private static function setPassAlgo_default($password, $salt, $complexity) { // Append a Hash-Specific Salt $append = str_replace("\$", "", Security_Hash::random(27)); $complex = mt_rand(1, $complexity * $complexity); // Create a randomized hash salt that will be saved with the final hash $prep1 = substr(hash('sha512', $password . $salt . $append . $complex), 0, mt_rand(66, 86)); // Return the hash (Note: We're using base64_encode for optimization purposes) return "default\$" . $complexity . "\$" . $append . "\$" . base64_encode(hash('sha512', $prep1 . $salt . $append . $complex, true)); }
private static function type_default($key, $encData) { // Can only send the first 32 characters of the key $key = Security_Hash::value($key, 32, 64); // Get the initialization vector (appends a public salt) $vectorSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); $vector = mcrypt_create_iv($vectorSize, MCRYPT_RAND); // Encrypt the data $encData = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $encData, MCRYPT_MODE_CBC, $vector); return "|" . base64_encode($vector . $encData); }
public static function type_default($key, $encryptedData) { // Only the first 32 characters of the key were sent, and done so with the Security_Hash::value method $key = Security_Hash::value($key, 32, 64); // Begin decryption $encryptedData = base64_decode($encryptedData); $vectorSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); $vector = substr($encryptedData, 0, $vectorSize); $encryptedData = substr($encryptedData, $vectorSize); $decryptedData = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $encryptedData, MCRYPT_MODE_CBC, $vector); // mcrypt pads the return string with nulls, so we need to trim the end return rtrim($decryptedData, ""); }
public static function delete($cookieName) { // Prepare Values $cookieName = Security_Hash::value($cookieName, 5, 62) . '-' . $cookieName; $timestamp = time(); // Remove Global Cookie Values if (isset($_COOKIE[$cookieName])) { unset($_COOKIE[$cookieName]); } if (isset($_COOKIE[$cookieName . "_key"])) { unset($_COOKIE[$cookieName . "_key"]); } // Cookie_Server vs. Cookie_Site differences $domain = get_called_class() == "Cookie_Server" ? BASE_DOMAIN : FULL_DOMAIN; // Remove desired Cookie and its associated key setcookie($cookieName, "", $timestamp - 360000, "/", URL_PREFIX . $domain); setcookie($cookieName . "_key", "", $timestamp - 360000, "/", URL_PREFIX . $domain); }
public static function run() { // Check if the user agent matches up between page loads. // If it doesn't, that's suspicious - let's destroy the session to avoid potential hijacking. if (isset($_SESSION['user_agent'])) { if ($_SERVER['HTTP_USER_AGENT'] !== $_SESSION['user_agent']) { session_destroy(); } } elseif (isset($_SERVER['HTTP_USER_AGENT'])) { // Keep track of the current user agent $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT']; } // Prepare a session-based CSRF token if not present // Note: if the user logs out (or times out), this will reset, causing existing pages to fail functionality. if (!isset($_SESSION[SITE_HANDLE]['csrfToken'])) { $_SESSION[SITE_HANDLE]['csrfToken'] = Security_Hash::random(64); } return true; }
public static function submitted($uniqueIdentifier = "") { // Make sure all of the right data was sent if (isset($_POST['formguard_key']) && isset($_POST['formguard_salt']) && isset($_POST['tos_soimportant']) && isset($_POST['human_answer'])) { // Make sure the honeypots weren't tripped if ($_POST['tos_soimportant'] != "") { return false; } if ($_POST['human_answer'] != "") { return false; } // Get Important Data $keys = explode("-", $_POST['formguard_key'], 3); // Prepare identifier that will make forms unique to each user $uniqueIdentifier .= SITE_SALT; // Add User Agent $uniqueIdentifier .= isset($_SESSION['user_agent']) ? md5($_SESSION['user_agent']) : ""; // Add Auth Token $uniqueIdentifier .= isset($_SESSION[SITE_HANDLE]['auth_token']) ? $_SESSION[SITE_HANDLE]['auth_token'] : ""; // Add CSRF Token //$uniqueIdentifier .= (isset($_SESSION[SITE_HANDLE]['csrfToken']) ? $_SESSION[SITE_HANDLE]['csrfToken'] : ""); // Generate the Hash $hash = Security_Hash::value($uniqueIdentifier . $_POST['formguard_salt'] . $keys[0] . $keys[1], 82, 72); // Make sure the hash was valid if ($keys[2] == $hash) { // Prevent Most Accidental Resubmissions $mini = substr($hash, 0, 10); if (!isset($_SESSION[SITE_HANDLE]['trackForm'])) { $_SESSION[SITE_HANDLE]['trackForm'] = ''; } if (strpos($_SESSION[SITE_HANDLE]['trackForm'], "~" . $mini) !== false) { return false; } $_SESSION[SITE_HANDLE]['trackForm'] = "~" . $mini . substr($_SESSION[SITE_HANDLE]['trackForm'], 0, 110); // If the submission wasn't a resubmit, post it return true; } } return false; }
public static function getData($origClickVal) { // Make sure all of the right data was sent if (!isset($_GET['lslt']) or !isset($_GET['lhsh']) or !isset($_GET['lcv']) or !isset($_GET['ldata'])) { return array(); } /// Decode the prepared click value and confirm it matches if (!($clickVal = base64_decode($_GET['lcv'])) or $origClickVal != $clickVal) { return array(); } // Prepare identifier that will make forms unique to each user $siteSalt = SERVER_SALT; // Add User Agent $siteSalt .= isset($_SESSION['user_agent']) ? md5($_SESSION['user_agent']) : ""; // Add Auth Token $siteSalt .= isset($_SESSION[SITE_HANDLE]['auth_token']) ? $_SESSION[SITE_HANDLE]['auth_token'] : ""; // Add CSRF Token //$siteSalt .= (isset($_SESSION[SITE_HANDLE]['csrfToken']) ? $_SESSION[SITE_HANDLE]['csrfToken'] : ""); // Generate the Hash $hash = Security_Hash::value($siteSalt . $_GET['lslt'] . $clickVal, 15, 62); // Make sure the hash was valid if ($_GET['lhsh'] == $hash) { // Prevent Page Refreshes if (!isset($_SESSION[SITE_HANDLE]['trackLink'])) { $_SESSION[SITE_HANDLE]['trackLink'] = ''; } if (strpos($_SESSION[SITE_HANDLE]['trackLink'], "~" . $hash) !== false) { return array(); } $_SESSION[SITE_HANDLE]['trackLink'] = "~" . $hash . substr($_SESSION[SITE_HANDLE]['trackLink'], 0, 110); $someData = Security_Decrypt::run($hash, $_GET['ldata']); // If the submission wasn't a resubmit, post it return json_decode($someData, true); } return array(); }
This script will return the user to the last known "Return URL", which is the location that was previously stored by the user's session to identify where they should return to after a redirect. This is most likely called after an attempt for automatically logging in to Auth that failed (due to Auth not being logged in). */ // Make sure the Return URL exists if (!isset($_SESSION['login']['return_url'])) { unset($_SESSION['login']); header("Location: /"); exit; } // If you're already logged in, return to the Return URL if (Me::$id) { header("Location: /" . $_SESSION['login']['return_url']); exit; } // Retrieve the Site Key $apiData = API_Data::get("auth"); // Save the site handshake $_SESSION['login']['handshake'] = Security_Hash::random(30, 62); // Prepare Custom Data $customData = array("handshake" => $_SESSION['login']['handshake']); // If we're making an auto-login action, inform Auth so that it can react appropriately if (isset($_GET['action']) and $_GET['action'] == "autolog") { $customData['autolog'] = true; } // Create a query string with valid packet data $queryStringPacket = API_PacketEncrypt::queryString($customData, $apiData['site_key']); // Redirect to Auth's Automatic Login Page (Get credentials and return) header("Location: " . $apiData['site_url'] . "/login-auto?" . $queryStringPacket); exit;
private static function prepIndexHash($entityName, $entityID, $attribute) { return Security_Hash::value($entityName . $entityID . $attribute, 16); }
public function handleFilename() { // Check if the extension used is allowed if (!in_array($this->toExtension, $this->allowedExtensions)) { Alert::error("Illegal Extension", "That file extension is not allowed.", 8); $this->valid = false; return false; } // If the image is provided a unique name (disregards original name) if ($this->saveMode == self::MODE_UNIQUE) { $saltLen = 4; while ($saltLen++ < 11 && $saltLen <= $this->maxFilenameLength) { $miscSalt = Security_Hash::random($saltLen, 62); if (!File::exists($this->saveDirectory . '/' . $miscSalt . '.' . $this->toExtension)) { $this->filename = $miscSalt; return true; } } Alert::error("File Name", "Ending due to naming availability being overly exhausted."); $this->valid = false; return false; } // Check if a file of the same name has been uploaded if (File::exists($this->saveDirectory . '/' . $this->filename . '.' . $this->toExtension)) { // Switch activity based on the image's save mode switch ($this->saveMode) { // If the image is to be overwritten case self::MODE_OVERWRITE: if (strlen($this->filename) > $this->maxFilenameLength) { Alert::error("File Name Length", "The length of the image's filename has exceeded allowance.", 1); $this->valid = false; return false; } return true; // If the image will be renamed if a naming conflict is caught // If the image will be renamed if a naming conflict is caught case self::MODE_RENAME: $saltLen = 3; while (true) { $miscSalt = Security_Hash::random($saltLen, 62); if (!File::exists($this->saveDirectory . '/' . substr($this->filename, $this->maxFilenameLength - $saltLen - 1) . '-' . $miscSalt . '.' . $this->toExtension)) { $this->filename .= substr($this->filename, $this->maxFilenameLength - $saltLen - 1) . '-' . $miscSalt; return true; } if ($saltLen++ > 7) { Alert::error("File Name", "Ending due to file's naming convention being too highly consumed."); $this->valid = false; return false; } } return true; // If the image is to be named AS-IS, no changes allowed // If the image is to be named AS-IS, no changes allowed case self::MODE_STANDARD: default: Alert::error("File Name", "A file already exists with that name."); $this->valid = false; return false; } } // Check if the filename is too long if (strlen($this->filename) > $this->maxFilenameLength) { Alert::error("File Name Length", "The length of the filename has exceeded allowance.", 1); $this->valid = false; return false; } return true; }
public static function JSChat() { if (Me::$id) { // Prepare Values $jsEncrypt = Security_Hash::jsHash(Me::$vals['handle'], self::$jsData['key']); $jsUser = Me::$vals['handle']; $jsTime = microtime(true) - 90; return '<script>var JSUser = "******"; var JSEncrypt = "' . $jsEncrypt . '"; var JSChatTime = ' . $jsTime . '; var JSProfilePic = "' . ProfilePic::image(Me::$id, "small") . '";</script>'; } return ''; }
header("Location: /install/connect-handle"); exit; } // If the form was not submitted, set the $_POST values to the default configuration values. // This will allow us to auto-fill the form with useful data, rather than leaving them all empty. if (!isset($_POST['site-salt']) and isset(Config::$siteConfig['database'])) { $_POST['site-salt'] = SITE_SALT; $_POST['site-handle'] = SITE_HANDLE; $_POST['site-url'] = SITE_URL; $_POST['site-name'] = Config::$siteConfig['Site Name']; $_POST['site-domain'] = FULL_DOMAIN; $_POST['site-database-name'] = Database::$databaseName; } // Prepare Installation Values $buildApp = ""; $randSalt = Security_Hash::random(82, 80); $randSalt = str_replace('"', '', $randSalt); $randSalt = str_replace('$', '', $randSalt); // Prepare POST Values: make sure that every $_POST value has a default value provided. $_POST['site-salt'] = isset($_POST['site-salt']) ? Sanitize::text($_POST['site-salt']) : $randSalt; $_POST['site-handle'] = isset($_POST['site-handle']) ? Sanitize::variable($_POST['site-handle']) : ""; $_POST['site-url'] = isset($_POST['site-url']) ? Sanitize::variable($_POST['site-url'], ":/.") : $_SERVER['SERVER_NAME']; $_POST['site-name'] = isset($_POST['site-name']) ? Sanitize::text($_POST['site-name']) : ""; $_POST['site-domain'] = isset($_POST['site-domain']) ? Sanitize::variable($_POST['site-domain'], ":/.") : ""; $_POST['site-database-name'] = isset($_POST['site-database-name']) ? Sanitize::variable($_POST['site-database-name']) : ""; // Run the Form if (Form::submitted("install-app-config")) { // Check if all of the input you sent is valid: Validate::variable("Site Handle", $_POST['site-handle'], 3, 22); Validate::safeword("Site Name", $_POST['site-name'], 3, 42); Validate::url("URL", $_POST['site-url'], 3, 64);
// Check if the handle has already been taken if (AppAccount::handleTaken($_POST['handle'])) { Alert::error("Handle Taken", "That handle has already been taken", 1); } if (Database::selectOne("SELECT email FROM users WHERE email=? LIMIT 1", array($_POST['email']))) { Alert::error("Email", "That email already exists.", 1); } // Final Validation Test if (Validate::pass()) { Database::startTransaction(); $uniID = 0; // Check if the account already exists if ($checkAuth = Database::selectValue("SELECT uni_id FROM users WHERE handle=? LIMIT 1", array($_POST['handle']))) { $uniID = (int) $checkAuth; } else { if ($regSuccess = Database::query("INSERT INTO users (handle, display_name, email, password, date_joined, auth_token, verified) VALUES (?, ?, ?, ?, ?, ?, ?)", array($_POST['handle'], $_POST['display_name'], $_POST['email'], Security_HashPassword::set($_POST['password']), time(), Security_Hash::random(22, 72), 1))) { $uniID = (int) Database::$lastID; if (isset($_POST['send_email'])) { // Email a verification letter AppVerification::sendVerification($uniID); Alert::success("Email Sent", "The account was created successfully! A verification email has been sent to " . $_POST['email'] . "!"); } else { Alert::success("User Added", "The account was created successfully!"); } } } // Create the account if ($uniID) { $pass = Database::query("INSERT INTO users_handles (handle, uni_id) VALUES (?, ?)", array($_POST['handle'], $uniID)); if (Database::endTransaction($pass)) { // Create the ProfilePic for this Account