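/**
 * Includes the PHPIDS vendor parts and runs the detection routines on the
 * request array, writing a default Config.IDS.ini on first use.
 *
 * The request uri and user agent are copied into $_REQUEST so that PHPIDS
 * inspects them as well; note that this mutates the superglobal for the
 * remainder of the request.
 *
 * @param array $args
 *   The url path components of the current request (joined with '/').
 *
 * @return bool
 *   TRUE once the request has been scanned (or deliberately bypassed);
 *   what happens on a hit is decided by react().
 */
public function check(&$args) {
  // A few internal urls are never scanned: the ajax endpoint and two admin
  // screens that legitimately submit raw config / templated html. Every
  // entry here is unscanned, so keep the list short.
  static $skip = array(
    'civicrm/ajax',
    'civicrm/admin/setting/updateConfigBackend',
    'civicrm/admin/messageTemplates',
  );
  $path = implode('/', $args);
  // $path is always a string, so compare strictly rather than loosely.
  if (in_array($path, $skip, TRUE)) {
    return TRUE;
  }

  // Add request url and user agent to the array PHPIDS will inspect.
  // REQUEST_URI is absent under the CLI, so guard both reads.
  if (isset($_SERVER['REQUEST_URI'])) {
    $_REQUEST['IDS_request_uri'] = $_SERVER['REQUEST_URI'];
  }
  if (isset($_SERVER['HTTP_USER_AGENT'])) {
    $_REQUEST['IDS_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
  }

  require_once 'IDS/Init.php';

  // init the PHPIDS and pass the REQUEST array
  $config = CRM_Core_Config::singleton();
  $configFile = $config->configAndLogDir . 'Config.IDS.ini';
  if (!file_exists($configFile)) {
    $tmpDir = empty($config->uploadDir) ? CIVICRM_TEMPLATE_COMPILEDIR : $config->uploadDir;
    // also clear the stat cache in case we are upgrading
    clearstatcache();
    global $civicrm_root;

    // exceptions[] fields are never inspected by the scanner and html[]
    // fields are run through HTMLPurifier instead of the filters; each entry
    // narrows coverage, so only fields that legitimately carry markup belong
    // here.
    $skippedFields = array(
      '__utmz', '__utmc', 'widget_code', 'html_message', 'body_html',
      'msg_html', 'msg_text', 'msg_subject', 'description',
    );
    $htmlFields = array(
      'intro', 'thankyou_text', 'intro_text', 'body_text', 'footer_text',
      'thankyou_text', 'thankyou_footer', 'thankyou_footer_text', 'new_text',
      'renewal_text', 'help_pre', 'help_post', 'confirm_title', 'confirm_text',
      'confirm_footer_text', 'confirm_email_text', 'report_header',
      'report_footer', 'data', 'instructions',
    );
    $lines = array(
      '[General]',
      ' filter_type = xml',
      " filter_path = {$civicrm_root}/packages/IDS/default_filter.xml",
      " tmp_path = {$tmpDir}",
      ' HTML_Purifier_Path = IDS/vendors/htmlpurifier/HTMLPurifier.auto.php',
      " HTML_Purifier_Cache = {$tmpDir}",
      ' scan_keys = false',
    );
    foreach ($skippedFields as $field) {
      $lines[] = " exceptions[] = {$field}";
    }
    foreach ($htmlFields as $field) {
      $lines[] = " html[] = {$field}";
    }
    $contents = "\n" . implode("\n", $lines) . "\n";

    if (file_put_contents($configFile, $contents) === FALSE) {
      require_once 'CRM/Core/Error.php';
      CRM_Core_Error::movedSiteError($configFile);
    }
    // also create the .htaccess file so we prevent the reading of the log and
    // ini files via a browser, CRM-3875. Only Apache with AllowOverride in
    // effect honours that file; other web servers need the directory blocked
    // in their own configuration.
    require_once 'CRM/Utils/File.php';
    CRM_Utils_File::restrictAccess($config->configAndLogDir);
  }

  $init = IDS_Init::init($configFile);
  $ids = new IDS_Monitor($_REQUEST, $init);
  $result = $ids->run();
  if (!$result->isEmpty()) {
    $this->react($result);
  }
  return TRUE;
}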
/**
 * Create the default config file for the IDS system.
 *
 * The generated ini points PHPIDS at the bundled filter set and lists the
 * request keys the scanner must leave alone (exceptions[]). Every name in
 * that list is a field the IDS never inspects, so it should only hold fields
 * that legitimately carry markup or free text.
 *
 * @param bool $force
 *   Should we recreate it irrespective if it exists or not.
 *
 * @return string
 *   the full path to the config file
 */
public static function createConfigFile($force = FALSE) {
  $config = CRM_Core_Config::singleton();
  $configFile = $config->configAndLogDir . 'Config.IDS.ini';
  if (!$force && file_exists($configFile)) {
    return $configFile;
  }

  // Scratch space for the filter / purifier caches; fall back to the template
  // compile dir when no upload dir is configured.
  $tmpDir = empty($config->uploadDir) ? CIVICRM_TEMPLATE_COMPILEDIR : $config->uploadDir;
  // also clear the stat cache in case we are upgrading
  clearstatcache();
  global $civicrm_root;

  $skippedFields = array(
    '__utmz', '__utmc', 'widget_code', 'html_message', 'text_message',
    'body_html', 'msg_html', 'msg_text', 'msg_subject', 'description',
    'intro', 'thankyou_text', 'intro_text', 'body_text', 'footer_text',
    'thankyou_text', 'tf_thankyou_text', 'thankyou_footer',
    'thankyou_footer_text', 'new_text', 'renewal_text', 'help_pre',
    'help_post', 'confirm_title', 'confirm_text', 'confirm_footer_text',
    'confirm_email_text', 'report_header', 'report_footer', 'data', 'json',
    'instructions', 'suggested_message', 'page_text',
  );
  $lines = array(
    '[General]',
    ' filter_type = xml',
    " filter_path = {$civicrm_root}/packages/IDS/default_filter.xml",
    " tmp_path = {$tmpDir}",
    ' HTML_Purifier_Path = IDS/vendors/htmlpurifier/HTMLPurifier.auto.php',
    " HTML_Purifier_Cache = {$tmpDir}",
    ' scan_keys = false',
  );
  foreach ($skippedFields as $field) {
    $lines[] = " exceptions[] = {$field}";
  }
  $ini = "\n" . implode("\n", $lines) . "\n";

  if (file_put_contents($configFile, $ini) === FALSE) {
    CRM_Core_Error::movedSiteError($configFile);
  }
  // also create the .htaccess file so we prevent the reading of the log and
  // ini files via a browser, CRM-3875
  CRM_Utils_File::restrictAccess($config->configAndLogDir);

  return $configFile;
}
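/**
 * Restrict access to a given directory (by planting there a restrictive .htaccess file)
 *
 * The directives are Apache 2.2 syntax ("Order"/"Deny"); Apache 2.4 honours
 * them only through mod_access_compat, and the file only takes effect where
 * AllowOverride permits it. Other web servers ignore it entirely, so the
 * directory has to be blocked in their own configuration.
 *
 * @param string $dir
 *   The directory to be secured.
 * @param bool $overwrite
 *   Replace an existing .htaccess instead of leaving it untouched.
 */
public static function restrictAccess($dir, $overwrite = FALSE) {
  // note: empty value for $dir can play havoc, since that might result in putting '.htaccess' to root dir
  // of site, causing site to stop functioning.
  // FIXME: we should do more checks here -
  if (empty($dir) || !is_dir($dir)) {
    return;
  }

  // Without a trailing separator the file would land beside the directory
  // (".../dir.htaccess") and protect nothing.
  $lastChar = substr($dir, -1);
  if ($lastChar !== '/' && $lastChar !== DIRECTORY_SEPARATOR) {
    $dir .= DIRECTORY_SEPARATOR;
  }
  $file = $dir . '.htaccess';
  if (!$overwrite && file_exists($file)) {
    return;
  }

  $htaccess = <<<HTACCESS
<Files "*">
Order allow,deny
Deny from all
</Files>
HTACCESS;
  if (file_put_contents($file, $htaccess) === FALSE) {
    CRM_Core_Error::movedSiteError($file);
  }
}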
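/**
 * Export data to a CSV file.
 *
 * Rows that carry an import status marker ('IMPORTED', 'ERROR', ...) three
 * columns before the end have that marker and the following status message
 * and id columns stripped, so the file can be fed back into an import.
 *
 * @param string $fileName
 *   Path of the file to (over)write.
 * @param array $header
 *   Column titles, written as the first line.
 * @param array $data
 *   List of rows, each a map of column => value.
 *
 * @return void
 * @access public
 */
static function exportCSV($fileName, $header, $data) {
  if (file_exists($fileName) && !is_writable($fileName)) {
    CRM_Core_Error::movedSiteError($fileName);
  }

  // hack to remove '_status', '_statusMsg' and '_id' from error file: once a
  // status marker is met three columns before the end, drop it and the rest.
  $dbRecordStatus = array('IMPORTED', 'ERROR', 'DUPLICATE', 'INVALID', 'NEW');
  $errorValues = array();
  foreach ($data as $rowCount => $rowValues) {
    $statusPosition = count($rowValues) - 3;
    $count = 0;
    foreach ($rowValues as $key => $val) {
      // strict: a loose in_array would match the integer 0 against these
      // strings on PHP < 8 and truncate an ordinary row.
      if ($count === $statusPosition && in_array($val, $dbRecordStatus, TRUE)) {
        break;
      }
      $errorValues[$rowCount][$key] = $val;
      $count++;
    }
  }

  // Quote every field and double embedded quotes (RFC 4180) so a value that
  // contains the separator or a quote cannot break the row. Values are not
  // otherwise neutralised: a cell starting with '=' is still interpreted as a
  // formula by most spreadsheet applications.
  $quote = function ($value) {
    return '"' . str_replace('"', '""', (string) $value) . '"';
  };
  $config = CRM_Core_Config::singleton();
  $output = array(implode($config->fieldSeparator, array_map($quote, $header)));
  foreach ($errorValues as $datum) {
    $output[] = implode($config->fieldSeparator, array_map($quote, $datum));
  }

  $fd = fopen($fileName, 'w');
  if ($fd === FALSE) {
    CRM_Core_Error::movedSiteError($fileName);
  }
  fwrite($fd, implode("\n", $output));
  fclose($fd);
}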
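/**
 * Includes the PHPIDS vendor parts and runs the detection routines on the
 * request array, writing a default Config.IDS.ini and .htaccess on first use.
 *
 * The request uri and user agent are copied into $_REQUEST so that PHPIDS
 * inspects them as well; note that this mutates the superglobal for the
 * remainder of the request.
 *
 * @param array $args
 *   The url path components of the current request (joined with '/').
 *
 * @return bool
 *   TRUE once the request has been scanned (or deliberately bypassed);
 *   what happens on a hit is decided by react().
 */
public function check(&$args) {
  // A few internal urls are never scanned: the ajax endpoint and the admin
  // screen that legitimately submits raw config. Every entry here is
  // unscanned, so keep the list short.
  static $skip = array(
    'civicrm/ajax',
    'civicrm/admin/setting/updateConfigBackend',
  );
  $path = implode('/', $args);
  // $path is always a string, so compare strictly rather than loosely.
  if (in_array($path, $skip, TRUE)) {
    return TRUE;
  }

  // Add request url and user agent to the array PHPIDS will inspect.
  // REQUEST_URI is absent under the CLI, so guard both reads.
  if (isset($_SERVER['REQUEST_URI'])) {
    $_REQUEST['IDS_request_uri'] = $_SERVER['REQUEST_URI'];
  }
  if (isset($_SERVER['HTTP_USER_AGENT'])) {
    $_REQUEST['IDS_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
  }

  require_once 'IDS/Init.php';

  // init the PHPIDS and pass the REQUEST array
  $config = CRM_Core_Config::singleton();
  $configFile = $config->configAndLogDir . 'Config.IDS.ini';
  if (!file_exists($configFile)) {
    global $civicrm_root;

    // exceptions[] fields are never inspected by the scanner and html[]
    // fields are run through HTMLPurifier instead of the filters; each entry
    // narrows coverage, so only fields that legitimately carry markup belong
    // here.
    $skippedFields = array(
      '__utmz', '__utmc', 'widget_code', 'html_message', 'body_html', 'msg_html',
    );
    $htmlFields = array(
      'description', 'intro', 'thankyou_text', 'intro_text', 'body_text',
      'footer_text', 'thankyou_text', 'thankyou_footer', 'new_text',
      'renewal_text', 'help_pre', 'help_post', 'msg_html', 'confirm_title',
      'confirm_text', 'confirm_footer_text', 'confirm_email_text',
    );
    $lines = array(
      '[General]',
      ' filter_type = xml',
      " filter_path = {$civicrm_root}/packages/IDS/default_filter.xml",
      " tmp_path = {$config->uploadDir}",
      ' HTML_Purifier_Path = IDS/vendors/htmlpurifier/HTMLPurifier.auto.php',
      " HTML_Purifier_Cache = {$config->uploadDir}",
      ' scan_keys = false',
    );
    foreach ($skippedFields as $field) {
      $lines[] = " exceptions[] = {$field}";
    }
    foreach ($htmlFields as $field) {
      $lines[] = " html[] = {$field}";
    }
    $contents = "\n" . implode("\n", $lines) . "\n";

    if (file_put_contents($configFile, $contents) === FALSE) {
      require_once 'CRM/Core/Error.php';
      CRM_Core_Error::movedSiteError($configFile);
    }

    // also create the .htaccess file so we prevent the reading of the log and
    // ini files via a browser, CRM-3875
    $htaccessFile = $config->configAndLogDir . '.htaccess';
    if (!file_exists($htaccessFile)) {
      // "Order allow,deny" with no Allow directive denies every request
      // (Apache 2.2 syntax; 2.4 honours it only via mod_access_compat, and
      // only where AllowOverride is in effect). Other web servers ignore this
      // file, so the directory must be blocked in their own configuration.
      $contents = '
# Protect files and directories from prying eyes.
<FilesMatch "\\.(log|ini)$">
  Order allow,deny
</FilesMatch>
';
      if (file_put_contents($htaccessFile, $contents) === FALSE) {
        require_once 'CRM/Core/Error.php';
        CRM_Core_Error::movedSiteError($htaccessFile);
      }
    }
  }

  $init = IDS_Init::init($configFile);
  $ids = new IDS_Monitor($_REQUEST, $init);
  $result = $ids->run();
  if (!$result->isEmpty()) {
    $this->react($result);
  }
  return TRUE;
}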
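/**
 * Restrict access to a given directory (by planting there a restrictive .htaccess file)
 *
 * Any existing .htaccess in the directory is overwritten. The directives are
 * Apache 2.2 syntax ("Order"/"Deny"); Apache 2.4 honours them only through
 * mod_access_compat, and the file only takes effect where AllowOverride
 * permits it. Other web servers ignore it entirely, so the directory has to
 * be blocked in their own configuration.
 *
 * @param string $dir the directory to be secured
 */
static function restrictAccess($dir) {
  // note: empty value for $dir can play havoc, since that might result in putting '.htaccess' to root dir
  // of site, causing site to stop functioning.
  // FIXME: we should do more checks here -
  if (empty($dir)) {
    return;
  }

  // Without a trailing separator the file would land beside the directory
  // (".../dir.htaccess") and protect nothing.
  $lastChar = substr($dir, -1);
  if ($lastChar !== '/' && $lastChar !== DIRECTORY_SEPARATOR) {
    $dir .= DIRECTORY_SEPARATOR;
  }
  $file = $dir . '.htaccess';

  $htaccess = <<<HTACCESS
<Files "*">
Order allow,deny
Deny from all
</Files>
HTACCESS;
  if (file_put_contents($file, $htaccess) === FALSE) {
    require_once 'CRM/Core/Error.php';
    CRM_Core_Error::movedSiteError($file);
  }
}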