name']) ? Sanitize::text($_POST['site-name']) : "";
$_POST['site-domain'] = isset($_POST['site-domain']) ? Sanitize::variable($_POST['site-domain'], ":/.") : "";
$_POST['site-database-name'] = isset($_POST['site-database-name']) ? Sanitize::variable($_POST['site-database-name']) : "";
// Run the Form
if (Form::submitted("install-app-config")) {
// Check if all of the input you sent is valid:
Validate::variable("Site Handle", $_POST['site-handle'], 3, 22);
Validate::safeword("Site Name", $_POST['site-name'], 3, 42);
Validate::url("URL", $_POST['site-url'], 3, 64);
// Check if the handle has already been taken
if (AppAccount::handleTaken($_POST['handle'])) {
Alert::error("Handle Taken", "That handle has already been taken", 1);
}
if (Database::selectOne("SELECT email FROM users WHERE email=? LIMIT 1", array($_POST['email']))) {
Alert::error("Email", "That email already exists.", 1);
}
// Final Validation Test
if (Validate::pass()) {
Database::startTransaction();
$uniID = 0;
// Check if the account already exists
if ($checkAuth = Database::selectValue("SELECT uni_id FROM users WHERE handle=? LIMIT 1", array($_POST['handle']))) {
$uniID = (int) $checkAuth;
} else {
if ($regSuccess = Database::query("INSERT INTO users (handle, display_name, email, password, date_joined, auth_token, verified) VALUES (?, ?, ?, ?, ?, ?, ?)", array($_POST['handle'], $_POST['display_name'], $_POST['email'], Security_HashPassword::set($_POST['password']), time(), Security_Hash::random(22, 72), 1))) {
$uniID = (int) Database::$lastID;
if (isset($_POST['send_email'])) {
// Email a verification letter
AppVerification::sendVerification($uniID);
Alert::success("Email Sent", "The account was created successfully! A verification email has been sent to " . $_POST['email'] . "!");
} else {
Alert::success("User Added", "The account was created successfully!");
}
}
}
// Create the account
if ($uniID) {
$pass = Database::query("INSERT INTO users_handles (handle, uni_id) VALUES (?, ?)", array($_POST['handle'], $uniID));
if (Database::endTransaction($pass)) {
// Create the ProfilePic for this Account
