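/**
 * Login controller entry point.
 *
 * Three things happen here, in order:
 *  1. a "jframework_rememberme" cookie, if present, is exchanged for the user
 *     id stored under "rememberme_<token>" and that user is force-logged-in;
 *  2. a POSTed Username/Password pair is checked with jf::$XUser->Login(); on
 *     failure jf::$XUser->LastError is mapped to a message in $this->Error;
 *  3. after a successful credential login with the "Remember" box ticked, a
 *     fresh token is stored for 30 days and handed back as the cookie.
 * When logged in, an optional site-relative $_GET['return'] path is followed
 * and $this->Success is set before the view is presented.
 *
 * @return mixed Whatever $this->Present() returns.
 */
function Start()
{
    $this->Username = jf::$XUser->Username();
    $Logged = false;

    if (isset($_COOKIE["jframework_rememberme"]) && is_string($_COOKIE["jframework_rememberme"])) {
        $rememberMeToken = $_COOKIE["jframework_rememberme"];
        $userID = jf::LoadGeneralSetting("rememberme_" . $rememberMeToken);
        // An unknown token loads as null and fails the numeric test below.
        if (is_numeric($userID) && $userID > 0) {
            jf::$XUser->ForceLogin($userID);
            $Logged = true;
        }
    }

    if (isset($_POST["Username"])) {
        $Username = (string) $_POST['Username'];
        // A form posted without a password field must not raise a notice.
        $Password = isset($_POST['Password']) ? (string) $_POST['Password'] : '';
        $loginResult = jf::$XUser->Login($Username, $Password);

        if (!$loginResult) {
            $UserID = jf::$XUser->UserID($Username);
            $res = jf::$XUser->LastError;
            // Fallback so $this->Error is always defined, even for an unmapped error code.
            $ErrorString = "Invalid Credentials.";

            // switch keeps the loose comparison the error codes were compared with before;
            // the types of LastError and the ExtendedUserErrors constants are not visible here.
            switch ($res) {
                case \jf\ExtendedUserErrors::Inactive:
                    $ErrorString = "Your account is not activated.";
                    break;
                case \jf\ExtendedUserErrors::InvalidCredentials:
                case \jf\ExtendedUserErrors::NotFound:
                    $ErrorString = "Invalid Credentials.";
                    break;
                case \jf\ExtendedUserErrors::Locked:
                    $ErrorString = "Your account is locked. Try again in "
                        . floor(jf::$XUser->LockTime($Username) / 60) . " minute(s).";
                    break;
                case \jf\ExtendedUserErrors::PasswordExpired:
                    $Link = "./reset?user=" . rawurlencode((string) $UserID);
                    // The link is rendered inside an HTML attribute, so escape it for that context.
                    $safeLink = htmlspecialchars($Link, ENT_QUOTES, 'UTF-8');
                    $ErrorString = "Your password is expired. You should <a href='{$safeLink}'>change your password</a>.";
                    break;
                case \jf\ExtendedUserErrors::TemporaryValidPassword:
                    // The temporary password travels in the query string (the reset page reads
                    // it from there); URL-encode it so user input cannot break out of the URL,
                    // and HTML-escape the whole link so it cannot break out of the href attribute.
                    $Link = "./reset?user=" . rawurlencode((string) $UserID) . "&temp=" . rawurlencode($Password);
                    $safeLink = htmlspecialchars($Link, ENT_QUOTES, 'UTF-8');
                    $ErrorString = "This is a temporary password. You should <a href='{$safeLink}'>reset your password</a> now.";
                    break;
            }

            // A failed credential login overrides any remember-me login above.
            $Logged = false;
            $this->Error = $ErrorString;
        } else {
            $Logged = true;
            if (isset($_POST['Remember'])) {
                $timeout = 60 * 60 * 24 * 30; // 30 days
                $rememberMeToken = jf::$Security->RandomToken();
                jf::SaveGeneralSetting("rememberme_" . $rememberMeToken, jf::CurrentUser(), $timeout);
                // HttpOnly keeps the token out of reach of page scripts; Secure is set only
                // when this request itself arrived over TLS so plain-HTTP deployments keep working.
                $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
                setcookie('jframework_rememberme', $rememberMeToken, jf::time() + $timeout, '', '', $secure, true);
            }
        }
    }

    if ($Logged) {
        // Only follow site-relative targets ("/path"). Protocol-relative ("//host") and
        // absolute URLs would turn the return parameter into an open redirect.
        if (isset($_GET['return']) && is_string($_GET['return'])
            && preg_match('#^/(?![/\\\\])#', $_GET['return']) === 1) {
            $this->Redirect($_GET['return']);
        }
        $this->Success = true;
    }

    return $this->Present();
}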
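/**
 * Sign-up controller entry point.
 *
 * Serves two requests:
 *  - activation: ?validate=<token> is mapped through the "activation_<token>"
 *    general setting to a user id, which is activated once and the setting deleted;
 *  - sign-up: POSTed Username/Password/Confirm/Email create a user, assign the
 *    role named by self::ROLE_NAME and send the activation mail.
 * Failures end up as a message in $this->Error, success in $this->Success.
 *
 * @return mixed Whatever $this->Present() returns.
 */
function Start()
{
    // If validation request
    if (isset($_GET['validate'])) {
        $token = (string) $_GET['validate'];
        $userId = jf::LoadGeneralSetting("activation_{$token}");
        // An unknown token loads as null; treat it like a missing user.
        if ($userId === null || !jf::$XUser->UserIDExists($userId)) {
            $errorString = "Invalid validation token";
        } elseif (jf::$XUser->IsActive($userId)) {
            $errorString = "Your account is already activated";
        } else {
            jf::$XUser->Activate($userId);
            jf::DeleteGeneralSetting("activation_{$token}");
            $this->Success = "Your account is successfully activated";
        }
    }

    // If sign up request
    if (isset($_POST["Username"])) {
        $username = (string) $_POST['Username'];
        // Missing fields must not raise notices; an empty string fails validation below.
        $password = isset($_POST['Password']) ? (string) $_POST['Password'] : '';
        $confirm = isset($_POST['Confirm']) ? (string) $_POST['Confirm'] : '';
        $email = isset($_POST['Email']) ? (string) $_POST['Email'] : '';

        // FILTER_VALIDATE_EMAIL replaces a hand-written pattern that only accepted
        // lower-case addresses with two- or three-letter top-level domains.
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errorString = "Invalid email address.";
        } elseif (jf::$XUser->UserID($username)) {
            $errorString = "User already exists.";
        } elseif ($confirm !== $password) {
            // Strict comparison: with != the numeric strings "1e3" and "1000" would "match".
            $errorString = "Passwords does not match.";
        }

        if (!isset($errorString)) {
            $userId = jf::$XUser->CreateUser($username, $password, $email);
            // Assign role to the newly created user
            $roleId = jf::$RBAC->Roles->TitleId(self::ROLE_NAME);
            jf::$RBAC->Users->Assign($roleId, $userId);
            // Send activation email
            if ($this->activationMail($email, $userId, $username)) {
                $this->Success = "Signup successful. Check your email for activation link.";
            } else {
                $errorString = "Could not send confirmation email.";
            }
        }
    }

    if (isset($errorString)) {
        $this->Error = $errorString;
    }
    return $this->Present();
}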
/**
 * @depends testLoadGeneral
 */
function testSaveGeneralTimeOut()
{
    $name = "some_name";
    $value = "some_value";
    $oneDay = jf\Timeout::DAY;

    // A setting saved with a one-day timeout is gone once the clock has moved
    // past it and the settings store has been swept.
    jf::SaveGeneralSetting($name, $value, $oneDay);
    $this->assertTrue(jf::SaveGeneralSetting($name, $value, $oneDay));
    $this->movetime($oneDay);
    jf::$Settings->_Sweep(true);
    $this->assertNull(jf::LoadGeneralSetting($name));

    // Saved with timeout 1 (and loaded with a second argument of 1 — the meaning of
    // both is not visible from this test; presumably a special "long-lived" marker
    // and a matching flag), the value still survives a ten-year jump.
    $this->assertTrue(jf::SaveGeneralSetting($name, $value, 1));
    $this->movetime(jf\Timeout::YEAR * 10);
    $this->assertNotNull(jf::LoadGeneralSetting($name, 1));

    // movetime(0) presumably resets the clock; the next call then pushes it to
    // jf\Timeout::NEVER, which the assertion pins to the 32-bit epoch maximum.
    $this->movetime(0);
    $this->movetime(jf\Timeout::NEVER - jf::time());
    $this->assertEquals(jf::time(), 2147483647);

    // At the end of time even that value is swept away.
    jf::$Settings->_Sweep(true);
    $this->assertNull(jf::LoadGeneralSetting($name, 1));
}
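/**
 * Returns the object of the lesson from
 * the application settings.
 *
 * The 'categoryLessons' setting is iterated as category => list of lessons,
 * where each lesson entry holds the name at index 0 and the object at index 1.
 *
 * @param string $lessonName Name of the lesson to be searched for
 *
 * @return Object Lesson object
 * @throws ArgumentMissingException If $lessonName is missing or empty
 * @throws LessonNotFoundException If the lesson is not found
 * @throws GeneralSettingsMissingException If there are no application
 * settings present
 */
public static function getLessonObject($lessonName = null)
{
    // Both null and '' count as "no lesson selected".
    if ($lessonName === null || $lessonName === '') {
        throw new ArgumentMissingException("Please select a lesson");
    }

    // Load the setting once instead of once for the check and again for the loop.
    $categoryLessons = \jf::LoadGeneralSetting('categoryLessons');
    if (!$categoryLessons) {
        throw new GeneralSettingsMissingException("No settings found for 'categoryLessons'");
    }

    foreach ($categoryLessons as $lessons) {
        foreach ($lessons as $lesson) {
            // Strict string comparison: with == the names "1e1" and "10" would be equal.
            if ((string) $lesson[0] === (string) $lessonName) {
                return $lesson[1];
            }
        }
    }

    throw new LessonNotFoundException("Lesson '{$lessonName}' not found");
}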
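/**
 * Sign-up controller entry point.
 *
 * Serves two requests:
 *  - activation: ?validate=<token> is mapped through the "activation_<token>"
 *    general setting to a user id, which is activated once and the setting deleted;
 *  - sign-up: POSTed Username/Password/Confirm/Email create a user and send the
 *    activation mail.
 * Failures end up as a message in $this->Error, success in $this->Success.
 *
 * @return mixed Whatever $this->Present() returns.
 */
function Start()
{
    $this->Username = jf::$XUser->Username();

    if (isset($_GET['validate'])) {
        $token = (string) $_GET['validate'];
        $UserID = jf::LoadGeneralSetting("activation_{$token}");
        // An unknown token loads as null; treat it like a missing user.
        if ($UserID === null || !jf::$XUser->UserIDExists($UserID)) {
            $ErrorString = "Invalid validation token.";
        } elseif (jf::$XUser->IsActive($UserID)) {
            $ErrorString = "Your account is already activated";
        } else {
            jf::$XUser->Activate($UserID);
            jf::DeleteGeneralSetting("activation_{$token}");
            $this->Success = "Your account is succesfully activated. You may now login.";
        }
    }

    if (isset($_POST["Username"])) {
        $Username = (string) $_POST['Username'];
        // Missing fields must not raise notices; an empty string fails validation below.
        $Password = isset($_POST['Password']) ? (string) $_POST['Password'] : '';
        $Confirm = isset($_POST['Confirm']) ? (string) $_POST['Confirm'] : '';
        $Email = isset($_POST['Email']) ? (string) $_POST['Email'] : '';

        // FILTER_VALIDATE_EMAIL replaces a hand-written pattern that only accepted
        // lower-case addresses with two- or three-letter top-level domains.
        if (filter_var($Email, FILTER_VALIDATE_EMAIL) === false) {
            $ErrorString = "Invalid email address.";
        } elseif (jf::$XUser->UserID($Username)) {
            $ErrorString = "User already exists.";
        } elseif ($Confirm !== $Password) {
            // Strict comparison: with != the numeric strings "1e3" and "1000" would "match".
            $ErrorString = "Password retype does not match.";
        }

        if (!isset($ErrorString)) {
            $UserID = jf::$XUser->CreateUser($Username, $Password, $Email);
            if ($this->ActivationMail($Email, $UserID, $Username)) {
                $this->Success = true;
            } else {
                $ErrorString = "Could not send confirmation email.";
            }
        }
    }

    if (isset($ErrorString)) {
        $this->Error = $ErrorString;
    }
    return $this->Present();
}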
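/**
 * Workshop dashboard entry point.
 *
 * Requires an authenticated user holding the 'workshop' permission. Two POST
 * actions toggle lesson visibility ("hide" / "show" carry a lesson name) and
 * answer with a JSON status; any other request fills the view fields for the
 * overview (totals), reports (who completed which lesson) and analytics
 * (lessons per category) sections.
 *
 * @return mixed true after a hide/show action, otherwise whatever
 *               $this->Present() returns; null after a redirect.
 */
public function Start()
{
    if (!jf::CurrentUser()) {
        // User not authenticated: send to login, returning here afterwards
        $this->Redirect(jf::url() . "/user/login?return=/" . jf::$BaseRequest);
        return;
    }
    if (!jf::Check('workshop')) {
        // User not authorized: redirect to home page instead of Login Page
        $this->Redirect(SiteRoot);
        return;
    }

    $hiddenLessons = jf::LoadGeneralSetting("hiddenWorkshopLessons");
    if (!is_array($hiddenLessons)) {
        // null when the setting was never written; normalise so in_array,
        // array_search and count below always see an array
        $hiddenLessons = array();
    }

    // If request to hide the lesson: append its name (once) to the hidden list
    if (isset($_POST['hide'])) {
        $lessonToHide = $_POST['hide'];
        // Only a plain string is stored; arrays or duplicates are ignored.
        if (is_string($lessonToHide) && !in_array($lessonToHide, $hiddenLessons, true)) {
            $hiddenLessons[] = $lessonToHide;
        }
        jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
        echo json_encode(array('status' => true));
        return true;
    }

    // If request to show the lesson: drop its name from the hidden list
    if (isset($_POST['show'])) {
        $lessonToShow = $_POST['show'];
        if (is_string($lessonToShow)) {
            $position = array_search($lessonToShow, $hiddenLessons, true);
            if ($position !== false) {
                unset($hiddenLessons[$position]);
                // Keep the stored value a plain list rather than a sparse map.
                $hiddenLessons = array_values($hiddenLessons);
            }
        }
        jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
        echo json_encode(array('status' => true));
        return true;
    }

    // Get the list of all the lessons/categories (category => list of lessons)
    $allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");
    if (!is_array($allCategoryLesson)) {
        $allCategoryLesson = array();
    }
    $this->allCategoryLesson = $allCategoryLesson;
    $this->hiddenLessons = $hiddenLessons;

    // 'overview' section of the dashboard: store all the stats
    $obj = new \webgoat\WorkshopUsers();
    $workshopUsers = $obj->getAll();
    if ($workshopUsers === null) {
        // getAll() returns null if no users are present
        $workshopUsers = array();
    }
    $this->totalUsers = count($workshopUsers);
    $this->totalCategories = count($allCategoryLesson);

    $lessonCount = 0;
    foreach ($allCategoryLesson as $lessons) {
        $lessonCount += count($lessons);
    }
    $this->totalLessons = $lessonCount;
    $this->totalVisibleLessons = $lessonCount - count($hiddenLessons);

    // Reports page: for each lesson, the usernames that completed it. Completion
    // is a per-user setting keyed with the lesson name behind $lessonPrefix.
    $lessonsCompletedBy = array();
    $lessonPrefix = "completed_webgoat\\";
    foreach ($allCategoryLesson as $lessons) {
        foreach ($lessons as $lesson) {
            $lessonName = $lesson[0]; // Index 0 is for name
            $lessonsCompletedBy[$lessonName] = array();
            foreach ($workshopUsers as $user) {
                if (jf::LoadUserSetting($lessonPrefix . $lessonName, $user['ID'])) {
                    $lessonsCompletedBy[$lessonName][] = $user['Username'];
                }
            }
        }
    }
    $this->reports = $lessonsCompletedBy;

    // Analytics: one [category, lesson count] row per category behind a heading row
    $noOfLessonsInCategories = array(array('Category', 'No of Lessons'));
    foreach ($allCategoryLesson as $category => $lessons) {
        $noOfLessonsInCategories[] = array($category, count($lessons));
    }
    $this->analytics = $noOfLessonsInCategories;

    return $this->Present();
}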
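/**
 * Single-lesson mode request handler.
 *
 * Below the controller URL the request is "<Lesson>/...". Three shapes are
 * served: "<Lesson>/static/<file>" streams a lesson asset from LESSON_PATH;
 * "<Lesson>/reset/" instantiates \webgoat\<Lesson>, calls reset() and answers
 * with a JSON status; anything else loads the lesson through LessonScanner and
 * fills the view fields (lessonTitle, hints, htmlContent, nameOfLesson,
 * sourceCode, completeSourceCode, error) before presenting it.
 *
 * @param string $request Ignored; the full path is re-read from jf::$BaseRequest (see FIXME).
 * @return mixed The DownloadManager result for a static file, true after a
 *               reset, the Present() result for a lesson page, null after a
 *               redirect or when no static file matched.
 */
public function Handle($request)
{
    // This gives complete request path
    $request = jf::$BaseRequest; //FIXME: Fix JCatchControl so that this is not required

    if (!jf::CurrentUser()) {
        // User not logged in
        $this->Redirect(jf::url() . "/user/login?return=/{$request}");
        return;
    }
    if (!jf::Check('view_single_chal')) {
        // Not sufficient permissions, redirect to home page of the application
        $this->Redirect(SiteRoot);
        return;
    }

    // Extract the relative request path, i.e. the path after the controller URL.
    // Ex: If request is http://localhost/webgoatphp/mode/single/challenges/HTTPBasics/static/test
    //     $request will be mode/single/challenges/HTTPBasics/static/test
    //     $relativePath will be HTTPBasics/static/test
    $relativePath = $this->getRelativePath($request);
    $absolutePath = LESSON_PATH . $relativePath;

    if (strpos($relativePath, "/static/") !== false) {
        // The path comes from the URL; serve the file only if, with symlinks and
        // ".." segments resolved, it still lies inside LESSON_PATH.
        $staticFile = $this->resolveInsideLessonPath($absolutePath);
        if ($staticFile !== false && is_file($staticFile)) {
            $FileMan = new \jf\DownloadManager();
            return $FileMan->Feed($staticFile);
        }
        return;
    }

    $nameOfLesson = stristr($relativePath, "/", true);
    \webgoat\LessonScanner::loadClasses();

    if (strpos($relativePath, "reset/") !== false) {
        // The name becomes a class name; accept identifier characters only so
        // nothing outside the \webgoat\ lesson classes can be instantiated.
        if ($nameOfLesson === false || preg_match('/^[A-Za-z0-9_]+$/', $nameOfLesson) !== 1) {
            echo json_encode(array("status" => false));
            return true;
        }
        $lessonNameWithNS = "\\webgoat\\" . $nameOfLesson;
        $obj = new $lessonNameWithNS();
        $obj->reset();
        echo json_encode(array("status" => true));
        return true;
    }

    if (isset($_GET['refresh']) || !jf::LoadGeneralSetting("categoryLessons")) {
        \webgoat\LessonScanner::run();
    }
    $this->allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");

    try {
        $lessonObj = \webgoat\LessonScanner::getLessonObject($nameOfLesson);
        $lessonObj->start();
        $this->lessonTitle = $lessonObj->getTitle();
        $this->hints = $lessonObj->getHints();
        $this->htmlContent = $lessonObj->getContent();
        $this->nameOfLesson = $nameOfLesson;

        // The lesson's index.php is read back for display; resolve it the same way
        // as static files so the request path cannot point outside LESSON_PATH.
        $indexFile = $this->resolveInsideLessonPath($absolutePath . "index.php");

        $secureCoding = $lessonObj->isSecureCodingAllowed();
        $sourceCodeToDisplay = "";
        if ($secureCoding['status'] === true && $indexFile !== false) {
            // Lines [start, end) are shown; indentSize is taken from the first of them.
            $sourceCode = file($indexFile);
            $firstLine = $sourceCode[$secureCoding['start']];
            $this->indentSize = strlen($firstLine) - strlen(ltrim($firstLine));
            for ($i = $secureCoding['start']; $i < $secureCoding['end']; $i++) {
                $sourceCodeToDisplay .= $this->removeWhitespaces($sourceCode[$i]) . "\n";
            }
            $this->sourceCode = $sourceCodeToDisplay;
        }

        // To show complete PHP Code
        $completeSource = $indexFile !== false ? file_get_contents($indexFile) : false;
        $this->completeSourceCode = $completeSource === false ? "" : htmlentities($completeSource);

        if (isset($_POST['sourceCode'])) {
            // Code to handle source code evaluation (not implemented yet)
        }
    } catch (\Exception $e) {
        // Lesson lookup failures (e.g. an unknown name) are reported on the page.
        $this->error = $e->getMessage();
    }

    // Deliberately switches the browser's legacy XSS filter off — presumably so the
    // XSS lessons of this training application behave consistently across browsers.
    header("X-XSS-Protection: 0");
    return $this->Present();
}

/**
 * Resolves $path and returns its canonical form only when it lies inside LESSON_PATH.
 *
 * @param string $path Candidate path built from user-supplied request segments.
 * @return string|false The canonical path, or false if it does not exist or escapes LESSON_PATH.
 */
private function resolveInsideLessonPath($path)
{
    $root = realpath(LESSON_PATH);
    $real = realpath($path);
    if ($root === false || $real === false) {
        return false;
    }
    // Prefix check with a trailing separator so "/lessons-other/x" does not pass for "/lessons".
    return strpos($real, $root . DIRECTORY_SEPARATOR) === 0 ? $real : false;
}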
<?php
#####################################################################################
# Transition script. Used to make changes between versions, such as database schema #
# upgrades and similar things.                                                      #
#####################################################################################

$Version = constant("jf_Application_Version");
$OldVersion = jf::LoadGeneralSetting("Version");

// Loose comparison on purpose: the stored value and the constant may differ in type.
$versionChanged = ($Version != $OldVersion);

if ($versionChanged) {
    # save the new version first, so that concurrent requests do not run transition again
    jf::SaveGeneralSetting("Version", $Version);

    $isUpgradeFrom1To2 = ($OldVersion == "1.0" && $Version == "2.0");
    if ($isUpgradeFrom1To2) {
        // upgrade the database schema from version 1 to version 2
    }
}