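/**
 * Encoder constructor.
 *
 * Creates one instance of every Codec and builds the list of codecs that
 * canonicalize will try. When no list is supplied the HTML entity, JavaScript
 * and percent codecs are used; the CSS and VBScript codecs are deliberately
 * left out because they consume '/' and '"' characters respectively.
 *
 * @param array $_codecs An array of Codec instances which will be used for
 *                       canonicalization, or null for the default set.
 *
 * @throws InvalidArgumentException If $_codecs is neither null nor an array
 *                                  holding only Codec instances. This is a
 *                                  subclass of Exception, so existing
 *                                  catch (Exception $e) blocks still apply.
 *
 * @return does not return a value.
 */
public function __construct($_codecs = null)
{
    $this->logger = ESAPI::getAuditor('Encoder');

    // initialise codecs
    $this->_base64Codec = new Base64Codec();
    $this->_cssCodec = new CSSCodec();
    $this->_htmlCodec = new HTMLEntityCodec();
    $this->_javascriptCodec = new JavaScriptCodec();
    $this->_percentCodec = new PercentCodec();
    $this->_vbscriptCodec = new VBScriptCodec();
    $this->_xmlCodec = new XMLEntityCodec();

    // initialise array of codecs for use by canonicalize
    if ($_codecs === null) {
        array_push($this->_codecs, $this->_htmlCodec);
        array_push($this->_codecs, $this->_javascriptCodec);
        array_push($this->_codecs, $this->_percentCodec);
        // leaving css and vbs codecs out - they eat / and " chars respectively
        return;
    }

    // Same exception type as the sibling Encoder constructor that takes $codecs,
    // so callers can handle argument errors uniformly.
    if (!is_array($_codecs)) {
        throw new InvalidArgumentException('Invalid Argument. Codec list must be of type Array.');
    }
    // check array contains only codec instances
    foreach ($_codecs as $codec) {
        if (!($codec instanceof Codec)) {
            throw new InvalidArgumentException('Invalid Argument. Codec list must contain only Codec instances.');
        }
    }
    $this->_codecs = array_merge($this->_codecs, $_codecs);
}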
/**
 * Instantiates a new intrusion exception.
 *
 * The user message goes to the parent exception, the log message is stored
 * on the instance and an "INTRUSION - " entry carrying it is written at
 * error level through the "IntrusionException" auditor.
 *
 * @param string $userMessage The message displayed to the user
 * @param string $logMessage  the message logged
 *
 * @return does not return a value.
 */
public function __construct($userMessage = '', $logMessage = '')
{
    parent::__construct($userMessage);
    $this->logMessage = $logMessage;

    $auditor = ESAPI::getAuditor('IntrusionException');
    // second argument: presumably the "success" flag of the event - confirm against DefaultAuditor::error
    $auditor->error(DefaultAuditor::SECURITY, false, 'INTRUSION - ' . $logMessage);
}
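/**
 * Constructor sets-up the validation rule with a descriptive name for this
 * validator, an optional Encoder instance (for canonicalization) and an
 * optional whitelist regex pattern to validate the input against prior to
 * HTML purification.
 * An instance of the HTMLPurifier class is created and stored too.
 *
 * @param string $typeName         descriptive name for this validator.
 * @param object $encoder          providing canonicalize method.
 * @param string $whitelistPattern Whitelist regex.
 *
 * @throws ValidationException If HTMLPurifier cannot be instantiated; the
 *                             log message names the caught exception class
 *                             and its message.
 *
 * @return does not return a value.
 */
public function __construct($typeName, $encoder = null, $whitelistPattern = null)
{
    parent::__construct($typeName, $encoder);
    $this->_auditor = ESAPI::getAuditor('HTMLValidationRule');

    // NOTE(review): $whitelistPattern is accepted but neither stored nor passed
    // to the parent here - confirm whether the base rule is meant to receive it.

    try {
        $this->_purifier = new HTMLPurifier($this->_basicConfig());
    } catch (Exception $e) {
        // getMessage() must be called: reading it as a property yields an
        // undefined-property notice and drops the cause from the log entry.
        // get_class() names the real exception type (gettype() is always 'object').
        throw new ValidationException(
            'Could not initialize HTMLPurifier.',
            'Caught ' . get_class($e) . ' attempting to instantiate HTMLPurifier: ' . $e->getMessage(),
            'HTMLValidationRule->construct'
        );
    }
}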
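/**
 * Creates a new instance of EnterpriseSecurityException.
 *
 * The user message is handed to the parent Exception (an empty user message
 * becomes null). The log message is only stored here for later retrieval.
 * Unless intrusion detection is disabled in the security configuration, the
 * new exception is registered with the intrusion detector.
 *
 * @param string $userMessage The message displayed to the user
 * @param string $logMessage  the message logged
 */
public function __construct($userMessage = '', $logMessage = '')
{
    // empty() also treats '0' as empty; kept as-is for backward compatibility.
    if (empty($userMessage)) {
        $userMessage = null;
    }
    parent::__construct($userMessage);

    $this->logMessage = $logMessage;
    $this->logger = ESAPI::getAuditor('EnterpriseSecurityException');

    if (!ESAPI::getSecurityConfiguration()->getDisableIntrusionDetection()) {
        ESAPI::getIntrusionDetector()->addException($this);
    }
}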
/**
 * Constructor sets-up the validation rule with a descriptive name for this
 * validator, an optional Encoder instance (for canonicalization) and an
 * optional whitelist regex pattern.
 *
 * Only the type name and encoder are passed to the parent rule; an auditor
 * named "EmailAddressValidationRule" is stored for logging. $whitelistPattern
 * is not used by this constructor.
 *
 * @param string $typeName         descriptive name for this validator.
 * @param object $encoder          object providing canonicalize method.
 * @param string $whitelistPattern Whitelist regex.
 *
 * @return does not return a value.
 */
public function __construct($typeName, $encoder = null, $whitelistPattern = null)
{
    parent::__construct($typeName, $encoder);
    $this->_auditor = ESAPI::getAuditor('EmailAddressValidationRule');
}
/**
 * Helper function: logs $msg as a SECURITY warning through the
 * 'DefaultSecurityConfiguration' auditor.
 *
 * @param string $msg Message to log.
 *
 * @return does not return a value.
 */
private function _logSpecial($msg)
{
    $auditor = ESAPI::getAuditor('DefaultSecurityConfiguration');
    // second argument: presumably the event's "success" flag - confirm against Auditor::warning
    $auditor->warning(Auditor::SECURITY, false, $msg);
}
/**
 * _addString is called by addEncodedString or addUnencodedString and appends
 * Codec input to the buffer one character at a time. The first time the
 * buffer is written it is prefixed with a short trace of the caller.
 *
 * Nothing is done unless tracing is enabled, the CD_LOG auditor has debug
 * enabled and recursion is currently allowed.
 *
 * @param string $string is a UTF-32 encoded string.
 *
 * @return null
 */
private function _addString($string)
{
    if (!$this->_enabled) {
        return;
    }
    if (!ESAPI::getAuditor(CD_LOG)->isDebugEnabled() || !$this->_allowRecurse) {
        return;
    }

    // first write: describe the caller, falling back to the verb when the
    // trace cannot be produced
    if ($this->_buf === null) {
        try {
            $caller = $this->_shortTrace();
        } catch (Exception $e) {
            $caller = $this->_verb . 'ing';
        }
        $this->_buf = $caller . ":\n";
    }

    // add the string, char by char
    $charCount = mb_strlen($string, 'UTF-32');
    if ($charCount == 0) {
        $this->_addNormalized('');
        return;
    }
    for ($pos = 0; $pos < $charCount; $pos++) {
        $this->_addNormalized(mb_substr($string, $pos, 1, 'UTF-32'));
    }
}
/**
 * Stores the 'DefaultHTTPUtilities' auditor for logging and the ESAPI
 * validator for later use.
 */
public function __construct()
{
    $this->_auditor = ESAPI::getAuditor('DefaultHTTPUtilities');
    $this->_validator = ESAPI::getValidator();
}
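/**
 * Constructor stores an instance of Auditor for logging and initialises the
 * storage for events generated for a user.
 *
 * Visibility is declared explicitly (it was implicit public before).
 *
 * @return null
 */
public function __construct()
{
    $this->_auditor = ESAPI::getAuditor('IntrusionDetector');
    // per-user event store; populated elsewhere in this class
    $this->_userEvents = array();
}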
/**
 * Validator constructor.
 *
 * Stores the 'DefaultValidator' auditor and the ESAPI encoder, and builds a
 * separate encoder for file-related validation that canonicalizes only with
 * the HTML entity and percent codecs.
 *
 * @return does not return a value.
 */
public function __construct()
{
    $this->_auditor = ESAPI::getAuditor('DefaultValidator');
    $this->_encoder = ESAPI::getEncoder();

    $fileCodecs = array(new HTMLEntityCodec(), new PercentCodec());
    $this->_fileValidator = new DefaultEncoder($fileCodecs);
}
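/**
 * Add a reCaptcha element to the form assuming that:
 *   o we have an ini file
 *   o the 'use' options is not set to 'off'
 *   o the 'use' option is set to 'on', and conditionallyUseCaptcha is not
 *     false.
 *
 * The configured key pairs are scanned for one whose 'domain' matches this
 * host ({@see _matchDomainName}); its public and private keys are handed to
 * Zend_Service_ReCaptcha. A key pair without a domain, or no key pair for
 * this host, is logged as a SECURITY error and leaves the form without a
 * captcha.
 *
 * @return null
 */
public function setCaptcha()
{
    $bootstrap = Zend_Controller_Front::getInstance()->getParam('bootstrap');
    $captchaConfigLoc = $bootstrap->getOption('captchaconfigloc');

    // return if captcha should not be used.
    if (empty($captchaConfigLoc)) {
        return;
    }
    $captchaConfig = new Zend_Config_Ini($captchaConfigLoc, APPLICATION_ENV, false);
    if (!($captchaConfig instanceof Zend_Config)) {
        return;
    }

    // The cast keeps strtolower() off a null 'use' value (treated as '', which
    // neither disables nor conditionally disables the captcha). Parentheses
    // make the && / || grouping explicit.
    $use = strtolower((string) $captchaConfig->recaptcha->use);
    if ($use === 'off' || ($use === 'on' && $this->_conditionallyUseCaptcha === false)) {
        return;
    }

    // Recaptcha key pairs can be used at a single domain (and subdomains).
    // See if there are multiple key pairs (one per domain) and select the
    // correct pair. {@see _matchDomainName}
    $keyConfig = null;
    foreach ($captchaConfig->recaptcha as $name => $keypair) {
        // strict comparison: a loose == would match an integer key 0 on PHP < 8
        if ($name === 'use') {
            continue;
        }
        if (!isset($keypair->domain)) {
            ESAPI::getAuditor('Form_Contact')->error(Auditor::SECURITY, false, 'Misconfiguration in captcha.ini - missing domain name from key pair set - Captcha Not Initialised!');
            return;
        }
        if ($this->_matchDomainName($keypair->domain) === true) {
            $keyConfig = $keypair;
            break;
        }
    }
    if (!($keyConfig instanceof Zend_Config)) {
        ESAPI::getAuditor('Form_Contact')->error(Auditor::SECURITY, false, 'Misconfiguration in captcha.ini - could not find key pairs for this host - Captcha Not Initialised!');
        return;
    }

    $service = new Zend_Service_ReCaptcha($keyConfig->publicKey, $keyConfig->privateKey);
    $this->addElement(new Zend_Form_Element_Captcha('challenge', array(
        'order' => 750,
        'captcha' => 'ReCaptcha',
        'captchaOptions' => array(
            'captcha' => 'ReCaptcha',
            'service' => $service,
        ),
    )));
}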
$util->killAllCookies($req); $view .= '<p>The response should have requested your User Agent to delete your cookies. Let us see if it will honour that request.'; $view .= " <a href=\"{$uri}?req=test2\">click me!</a></p>"; } elseif ($req->getParameter('req') == 'test2') { $view .= '<p>Cookies received in that request: '; $view .= ESAPI::getEncoder()->encodeForHTML(print_r($req->getCookies(), true)); $view .= '</p>'; $view .= '<p>'; if ($req->getCookie('testcookie') === null) { $view .= 'It worked! testcookie was not received in that request.'; } else { $view .= 'It did not work. testcookie was received in that request.'; } $view .= '</p>'; $tests['cookie'] .= ' - DONE'; $a = ESAPI::getAuditor('HTTPUtilsExtraTests'); $log = $util->logHTTPRequest($req, $a); $logO = $util->logHTTPRequestObfuscate($req, $a, array('req')); $view .= '<p>Please check the ESAPI Auditor logfile for two INFO entries which log that request. The second entry will contain the obfuscated "req" parameter.'; $view .= '</p>'; $tests['log'] .= ' - DONE'; $tests['logo'] .= ' - DONE'; session_destroy(); } else { $href = $util->addCSRFToken("{$uri}?req=test1"); $view .= '<p>testcookie has been set with a value \'testcookieValue\'. now <a href="'; $view .= $href; $view .= '">click me</a> to have it deleted. (Please ensure logging is on before you continue!)</p>'; setcookie('testcookie', 'testcookieValue'); } $view .= '<p>Under Test:</p>';
/**
 * Validates the POST half of a double submit cookie against the COOKIE half
 * and both against string length and character set constraints.
 *
 * Both halves are canonicalized before the length and charset checks. The
 * first failing check is recorded with _error() and logged as a SECURITY
 * warning using the matching message template; only when every check passes
 * and the two halves are identical is true returned.
 *
 * @param string $value The POST half of a double submit cookie from, for
 *                      example a hidden HTML form field.
 *
 * @return bool True when both halves are well-formed and identical,
 *              otherwise false.
 */
public function isValid($value)
{
    $auditor = ESAPI::getAuditor('App_Validate_Token');

    $postToken = ESAPI::getEncoder()->canonicalize($value, false);
    $this->_setValue($postToken);

    $lengthCheck = new Zend_Validate_StringLength($this->_expectedLen, $this->_expectedLen);

    $failure = null;
    if ($lengthCheck->isValid($postToken) !== true) {
        $failure = self::POST_BAD_LENGTH;
    } else {
        $charsetCheck = new Custom_Validate_Charset($this->_expectedCharset);
        if ($charsetCheck->isValid($postToken) !== true) {
            $failure = self::POST_BAD_CHARSET;
        }
    }

    if ($failure === null) {
        $request = Zend_Controller_Front::getInstance()->getRequest();
        $cookieToken = ESAPI::getEncoder()->canonicalize($request->getCookie($this->_cookieName), false);

        if ($cookieToken === null) {
            $failure = self::MISSING_COOKIE;
        } elseif ($lengthCheck->isValid($cookieToken) !== true) {
            $failure = self::COOKIE_BAD_LENGTH;
        } elseif ($charsetCheck->isValid($cookieToken) !== true) {
            $failure = self::COOKIE_BAD_CHARSET;
        } else {
            // NOTE(review): Zend_Validate_Identical is not a constant-time
            // comparison; hash_equals() would be, if both halves are known to
            // be strings at this point - confirm before changing.
            $sameAsPost = new Zend_Validate_Identical($this->_value);
            if ($sameAsPost->isValid($cookieToken) !== true) {
                $failure = self::TOKENS_DIFFER;
            }
        }
    }

    if ($failure !== null) {
        $this->_error($failure);
        $auditor->warning(Auditor::SECURITY, false, $this->_messageTemplates[$failure]);
        return false;
    }
    return true;
}
/**
 * Encoder constructor.
 *
 * Instantiates every Codec and builds the list used by canonicalize: either
 * the supplied array of Codec instances (appended to the existing list) or,
 * when null, the HTML entity, JavaScript and percent codecs. The CSS and
 * VBScript codecs are not part of the default list because they eat '/' and
 * '"' characters respectively.
 *
 * @param array $codecs An array of Codec instances which will be used for
 *                      canonicalization.
 *
 * @throws InvalidArgumentException When $codecs is not null and is either
 *                                  not an array or contains a non-Codec.
 *
 * @return does not return a value.
 */
public function __construct($codecs = null)
{
    $this->logger = ESAPI::getAuditor('Encoder');

    // initialise codecs
    $this->_base64Codec = new Base64Codec();
    $this->_cssCodec = new CSSCodec();
    $this->_htmlCodec = new HTMLEntityCodec();
    $this->_javascriptCodec = new JavaScriptCodec();
    $this->_percentCodec = new PercentCodec();
    $this->_vbscriptCodec = new VBScriptCodec();
    $this->_xmlCodec = new XMLEntityCodec();

    // default list for canonicalize
    if ($codecs === null) {
        array_push($this->_codecs, $this->_htmlCodec);
        array_push($this->_codecs, $this->_javascriptCodec);
        array_push($this->_codecs, $this->_percentCodec);
        // leaving css and vbs codecs out - they eat / and " chars respectively
        return;
    }

    if (!is_array($codecs)) {
        throw new InvalidArgumentException('Expected the $codecs array parameter to be an array of instances of Codec.');
    }
    // check array contains only codec instances
    foreach ($codecs as $candidate) {
        if (!($candidate instanceof Codec)) {
            throw new InvalidArgumentException('Expected every member of the $codecs array parameter to be an instance of Codec.');
        }
    }
    $this->_codecs = array_merge($this->_codecs, $codecs);
}
/**
 * SafeRequest can be forced to use the supplied cookies, headers and server
 * globals by passing an array containing the following keys: 'cookies',
 * 'headers', 'env'. The values for each of the keys should be an associative
 * array e.g. 'headers' => array('REQUEST_METHOD' => 'GET').
 * If any of the three options keys are not supplied then those elements will be
 * extracted from the actual request.
 *
 * Supplied cookies and headers go through _validateCookies / _validateHeaders
 * and supplied server globals through _canonicalizeServerGlobals before being
 * stored; the encoder used for that canonicalizes with the HTML entity and
 * percent codecs only.
 *
 * TODO accept a string like: 'GET / HTTP/1.1\r\nHost:example.com\r\n\r\n'
 * TODO accept GET and REQUEST parameters.
 *
 * @param NULL|array $options Array (optional) of HTTP Request elements.
 */
public function __construct($options = null)
{
    $canonicalizers = array(new HTMLEntityCodec(), new PercentCodec());
    $this->_encoder = new DefaultEncoder($canonicalizers);
    $this->_auditor = ESAPI::getAuditor('SafeRequest');
    $this->_validator = ESAPI::getValidator();

    // is_array(null) is false, so a null $options falls through untouched
    if (!is_array($options)) {
        return;
    }
    // array_key_exists (not isset) so that an explicit null value still counts as supplied
    if (array_key_exists('cookies', $options)) {
        $this->_cookies = $this->_validateCookies($options['cookies']);
    }
    if (array_key_exists('headers', $options)) {
        $this->_headers = $this->_validateHeaders($options['headers']);
    }
    if (array_key_exists('env', $options)) {
        $this->_serverGlobals = $this->_canonicalizeServerGlobals($options['env']);
    }
}
/**
 * Executor constructor: stores the 'Executor' auditor and the ESAPI security
 * configuration.
 *
 * @return does not return a value.
 */
public function __construct()
{
    $this->_auditor = ESAPI::getAuditor('Executor');
    $this->_config = ESAPI::getSecurityConfiguration();
}
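/**
 * Validates the input string against a list of valid recipients.
 *
 * The input is canonicalized (rejecting double or mixed encoding), lower
 * cased and compared with every configured recipient's 'display' value, both
 * as-is and with spaces removed. A match on a dummy recipient is reported as
 * DUMMY_RECIPIENT; no match at all is logged as a SECURITY warning and
 * reported as INVALID_RECIPIENT.
 *
 * @param string $input The input to be validated as a recipient.
 *
 * @return bool True if input string is a valid recipient, otherwise
 *              False.
 */
public function isValid($input)
{
    $auditor = ESAPI::getAuditor('App_Validate_Recipient');
    if (!is_string($input)) {
        $auditor->warning(Auditor::SECURITY, false, 'isValid expects a string!');
        $this->_error(self::INVALID);
        return false;
    }
    if ($this->_recipients instanceof Zend_Config !== true) {
        $this->_error(self::INVALID_RECIPIENT);
        $auditor->warning(Auditor::SECURITY, false, 'isValid requires an array of recipients!');
        return false;
    }
    $encoder = ESAPI::getEncoder();

    // canonicalise the input string.
    $canonical = null;
    try {
        $canonical = $encoder->canonicalize($input, true);
    } catch (Exception $e) {
        // Process the input no further.
        $this->_error(self::INVALID_RECIPIENT);
        $auditor->warning(Auditor::SECURITY, false, 'isValid rejected a string in which double or mixed encoding was detected.', $e);
        return false;
    }

    // Convert input to lower case. mb_detect_encoding() returns false when no
    // encoding can be determined; rather than handing false to mb_strtolower()
    // the input is rejected (fail closed).
    $charEnc = mb_detect_encoding($canonical);
    if ($charEnc === false) {
        $this->_error(self::INVALID);
        $auditor->warning(Auditor::SECURITY, false, 'isValid could not detect the character encoding of the input.');
        return false;
    }
    $canonicalLower = mb_strtolower($canonical, $charEnc);

    // Get a whitespace removal filter
    $whitespace = new Zend_Filter_PregReplace(array('match' => '/ /', 'replace' => ''));
    // for each of our valid recipients use an identical validator
    // to determine whether $canonical matches.
    $validator = new Zend_Validate_Identical();
    foreach ($this->_recipients as $_ => $cfg) {
        foreach ($cfg as $key => $validRecipient) {
            if ($key !== 'display') {
                continue;
            }
            if ($this->_matchesRecipientForm($validator, $whitespace, $validRecipient, $canonicalLower)) {
                return true;
            }
        }
    }

    // if that fails, the form has been tampered with or a dummy option has
    // been selected - check for the latter of these now:
    foreach ($this->_dummyRecipients as $dummy => $value) {
        if ($this->_matchesRecipientForm($validator, $whitespace, $dummy, $canonicalLower)) {
            $this->_error(self::DUMMY_RECIPIENT);
            return false;
        }
    }

    // NOTE(review): the canonicalized input is interpolated into the audit
    // entry; confirm the auditor neutralises line breaks before relying on
    // this for log review.
    $auditor->warning(Auditor::SECURITY, false, "isValid. Input [{$canonicalLower}] is not a valid recipient.");
    $this->_error(self::INVALID_RECIPIENT);
    return false;
}

/**
 * Compares $subject with the lower-cased form of $candidate, first as-is and
 * then with spaces removed, using the supplied identical validator.
 *
 * @param Zend_Validate_Identical $validator  Reused validator; its token is overwritten.
 * @param Zend_Filter_PregReplace $whitespace Filter that strips spaces.
 * @param mixed                   $candidate  Configured recipient value (cast to string).
 * @param string                  $subject    Lower-cased canonical input.
 *
 * @return bool True on a match; false on no match or when the encoding of
 *              $candidate cannot be detected.
 */
private function _matchesRecipientForm($validator, $whitespace, $candidate, $subject)
{
    $candidate = $candidate . '';
    $charEnc = mb_detect_encoding($candidate);
    if ($charEnc === false) {
        return false;
    }
    $lower = mb_strtolower($candidate, $charEnc);

    $validator->setToken($lower);
    if ($validator->isValid($subject)) {
        return true;
    }
    $validator->setToken($whitespace->filter($lower));
    return $validator->isValid($subject) ? true : false;
}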
/**
 * Changing the level of one auditor must not change the level of another:
 * with the test logger set to OFF and a second auditor ('test_num2') set to
 * INFO, only the second should report INFO as enabled.
 */
public function testSetLevelMultipleLogsExpectedTrue()
{
    $otherLogger = ESAPI::getAuditor('test_num2');
    $this->testLogger->setLevel(Auditor::OFF);
    $otherLogger->setLevel(Auditor::INFO);

    $firstInfoEnabled = $this->testLogger->isInfoEnabled();
    $otherInfoEnabled = $otherLogger->isInfoEnabled();
    $this->assertTrue(!$firstInfoEnabled && $otherInfoEnabled);
}
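/**
 * Public Constructor.
 *
 * Obtains the "Base64" auditor. The instance is not stored: the call is kept
 * only for whatever registration ESAPI::getAuditor performs (as the bootstrap
 * script does for 'Bootstrap'), so the former unused local was dropped.
 */
public function __construct()
{
    ESAPI::getAuditor('Base64');
}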
/**
 * The router is set to /action and this segment of the url is overloaded
 * so that /someRecipient is also valid. This __call method is invoked
 * whenever this segment of the url is not a defined action and in these
 * cases, the $actionMethod may be a valid recipient. These are trapped
 * here and, if valid, the request is re-dispatched to the index action to
 * which we pass a recipient parameter.
 * If a valid recipient is not found then execution is passed to the parent
 * __call method.
 *
 * The candidate recipient is only accepted after Custom_Validate_ValidRecipient
 * has validated it against the configured recipients; anything else falls
 * through to the parent.
 *
 * @param string $actionMethod Url segment.
 * @param array  $args         Request arguments.
 *
 * @return null
 */
public function __call($actionMethod, $args)
{
    ESAPI::getAuditor('IndexController');

    // Non-string names are not anticipated, and with fewer than two
    // recipients there is nothing to trap: let the parent handle both.
    if (!is_string($actionMethod) || $this->_recipientsConfig->count() < 2) {
        return parent::__call($actionMethod, $args);
    }

    // Strip the trailing 'Action' from the method name.
    $encoding = mb_detect_encoding($actionMethod);
    $nameLen = mb_strlen($actionMethod, $encoding);
    $suffix = mb_substr($actionMethod, $nameLen - 6, 6, $encoding);
    $candidate = ($suffix == 'Action')
        ? mb_substr($actionMethod, 0, $nameLen - 6, $encoding)
        : $actionMethod;

    // Validate the possible recipient and, if valid, add a 'recipient'
    // request param and continue on to the indexAction of this controller.
    $recipientValidator = new Custom_Validate_ValidRecipient($this->_recipientsConfig);
    if (!$recipientValidator->isValid($candidate)) {
        return parent::__call($actionMethod, $args);
    }
    $this->_request->setActionName('index');
    $this->_request->setParams(array('recipient' => $candidate, 'action' => 'index'));
    $this->_request->setDispatched(false);
    return;
}
* Index. This is the public script through which all requests for the contact * application will be routed. * * @category Simple-PHP-Contact-Form * @package Public * @author jah <*****@*****.**> * @copyright 2010 jah <*****@*****.**> * @license New BSD License {@see LICENSE} * @version Release: @package_version@ * @link http://code.google.com/p/simple-php-contact-form/ */ // Define path to application directory defined('APPLICATION_PATH') || define('APPLICATION_PATH', realpath(dirname(__FILE__) . '/../application')); // Define path to library directory (not application/library/) defined('LIBRARY_PATH') || define('LIBRARY_PATH', realpath(dirname(__FILE__) . '/../library')); // Define path to this directory defined('PUBLIC_ROOT') || define('PUBLIC_ROOT', dirname($_SERVER['PHP_SELF']) == '\\' || dirname($_SERVER['PHP_SELF']) == '/' ? '/' : dirname($_SERVER['PHP_SELF']) . '/'); // Define application environment defined('APPLICATION_ENV') || define('APPLICATION_ENV', getenv('APPLICATION_ENV') ? getenv('APPLICATION_ENV') : 'production'); // Ensure application/library is on include_path set_include_path(implode(PATH_SEPARATOR, array(LIBRARY_PATH, realpath(APPLICATION_PATH . '/library'), get_include_path()))); /* ESAPI */ require_once LIBRARY_PATH . '/ESAPI/src/ESAPI.php'; global $ESAPI; $ESAPI = new ESAPI(APPLICATION_PATH . '/configs/ESAPI.xml'); ESAPI::getAuditor('Bootstrap'); /* Zend_Application */ require_once 'Zend/Application.php'; // Create application, bootstrap, and run $application = new Zend_Application(APPLICATION_ENV, APPLICATION_PATH . '/configs/application.ini'); $application->bootstrap()->run();
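/**
 * Validator constructor: stores the 'DefaultValidator' auditor and the ESAPI
 * encoder.
 *
 * The former `global $ESAPI;` declaration was dead (the variable was never
 * read here) and has been removed; both values come from ESAPI's static
 * accessors.
 *
 * @return does not return a value.
 */
public function __construct()
{
    $this->_auditor = ESAPI::getAuditor('DefaultValidator');
    $this->_encoder = ESAPI::getEncoder();
}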
/**
 * Initialises logging by storing the 'App_Helper_SendMail' auditor.
 *
 * @return null
 */
public function __construct()
{
    $this->_auditor = ESAPI::getAuditor('App_Helper_SendMail');
}