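/**
 * Validates every request parameter in $_GET against the whitelist kept in
 * $config['securite'] (loaded from config.php).
 *
 * Each parameter name must be listed, and its value must match the pattern
 * mapped to the declared type. An unknown name, an unknown type, a non-string
 * value (e.g. ?a[]=1) or a non-matching value is reported through
 * stopSession() with the offending field name in the redirect URL.
 *
 * Changes compared to the previous version:
 *  - an unknown type no longer falls through to preg_match() with an
 *    undefined $regexp;
 *  - 'password_hash' is anchored (it used to accept any value that merely
 *    contained one allowed character);
 *  - 'alphanum-_' lists the hyphen last: PCRE2 rejects a hyphen placed
 *    directly after a POSIX class, so the old pattern failed to compile;
 *  - the D modifier stops '$' from accepting a trailing newline;
 *  - array-valued parameters are rejected instead of raising a preg_match()
 *    warning.
 *
 * Note: the old comment mentioned $_POST and $_COOKIE, but only $_GET is
 * inspected here.
 *
 * @param bool $rediRectToIndex whether stopSession() should redirect to index.php
 * @return void
 */
function doSecurityCheck($rediRectToIndex = TRUE)
{
    global $config;
    $stopExec = $config['stopOnExec'];
    // One anchored pattern per declared type. 'mysqlChecked' accepts any
    // string (its name suggests the value is escaped/validated later on the
    // database side — confirm before relying on it).
    $patterns = array(
        'int'           => '^[0-9]+$',
        'alpha'         => '^[[:alpha:]]+$',
        'ascii'         => '^[[:ascii:]]+$',
        'digit'         => '^[[:digit:]]+$',
        'alphanum'      => '^[[:alnum:]]+$',
        'alphanum-_'    => '^[[:alnum:]_-]+$',
        'mysqlChecked'  => '.*',
        // bcrypt-style alphabet ($2y$...). NOTE(review): extend the class if
        // other hash formats (e.g. argon2, which uses '=' and ',') are stored.
        'password_hash' => '^[a-zA-Z0-9$\\/.]+$',
    );
    foreach ($_GET as $key => $value) {
        $extra = 'index.php?redirect=0&champs=' . htmlentities($key);
        if (!isset($config['securite'][$key])) {
            // Parameter name is not whitelisted at all.
            stopSession($rediRectToIndex, $stopExec, $extra);
            continue;
        }
        $type = $config['securite'][$key];
        if (!isset($patterns[$type])) {
            // Type declared in config.php is not one we know how to check.
            stopSession($rediRectToIndex, $stopExec, $extra);
            continue;
        }
        // 'D' (dollar-end-only) makes '$' refuse a trailing "\n".
        if (!is_string($value) || !preg_match('/' . $patterns[$type] . '/D', $value)) {
            stopSession($rediRectToIndex, $stopExec, $extra);
        }
    }
}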
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */
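include_once dirname(__FILE__) . '/../../lib/common.php';
// The class to instantiate comes from the request, so it must be an exact
// (strict) match against the whitelist in $config['allowed_modals'];
// a missing or non-string value is treated like an unknown name.
$table = isset($_GET['inputTable']) ? $_GET['inputTable'] : '';
if (!is_string($table) || !in_array($table, $config['allowed_modals'], TRUE)) {
    stopSession();
}
$id = FALSE;
// Variable class-name instantiation gives the same object as the previous
// eval("\$target = new {$table}();") for a whitelisted name, without routing
// a request value through eval() at all.
$target = new $table();
$insert = array();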
if ($target->canEdit()) {
    $colonnes = $target->getColumns();
    foreach ($colonnes as $col) {
        if (isset($_GET[$col])) {
            $insert[$col] = $_GET[$col];
        }
    }
    if (sizeof($insert) > 0) {
        //@todo gérer le cas id inserable
        $id = $target->insert($insert);
        if ($id !== FALSE && $id !== "0") {
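/**
 * Reads and verifies the VCLAUTH authentication cookie.
 *
 * The cookie is a base64 payload that must decrypt with $keys['public']
 * (i.e. it was produced with the matching private key) to
 * "loginid|remoteIP|expiryTimestamp[|shibauthId]".
 *
 * Side effects: sets $AUTHERROR['code'] / ['message'] on failure; when a
 * shibauth id is present, sets the global $shibauthed (as int) and checks
 * that the shibauth row still exists — if it does not, the cookie is
 * cleared, the session stopped and the request redirected to BASEURL (exit).
 *
 * Changes compared to the previous version: a missing cookie, a payload with
 * fewer than three fields, a non-numeric expiry or a non-numeric shibauth id
 * are rejected up front (the id is interpolated into SQL, so it must be a
 * plain integer); get_magic_quotes_gpc() is only called where it still
 * exists (it was removed in PHP 8).
 *
 * @return string|NULL the login id from the cookie, or NULL on failure
 */
function readAuthCookie()
{
    global $keys, $AUTHERROR, $shibauthed;
    if (!isset($_COOKIE["VCLAUTH"]) || !is_string($_COOKIE["VCLAUTH"])) {
        $AUTHERROR["code"] = 3;
        $AUTHERROR["message"] = "Auth cookie is missing or malformed";
        return NULL;
    }
    $cookie = $_COOKIE["VCLAUTH"];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $cookie = stripslashes($cookie);
    }
    // Non-strict decode on purpose: cookie parsing may turn '+' into a space,
    // which strict mode would reject.
    $cookie = base64_decode($cookie);
    if (!openssl_public_decrypt($cookie, $tmp, $keys['public'])) {
        $AUTHERROR["code"] = 3;
        $AUTHERROR["message"] = "Failed to decrypt auth cookie";
        return NULL;
    }
    $tmparr = explode('|', $tmp);
    // Need at least loginid|remoteIP|ts, and ts must be digits only so the
    // expiry check below is a numeric comparison rather than a string one.
    if (count($tmparr) < 3 || !ctype_digit($tmparr[2])) {
        $AUTHERROR["code"] = 3;
        $AUTHERROR["message"] = "Auth cookie is missing or malformed";
        return NULL;
    }
    $loginid = $tmparr[0];
    $remoteIP = $tmparr[1];
    $ts = (int)$tmparr[2];
    if (count($tmparr) > 3) {
        if (!ctype_digit($tmparr[3])) {
            $AUTHERROR["code"] = 3;
            $AUTHERROR["message"] = "Auth cookie is missing or malformed";
            return NULL;
        }
        $shibauthed = (int)$tmparr[3];
        # check to see if shibauth entry still exists for $shibauthed
        # (int cast above is what keeps this interpolation safe)
        $query = "SELECT ts FROM shibauth WHERE id = {$shibauthed}";
        $qh = doQuery($query, 101);
        if ($row = mysql_fetch_assoc($qh)) {
            $shibstart = $row['ts'];
            # TODO if $shibstart is too old, expire the login session
        } else {
            # user should have been logged out, log them out now
            setcookie("VCLAUTH", "", time() - 10, "/", COOKIEDOMAIN);
            stopSession();
            dbDisconnect();
            header("Location: " . BASEURL);
            exit;
        }
    }
    if ($ts < time()) {
        $AUTHERROR["code"] = 4;
        $AUTHERROR["message"] = "Auth cookie has expired";
        return NULL;
    }
    // The cookie is bound to the client address it was issued for.
    if ($_SERVER["REMOTE_ADDR"] !== $remoteIP) {
        //setcookie("ITECSAUTH", "", time() - 10, "/", COOKIEDOMAIN);
        $AUTHERROR["code"] = 4;
        $AUTHERROR["message"] = "remote IP in auth cookie doesn't match user's remote IP";
        return NULL;
    }
    return $loginid;
}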
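/**
 * Emits the HTTP headers (and, for the logout modes, the whole response
 * body) that precede normal page rendering, driven by the global $mode.
 *
 * Handled modes: 'auth' without authentication (redirect to selectauth and
 * exit); 'logout' / 'shiblogout' (clear ITECSAUTH and VCLAUTH, delete the
 * shibauth row, print the Shibboleth logout page or redirect to HOMEURL,
 * exit); 'submitviewmode', 'viewNodes' and 'submitDeleteNode' cookie
 * updates; the stat graph modes, which run $actionFunction() and exit; and
 * the cache-control headers for every other mode.
 *
 * Changes compared to the previous version: the fall-through from 'logout'
 * into 'shiblogout' is marked as intentional; the shibauth id is cast to int
 * before being interpolated into the DELETE statement; values printed into
 * iframe src attributes ($_SERVER['SERVER_NAME'] and the IdP host, both
 * externally influenced) are HTML-escaped, and the IdP host is only derived
 * when the provider URL splits into at least three parts.
 *
 * @return void (several branches end the request with exit)
 */
function sendHeaders()
{
    global $mode, $user, $authed, $oldmode, $viewmode, $actionFunction, $skin;
    global $shibauthed;
    // Return value was never used; the call is kept in case processInputVar()
    // records or validates the input as a side effect — confirm against its definition.
    processInputVar('am', ARG_NUMERIC, 0);
    if (!$authed && $mode == "auth") {
        header("Location: " . BASEURL . SCRIPT . "?mode=selectauth");
        dbDisconnect();
        exit;
    }
    switch ($mode) {
        case 'logout':
            if ($shibauthed) {
                $shibdata = getShibauthData($shibauthed);
                if (array_key_exists('Shib-logouturl', $shibdata) && !empty($shibdata['Shib-logouturl'])) {
                    dbDisconnect();
                    header("Location: {$shibdata['Shib-logouturl']}");
                    exit;
                }
            }
            // no break: a plain logout continues with the 'shiblogout' clean-up
        case 'shiblogout':
            setcookie("ITECSAUTH", "", time() - 10, "/", COOKIEDOMAIN);
            setcookie("VCLAUTH", "", time() - 10, "/", COOKIEDOMAIN);
            if ($shibauthed) {
                $msg = '';
                $shibdata = getShibauthData($shibauthed);
                # find and clear shib cookies
                /*foreach(array_keys($_COOKIE) as $key) {
                			if(preg_match('/^_shibsession[_0-9a-fA-F]+$/', $key))
                				setcookie($key, "", time() - 10, "/", $_SERVER['SERVER_NAME']);
                			elseif(preg_match('/^_shibstate_/', $key))
                				setcookie($key, "", time() - 10, "/", $_SERVER['SERVER_NAME']);
                		}*/
                // $shibauthed originates from the auth cookie; the id column is
                // numeric, so an int cast keeps the interpolation safe.
                $shibId = (int)$shibauthed;
                doQuery("DELETE FROM shibauth WHERE id = {$shibId}", 101);
                stopSession();
                dbDisconnect();
                if (array_key_exists('Shib-logouturl', $shibdata) && !empty($shibdata['Shib-logouturl'])) {
                    print "<html>\n";
                    print "   <head>\n";
                    print "      <style type=\"text/css\">\n";
                    print "         .red {\n";
                    print "            color: red;\n";
                    print "         }\n";
                    print "         body{\n";
                    print "            margin:0px; color: red;\n";
                    print "         }\n";
                    print "      </style>\n";
                    print "   </head>\n";
                    print "   <body>\n";
                    print "      <span class=red>Done.</span>&nbsp;&nbsp;&nbsp;<a target=\"_top\" href=\"" . BASEURL . "/\">Return to VCL</a>\n";
                    print "   </body>\n";
                    print "</html>\n";
                } else {
                    // SERVER_NAME may follow the client's Host header depending on
                    // the web server configuration, so escape it for the attribute.
                    $host = htmlspecialchars($_SERVER['SERVER_NAME'], ENT_QUOTES, 'UTF-8');
                    print "<html>\n";
                    print "<head>\n";
                    print "<META HTTP-EQUIV=REFRESH CONTENT=\"5;url=" . BASEURL . "\">\n";
                    print "<style type=\"text/css\">\n";
                    print "  .hidden {\n";
                    print "    display: none;\n";
                    print "  }\n";
                    print "</style>\n";
                    print "</head>\n";
                    print "<body>\n";
                    print "Logging out of VCL...";
                    print "<iframe src=\"http://{$host}/Shibboleth.sso/Logout\" class=hidden>\n";
                    print "</iframe>\n";
                    if (array_key_exists('Shib-Identity-Provider', $shibdata) && !empty($shibdata['Shib-Identity-Provider'])) {
                        // "scheme://host/..." splits to ["scheme:", "", "host", ...];
                        // only scheme and host are reused for the IdP logout URL.
                        $tmp = explode('/', $shibdata['Shib-Identity-Provider']);
                        if (count($tmp) >= 3) {
                            $idp = htmlspecialchars("{$tmp[0]}//{$tmp[2]}", ENT_QUOTES, 'UTF-8');
                            print "<iframe src=\"{$idp}/idp/logout.jsp\" class=hidden>\n";
                            print "</iframe>\n";
                        }
                    }
                    print "</body>\n";
                    print "</html>\n";
                }
                exit;
            }
            header("Location: " . HOMEURL);
            stopSession();
            dbDisconnect();
            exit;
    }
    if ($mode == "submitviewmode") {
        $expire = time() + 31536000;
        //expire in 1 year
        $newviewmode = processInputVar("viewmode", ARG_NUMERIC);
        // A user may only select a view mode up to their own admin level.
        if (!empty($newviewmode) && $newviewmode <= $user['adminlevelid']) {
            setcookie("VCLVIEWMODE", $newviewmode, $expire, "/", COOKIEDOMAIN);
        }
        stopSession();
        header("Location: " . BASEURL . SCRIPT);
        dbDisconnect();
        exit;
    }
    if ($mode == "statgraphday" || $mode == "statgraphdayconcuruser" || $mode == "statgraphdayconcurblade" || $mode == "statgraphhour") {
        // Graph modes produce their own output; no further headers are sent.
        $actionFunction();
        dbDisconnect();
        exit;
    }
    if ($mode == "viewNodes") {
        $openNodes = processInputVar("openNodes", ARG_STRING);
        $activeNode = processInputVar("activeNode", ARG_NUMERIC);
        if (!empty($openNodes)) {
            $expire = time() + 31536000;
            //expire in 1 year
            setcookie("VCLNODES", $openNodes, $expire, "/", COOKIEDOMAIN);
        }
        if (!empty($activeNode)) {
            $expire = time() + 31536000;
            //expire in 1 year
            setcookie("VCLACTIVENODE", $activeNode, $expire, "/", COOKIEDOMAIN);
        }
        return;
    }
    if ($mode == "submitDeleteNode") {
        $activeNode = processInputVar("activeNode", ARG_NUMERIC);
        $nodeinfo = getNodeInfo($activeNode);
        $expire = time() + 31536000;
        //expire in 1 year
        // After deleting a node, the parent becomes the active one.
        setcookie("VCLACTIVENODE", $nodeinfo["parent"], $expire, "/", COOKIEDOMAIN);
    }
    if ($mode == "sendRDPfile") {
        header("Cache-Control: max-age=5, must-revalidate");
        header('Pragma: cache');
    } else {
        header("Cache-Control: no-cache, must-revalidate");
    }
    header("Expires: Sat, 1 Jan 2000 00:00:00 GMT");
}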
<?php

/*
 * Copyright (C) 2014 saez0pub
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */
// Load the shared library relative to this file (__DIR__ === dirname(__FILE__)).
include_once __DIR__ . '/../../lib/common.php';
// End the session; the FALSE argument presumably disables the redirect —
// confirm against stopSession()'s definition in the included library.
stopSession(FALSE);